Mark Rodbert, CEO of idax Software analyses why companies and the public treat hacked businesses as criminals.
Whenever it is announced that an organisation has suffered from a cyberattack, the blame is almost automatically shifted onto the company itself. To some degree, this is the right position to take. These businesses are entrusted with the personal data of potentially millions of customers: personal information, financial details, home and email addresses. It is extremely valuable data which, in the wrong hands, can cause significant damage. If malicious attackers break through security and access this information, it is a huge problem.
When the easyJet attack was announced in May, it was revealed that 9 million people had been affected by it. However, while easyJet certainly has to be held accountable for its own faults, there is no getting away from the fact that the airline is without doubt a victim in all of this. It begs the question: why do we treat hacked companies as criminals?
The typical narrative treats these businesses as the criminal and their customers as the victims. In fact, both are victims. Of course, we entrust our data to a company such as easyJet, but the airline did not hand this information out on a platter, and will face serious consequences in turn. However, we must not forget that the real criminals here are the hackers, not the hacked company. We need to reconsider the narrative that we, as a society, use around incidents like this.
Holding Companies Accountable
It’s important to remember that above everything, hacked companies need to be held responsible for their own failures to prevent attacks. Many are guilty of resting on their laurels. They become lax and don’t expect to be targeted. As the technology within security progresses, so too do the malicious attackers who are trying to get in. Companies need to continually keep on top of their security efforts if they wish to remain safe from outside threats. Otherwise, they can fall behind and become an easy target – security should be a top priority in such a digitally driven environment.
In easyJet’s case, it was reported that 2,208 people had credit card details stolen. In comparison to the 9 million people affected by the attack, just over 2,000 credit card details doesn’t seem too significant, but for each individual whose finances were at risk, it can quickly become a very stressful situation. It becomes a race between customers cancelling their cards and hackers (or those who have bought the details from the hackers) using them.
On the whole, though, the hack – which took information such as flight details and email addresses – puts easyJet customers at a bigger risk of falling victim to phishing scams. In fact, they will have been at risk as soon as the attack happened back in January. Those impacted have to be alert to emails that they receive, conscious of those purporting to be sent by easyJet.
The impact that these attacks have on customers can’t be downplayed. It’s an invasion of privacy and theft of personal data. While much attention has rightly been paid to COVID-19 in 2020, there have been a number of cyber attacks that have gone somewhat under the radar – all coming with their own consequences. We’ve seen hackers take the details of 160,000 Nintendo users, Marriott saw the details of 5 million visitors taken from under its nose, and the personal details of 10.6 million hotel guests at MGM Resorts were accessed and posted on a hacking forum – each hack impacting customers in unique ways.
With that said, there are breaches that take more than email addresses and booking information. In March this year, hackers took data that held the characteristics of 76,000 sets of fingerprints from the Brazilian biometrics solutions company Antheus Technologia. The breach came through an unsecured server, which held binary code that hackers could use to recreate fingerprint scans; Antheus Technologia had failed to password-protect or encrypt its database. It’s clear that breaches of any kind have huge consequences for customers – and it is the organisation’s responsibility to protect that data.
Customers Are Not the Only Victims
While we’re holding these hacked businesses accountable, there is no avoiding the fact that they too are victims of attacks, and will ultimately face large scale consequences themselves.
Off the back of easyJet’s attack, the airline is now facing a class action lawsuit that could make the company liable for £18 billion – which would amount to £2,000 per affected customer. While the eventual fee is yet to be decided (and may not reach the quoted £18 billion), any eventual fine will surely be significant. When British Airways was hacked in September 2018, the Information Commissioner’s Office (ICO) hit the UK’s flag carrier airline with a £183m fine, which could eventually reach £3 billion with compensation payouts – and that was for 500,000 impacted customers, rather than easyJet’s 9 million.
Not only will easyJet be hit with a hefty fine – a seriously dangerous outcome in a climate where COVID-19 has already crippled the travel industry – but the reputational impact that this attack might have could be catastrophic. Consumers place a lot of trust and faith in the organisations they do business with, and a considerable part of that lies in the trust that their data will be safe. Breaking this trust has a huge impact. According to a survey undertaken by Forbes, 46% of organisations had suffered reputational and brand damage off the back of a breach, and 19% of organisations suffered the same fate following a third party security breach.
That brand damage doesn’t only come from the customers affected by the breach, but the message reverberates around the world as the media circulates the news. People become concerned about purchasing from these hacked companies, and a lot of business can be lost as a result. On top of any ICO fine and class action lawsuit, it wouldn’t be out of the question to see a once global conglomerate buckle under the weight of an attack.
Is it fair to put the sole blame of an attack on the company being targeted? We, as a society, need to place much more focus on the real criminals, the hackers themselves. If a bank is robbed at gunpoint, we don’t immediately turn to the bankers and blame them for losing our money. Yes, our money in banks is insured and we don’t lose our personal information, but the principle stands.
These hackers purposely go out of their way to meticulously plan and steal private and confidential data, all to be profited from by selling to the highest bidder on the dark web. These are the real criminals.
Hacked companies certainly need to be made accountable for shortcomings on their cybersecurity, and fines are warranted. However, what isn’t warranted is the media manhunt for targeted companies, who are actually victims in these situations as well as their customers.