Data Breach. The phrase itself carries a scent of panic that grows in magnitude as more high-profile events enter the public consciousness. Breaches are hideously complex to deal with, legally and technically, and carry high costs in terms of money, liability, and reputation. The consensus is: don’t ask if you will be breached, ask when. No one should throw stones, because we all live in glass houses in the age of cloud computing, pervasive connectivity, Big Data, and the impending arrival of the “Internet of Things”.
No one is immune, not even security companies; sophisticated organizations suffer cyber incidents too. The most important thing a company can do is to have an action plan for responding to a breach, including legal counsel, forensic incident response teams, and security consultants, so that it can minimize the damage and remediate the problem.
Case in point – I got a heads-up email last night from a forensics colleague regarding “Hacking Team”, a firm that specializes in offensive cyber technologies and surveillance tools. It suffered an incident resulting in the reported exfiltration of 400GB of its internal data, which is now being distributed over BitTorrent. The dump reportedly contains internal emails, business records, and even source code to some of its tools, and includes information on the company’s business dealings with state actors, among others. (See e.g. http://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-firm-run-amok/; and http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html)
This is a similar incident to what occurred with HBGary Federal in 2011, when its then-CEO Aaron Barr ran afoul of Anonymous after claiming he could de-anonymize its members. That company too suffered a massive breach of internal data and correspondence, followed by a PR nightmare.
I thought I would write a quick comment on all of this because of a discussion I had two weeks ago at the Sedona Conference Working Group 11, which deals with data breaches. I cannot go into specifics because the working group has a no-quoting policy to foster more open discussion, but one exchange concerned companies proactively monitoring the internet for indications that they have been breached (owing to the terrible statistics showing that companies presently go months from the time of breach to its discovery).
One commentator indicated that the organization he was with took it a step further, infiltrating the sites, boards, and/or groups responsible for these types of things in order to monitor them actively. (I do not recall exactly how he phrased what they were infiltrating, but it seemed like he was describing underground sites of the darknet variety.)
My contribution to the discussion was to inject a warning about the danger of going from keeping tabs on the news to actively trying to infiltrate these groups. I used HBGary Federal as an example of the kind of risk that can bring: not only does poking the bear risk drawing unwanted attention to your company, it also exposes your company’s customers in the event data is exfiltrated and publicized. The line between defensive and offensive measures in cyber security has long been controversial on both legal and ethical fronts. (See e.g. “Ethics for Intelligence Officers”, Ethics and the Future of Spying: Technology, National Security and Intelligence Collection (Studies in Intelligence) (Forthcoming).)
The long and short of this post is: (1) data breaches cause collateral damage to those affiliated with the breached company; (2) a high-profile breach spreads to the far corners of the internet in under an hour; and (3) once the genie escapes, there is no putting it back in the bottle. Given these things, companies need to evaluate very carefully how “pro-active” they are being. While many recent data breaches revolved around financial crime (e.g. Target, Home Depot), others have political and/or ideological associations (e.g. HBGary Federal, and now Hacking Team), notwithstanding likely state actors (e.g. OPM). The closer your company goes to that line between defensive and offensive, the bigger a target it may become, especially if it is involved in a business line that is controversial. The same goes for the vendors and consultants your business works with: do you know what activities they are involved in that might cause repercussions for your enterprise if they suffer a breach?
As surely as winter follows fall, litigation follows a breach.