Historic Hacks of the 2010s, Part 2
Note: This is Part 2 of 2.
Hacking has come a long way since an irate Nevil Maskelyne punked Guglielmo Marconi in 1903. We hear almost daily of data breaches that expose hundreds of thousands, if not millions, of personal records.
The frequency of breaches and their associated costs of remediation are increasing. According to a study by IBM Security and the Ponemon Institute, an average data breach exposes 25,500 personal records and costs organizations $3.92 million to clean up. In addition to lost time and money, a breach can also irreparably damage a company's reputation — Yahoo! comes to mind.
The good news is that private businesses of all sizes are aware of the need to up their cybersecurity and are taking appropriate steps. Some are doing so preemptively, others unfortunately only after suffering a hack.
Governments at all levels are following suit, but typically lagging behind private industry in their level and speed of response. By their nature, governments are bureaucratic, functioning in a sea of red tape. Throw in poor cybersecurity practices, complex legacy systems and scarce resources and it is easy to see why they are falling behind.
The primary victims of the war between hackers and cybersecurity professionals are everyday people. On an individual level, they bear the years-long burdens and costs of repairing credit ratings and reclaiming identities. Justifiably angry at data breaches, they are demanding that elected officials take action.
Unfortunately, while government can play an important role in cybersecurity through regulations and policies, its involvement can easily create additional problems in the balance between freedom and security. As Benjamin Franklin knew, it is a difficult thing to do.
Most people agree that businesses that fail to protect personal data should be held accountable, but how much? As the following hacks show, the desire of elected officials to "solve" data breaches has the potential to open a Pandora's box of excessive burdens on business and overly punitive punishments for C-level executives guilty of nothing more than being outwitted by cybercriminals.
Uber Technologies, Inc., the multinational transportation network company best known for peer-to-peer ridesharing, went public earlier this year. Marketing its shares at $45 apiece, the company raised an impressive $8.1 billion.
The company's current market value is north of $82 billion — not bad for an organization that, two years earlier, endured a seemingly endless litany of bad publicity stumbling from one scandal to another. In January 2017, the company dealt with the viral #DeleteUber campaign for profiting during the New York City taxi drivers' work stoppage.
February 2017 found them handling claims of company-wide sexual harassment. And finally, in March, they were exposed for deceiving authorities in cities where Uber was not allowed to operate, and cheating drivers out of millions of dollars.
What really made 2017 a downer, however, was news of a data breach from the year before. In October 2016, hackers accessed Uber's GitHub account and pilfered data containing username and password credentials to Uber's Amazon Web Services account. The breach exposed unencrypted names, email addresses and mobile phone numbers of 57 million users of the Uber app, as well as the driver's license numbers of 600,000 Uber contractors.
While the hack was damaging enough, it was management's response that really hurt the company — an absolute dumpster fire. Under existing data breach notification statutes, the only way for a company to have direct liability for a breach is to not give notice of it happening, which is exactly what Uber did.
After Bloomberg News reported the breach, Uber's management hurried to play catch-up, publicly admitting the intrusion. When asked why they did not alert the public to the breach on their own, management sheepishly admitted they had paid the hackers $100,000 for a promise to destroy the stolen data, with no way to verify that they would do so. Uber even went so far as to bury the hundred-grand expense in their financial statements by labelling it a "bug bounty" fee.
Aftermath: Uber reached a $148 million settlement with 50 state attorneys general and fired their Chief Security Officer, Joseph Sullivan, for concealing the breach and paying the ransom. CEO Dara Khosrowshahi issued the obligatory apology acknowledging the breach and cover-up and declaring, "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
The Federal Trade Commission (FTC) mandated that Uber undergo onerous third-party audits for the next 20 years and provide records of its bug bounty reports relating to vulnerabilities in their consumer data.
Public knowledge of the hack hit at the worst time possible for Uber, as it was deep in negotiations to sell a large stake in the company to Softbank. The initial valuation of the company at that time had been $68 billion. When the deal closed a month later, valuation had fallen sharply to $48 billion.
Lessons Learned: Just like "Tricky-Dick Nixon," Uber learned that the cover-up is always worse than the crime. Under the laws of most states, because the breach did not include personal financial information, reporting it would likely not have been required. Instead of hiding the breach, management could have notified the appropriate authorities and let them make the decision.
