With Black Friday behind him and Christmas just around the corner Gregg Steinhafel was a man not at peace with the world. As chairman and CEO of discount chain Target Corporation, one of the 10 largest retailers in the US, he had every reason to pause and reflect on a successful 35-year career with the firm.
But on the morning of Sunday 15 December 2013, the problems that were beginning to surface after the company’s recent expansion into the Canadian market were on his mind. And then the phone rang. “I remember it distinctly,” he told CNBC in a televised corporate damage-limitation exercise a month later.
“It’s hard for me to describe the feeling that came over me. I was devastated. How could this happen to Target? It was really a moving moment for me because we’re all about the guests [customers], we’re all about the trust and the relationship and that’s what we built the franchise on... I’m still shaken by it.”
He would be even more shaken five months later, when his departure from the company was described in a lawyer-friendly proxy statement by the interim board as “involuntary termination for reasons other than for cause”.
The call he received on that Sunday morning had nothing to do with the ill-fated Canadian expansion, although all 133 outlets were closed a year later. Instead it was to inform him of a cybercrime that even today, more than six years and many other blue-chip victims later, marks out the unfortunately named Target as one of the reluctant poster boys for a corporation caught with its pants down by a major data breach.
Ultimately, it affected more than 41 million of the company’s customer payment card accounts and contact information for another 70 million customers and, alongside a $10m class action and an $18.5m multistate settlement in May 2017, caused untold reputational damage.
In the wake of the Target breach, the response of the corporate world was muted, as it often still is, even in the face of irrefutable evidence that no system is hack proof.
Witness the work of Anonymous, a decentralised international hacktivist group that has attacked several governments; the Stuxnet computer worm, which is thought to have caused substantial damage to Iran’s nuclear programme; and even rumours of Russian involvement in US elections and the Brexit referendum.
As one former chief information security officer, who wishes to remain anonymous, puts it: “The modus operandi appears to be: tell the IT guy to be extra careful, throw some money at it (but not enough), keep your head down and pray that it happens to somebody else.”
Unfortunately, as many businesses have discovered to their cost, it doesn’t always happen to someone else. Catastrophic attacks, like 2017’s ransomware attack WannaCry, spread like wildfire, encrypting hundreds of thousands of computers in more than 150 countries (including those in the NHS) in a matter of hours, while the NotPetya malware, which is widely seen as a state-sponsored Russian cyberattack on the Ukraine, swamped banks, ministries, newspapers and electricity firms. Maersk, the world’s largest shipping line, lost $300m in the attack.
Other notable victims of cyberattacks include Yahoo (multiple breaches, including one in August 2013 that involved holders of three billion accounts, have left it facing a $35m fine for failing to disclose them); Marriott International (which acquired a hacked database including five million unencrypted passport numbers and eight million credit card records when it bought Starwood Hotels and Resorts Worldwide in 2016); and British Airways (details from 380,000 booking transactions, including bank card numbers, expiry dates and CVV codes, were stolen in September 2018).
The last two incurred huge General Data Protection Regulation (GDPR) fines – more of which later.
The precise number of cyberattacks is hard to gauge. Although there is a constantly updated Wikipedia page listing those that come to light, many breaches are either undetected or unreported. The overall cost, however, is estimated at £1.5trn annually worldwide (with predictions of £4.6trn at the dire end of the spectrum by 2021) and, as Dido Harding discovered, such costs can hit companies, and their CEOs, hard. Baroness Harding, the former TalkTalk boss, has been known to refer to herself with admirable humility as a member of Cyber Anonymous, a non-existent club for business leaders who have suffered a data breach on their watch.
The attack on TalkTalk in October 2015 cost the company an estimated £77m and 101,000 subscribers, and earned a record fine of £400,000 from the Information Commissioner’s Office for its negligence in securing clients’ data. It had been prompted by the actions of a 17-year-old hacker, who exposed the vulnerability of the company’s website.
The attack was initially described as a “significant and sustained cyberattack”, and confusion reigned in the immediate aftermath of the discovery, with Harding talking of a “sequential attack” (rather than the extremely simple “SQL injection attack” that actually took place).
At the time, she was subjected personally to repeated blackmail attempts that offered to return the data in exchange for Bitcoin, and then endured, as the Evening Standard noted, “a tough week... facing complaints from customers and calls for her head”.
The attack ultimately hit Harding in the pocket, when her 2015 cash bonus was reduced from £432,000 to £220,000.
Talking at the Infosecurity Conference in London in June 2018, Harding, who has since left TalkTalk, admitted that, having already suffered less serious breaches, TalkTalk “could have done more” to prevent the attack. “There was the IT equivalent of an old shed in a field that was covered in brambles,” she said of the technology in place at the time. “All we saw was the brambles and not the open window.”
