Security breaches are constant headline fodder for news organizations. While a large share of companies and organizations are as open as they can be about the attacks and their implications, many organizations still do not take security seriously; others do not disclose breaches in a timely manner, instead sweeping the information under the proverbial rug, at least for a while. Here are just a few examples of security breaches that either took place or were announced in 2016. Those affected to date read like a who’s who of top corporations and agencies.
Top Agencies, the Federal Reserve and Financial Companies Fail Security
A recent warning by a government watchdog, the Government Accountability Office, specifically called out four federal agencies regarding their cyber security: NASA, the Nuclear Regulatory Commission, the Department of Veterans Affairs and the Office of Personnel Management. The GAO pointed to the fact that the agencies had not fully implemented their information security programs. The four are said to have specific weaknesses in patching software vulnerabilities, as well as in contingency planning.
The recent audit took place after the breach of the Office of Personnel Management computers that exposed personal data on 21.5 million persons, many of whom held security clearances. The auditors called on NASA, NRC, OPM and VA to fully implement the key elements of their information security programs.
The Office of the Inspector General also recently announced that it is auditing the Federal Reserve’s security policies, procedures and effectiveness, including its ability to quickly detect and respond to data breaches. According to Reuters, from 2011 to 2015 the Fed found more than 50 data breaches in its networks. While breaches across all agencies are a daily occurrence, finding out which breaches successfully yielded data is the hard part.
The Federal Reserve audit follows on the heels of the theft in February of $81 million from the central bank of Bangladesh’s account at the New York Federal Reserve, carried out via the messaging service run by the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT). SWIFT is claimed to be the world’s leading provider of secure financial messaging services, processing 25 million communications daily and representing billions of dollars in transfers. The SWIFT breach was the result of coordinated malware attacks involving multiple banks, with claims that North Korea was to blame.
Financial institution breaches are not limited to government-based organizations. The first of two recent and highly visible examples is the $55 million in digital currency missing from the Decentralized Autonomous Organization investment fund. The cyber heist involved 3.6 million ether coins that were moved to an account within an identical fund set up by the hackers. Fortunately there is a 27-day waiting period before funds can be accessed, so the transaction should be void. This is not the first time digital currency has been accessed in this way. In 2014 there was a breach of the Mt. Gox bitcoin exchange caused by a flaw in the Decentralized Autonomous Organization’s security.
Digital currency is more at risk than traditional currency. If security can be bypassed, currency can be transferred anonymously with no recourse to the victims.
The second example is also from 2016, when Vanguard sent 71 emails containing information on other customers’ transactions to a single Vanguard customer. Unfortunately the emails regarding the transactions were sent by mistake, and the receiving customer tweeted about the incident. Unfortunately, too, Vanguard described it as a system error and a one-time isolated incident. However, financial firms are subject to state and federal investigations, regulatory examinations and class action suits, so it is incumbent upon a financial firm to adhere to compliance requirements and to maintain professionalism, consistency and transparency when there is a problem.
With Vanguard dismissing the incident as a system error, it was hard to believe that customer financial data ending up in the wrong hands was a minor problem. At the very least, Vanguard should have reported the incident to the SEC and disclosed it to the people whose information was compromised. The reality is that the SEC will find out about an incident anyway, whether from social media, disgruntled customers or whistleblowers, so it is best to report it immediately. Vanguard clearly missed an opportunity to endear itself to its customers, choosing instead to hide the facts and create animosity as a result.
The IRS and More on the OPM
Recently identity thieves used an automated bot to generate phony login information in an attempt to breach the IRS. The actual Social Security numbers involved were stolen from somewhere else and used to try to create e-file PINs that taxpayers use to file their returns. According to the IRS, the attempt involved 464,000 Social Security numbers, more than one-fourth of which were used to successfully access an e-file PIN.
In August 2015, the IRS indicated that hackers accessed sensitive information on more than 300,000 taxpayers.
Also last summer, the Office of Personnel Management uncovered the digital theft of the personal information of over 22 million former and current federal employees, contractors and others. Separately, an anonymous hacker claimed to have breached the Department of Justice by using a stolen email address to convince an IT support employee to hand over login credentials. Once logged in, the hacker stole and dumped databases covering tens of thousands of FBI and Department of Homeland Security personnel. While spot checks confirm the claim is true, neither agency has confirmed that it happened.
Globally, laws are evolving that open a company to claims from investors when the company fails to adequately disclose cyber-security events, minimizes their impact, or delays publishing material information.
While customers are wary of companies that have experienced security breaches, greater concern is placed on how the breach is handled. While it is hardly easy to let those who have trusted you know that a breach has taken place, communication is key. Those that outline the event, inform as to what was stolen, and advise customers regarding what they should do for their own security end up being respected for their attempts to do what they can to mitigate the event.
One event—a Canadian student loan data breach—caused the loss of a substantial amount of data, but it took Human Resources and Skills Development Canada more than two months to report the situation. While this was not the first case of delayed notification, and it will certainly not be the last, the damage that this kind of delay causes in customer trust is extremely difficult to overcome.
Unfortunately we do not have systems that are 100% secure. Companies have been breached multiple times, as have governmental agencies. Known occurrences represent an unknown percentage of those that have been kept completely quiet. It will become increasingly difficult, however, to maintain secrecy as new laws kick in, especially for publicly held companies. Let us hope governments and agencies will opt for transparency as well.