Because the $148 million fine was paid to individual states (California alone received $38 million), there is now an incentive for state regulators to eagerly enter the fray of data breaches, particularly as the definition of "protected data" is expanding beyond financial data to include any information that can be used to identify a person. In the near future, companies can expect security and reporting regulations of a more burdensome nature, something akin to the European Union's General Data Protection Regulation.
Equifax, the world's oldest and second-largest credit bureau, is the repository of information for 1 billion consumers and businesses. Founded in 1899 by the Woolford brothers as the Retail Credit Company, its mission has been to report on the creditworthiness of individuals and businesses.
While the company focus has changed over time to meet market demand, critics are quick to point out two aspects that have not changed: Equifax's constant vacuuming up of tons of private data, and their willingness to share that data with anyone who will pay. 120 years later, Equifax is still sharing personal data with others — only this time it's the company that is paying.
Sometime in mid-May of 2017, hackers took advantage of "an application vulnerability" on one of the company websites to access the personal information of 143 million consumers. The intrusion was discovered at the end of July, and by September the estimate of records accessed climbed to 148 million.
Although the hackers failed to access Equifax's core consumer or commercial credit reporting databases, they did make off with records containing birthdates, home addresses, phone and Social Security numbers, and a bunch of driver's license numbers.
Aftermath: As a whole, Equifax's response was prompt, professional and by the book. They quickly admitted the hack, with CEO Richard Smith issuing a statement of apology calling the intrusion, "clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do."
They also hired a well-known forensics firm to conduct the investigation with an eye to preventing future breaches and began contacting victims by mail offering free credit monitoring for 10 years. They even launched a website to help consumers figure out their options and apply for the monitoring.
CIO Jun Ying was one of the first executive casualties of the breach. He resigned after the Securities and Exchange Commission accused him of insider trading for selling his stock before revealing the breach. In June 2019, Ying pled guilty, received a four-month prison sentence, paid a fine of $55,000 and will have to pay a restitution of $118,000.
Although Equifax's response to the breach was top-notch, the "government" showed up to help sort things out. With haste, belying their normally ponderous natures, the U.S. Consumer Financial Protection Bureau and the FTC, along with 48 states, the District of Columbia and Puerto Rico, demanded their citizens be made whole. The company eventually agreed to pony up $700 million to settle all claims.
House Republicans awkwardly tried to score political points by publishing a report, 14 months later, saying that the hack was "entirely preventable." They blamed the intrusion on the company's failure to "implement responsible security measurements" as well as Equifax's custom-built and antiquated legacy IT system. Not to be upstaged, Democratic lawmakers went all pitchforks and torches on the agreement. Claiming $700 million wasn't nearly enough, they demanded even more money from the company.
Lessons Learned: The public is tired of their data being stolen. They want regulatory action, and Congress is willing to give it to them. Democratic Senators Elizabeth Warren (Mass.) and Mark Warner (Va.) recently introduced a bill calling for harsh minimum financial penalties along with structural reforms and increased oversight of credit rating agencies and their data protection plans. If their bill had been in place at the time of the breach, Equifax would have paid a fine of $1.5 billion to the federal government in addition to whatever settlements it could have reached with individual states.
Some officials, like Senator Ron Wyden (D-Ore.), are willing to go even further. His proposed bill would authorize criminal prosecutions and 20-year prison sentences for C-level executives at companies that suffer data breaches. It also would allow the FTC to fine companies up to 4 percent of their annual revenue. Truly, the natives are restless and elected officials smell an easy payday.
An additional danger of excessive governmental involvement in preventing data breaches is the likelihood of stifling innovation. The threat of massive fines and direct governmental oversight of their operations will lead companies to be overly careful before releasing new products and services, reducing competitiveness and slowing improvement.
President Ronald Reagan used to get laughs by saying, "The ten worst words in the English language are, 'We're from the government and we're here to help you.'" Such was the case with Equifax's breach. Unfortunately, governmental help has the potential to be ham-fisted and may just portend more difficulties and increased costs for businesses and the people who run them, not to mention the consumers who use such services.