A 2019 survey of more than 5,400 small, medium and large businesses in the US and Europe by insurance firm Hiscox revealed that 60 per cent had been hit by one or more cyberattacks (up from 45 per cent in 2018), incurring an average loss from security breaches of £284k (up from £176k).
It remains to be seen whether risks will have increased due to the coronavirus lockdown, but in principle the more sensitive information is communicated remotely, the greater the vulnerability.
While larger businesses and institutions tend to be more vulnerable to attacks, including from hacktivists and advanced persistent threats (typically state-sponsored groups or organised criminal gangs that gain unauthorised access to a computer network and remain undetected for some time), they generally have multiple and more advanced layers of defence than their smaller counterparts, not to mention deeper pockets. TalkTalk is still in business and Target has since bounced back to full health.
Smaller businesses, with their reliance on the cloud and a tendency towards working remotely, offer easier pickings. In the UK alone, research from business internet service provider Beaming shows that 63 per cent of small companies (employing between 10 and 49 people), about 130,000 in total, reported a cyberattack in 2018. And, with fewer human and financial resources to deal with an attack, the industry best guess is that 60 per cent of small companies will go bust within six months of an attack.
More than 20 billion devices are connected to the internet (over half of those able to transfer data without human-to-human or human-to-computer interaction). We live in a globalised network of networks with embedded systems, wireless sensor networks and automation performing everything from menial tasks, such as shuffling tracks on a playlist, to controlling the fundamental elements of a nation’s critical infrastructure.
That is a lot of potentially open windows. It might be the environment in which modern business operates but, whether the threat of attack comes from “script kiddies”, who learn from YouTube tutorials, organised criminal gangs like Carbanak, which stole $1bn after targeting dozens of global financial institutions, or state-sponsored apparatchiks, it’s a hackers’ playground.
While the TalkTalk teenager told a court in Norwich that he was “just showing off to his friends”, the motivations of hackers are many and varied. The term “hacker” is almost invariably used in a pejorative sense, suggesting illegality, but that is too simplistic. The number of hackers at work in the world is impossible to discern, for obvious reasons. Many are the faceless people who give CEOs cold sweats and sleepless nights but others are “ethical hackers”.
HackerOne represents 300,000 so-called “white hat hackers” claiming to “come together to help address the security needs of our increasingly interconnected society”.
Hackers are an increasingly sophisticated and diverse group
Founded in 2012 after two Dutch hackers revealed security flaws in 100 top tech companies (the “Hack 100”) and then, with the help of Facebook’s head of product security, established a “vulnerability coordination and bug bounty platform”, HackerOne works with some of the world’s most famous companies and organisations and exists to find weaknesses in any network and then reward those who discover them.
Its most recent Hacker Report reveals that $19m was earned in “bounties” in 2018, more than for the two preceding years combined, but also yields other valuable data.
More than 100,000 vulnerabilities have been reported to organisations by HackerOne. Less than 6 per cent of hackers learn their skills in the classroom, with 81 per cent picking them up through blogs and self-directed educational materials.
Top earners in the hacker-powered security business can earn up to 40 times the median annual wage of a software engineer in their home country (a fact that is likely to encourage more to go freelance, exacerbating the worldwide shortage of cybersecurity professionals).
Although US security software company McAfee has pointed to the fact that insiders are responsible for 43 per cent of data breaches – with malicious insiders (including departing staff) the most prevalent – recent figures suggest 230,000 new malware samples are being produced every day and the ability to infiltrate an organisation is up to the talent and imagination of the hacker.
“Traditionally, this has been done through business email compromise – BEC,” explains cybersecurity expert Tony Morbin, editor in chief of Management Today’s sister publication SC Media.
“Phishing emails go out to catch anybody they can. Your security can be seriously compromised if somebody inside your organisation makes a simple mistake, such as just opening a link. If a hacker does break in, what they then do is impersonate the people with the most privilege and steal all the information they have access to.”
Morbin says there are several steps a business can take to minimise damage from such attacks, such as segregating databases and only allowing access to authorised people and only for limited periods of time.
He uses the analogy of gun control: “If you were giving people access to guns, not only would you be very careful about who you gave them to, you would only do so after checking their identity and, even then, you would only allow it for a certain period of time and for a specific purpose.
Similarly, you don’t just give people unlimited access to data whenever they like for as long as they like, even if they’re the CEO. The more you limit it, the more difficult you make it for the hacker.”
One of the core issues for businesses in the fight against cybercrime has traditionally been communicating its importance to board members. “Their eyes glaze over,” says Morbin.
“After a breach, a company will start spending on cybersecurity but until then they see the money as a cost as opposed to a generator of revenue.”
It doesn’t help that cybersecurity teams traditionally come from a tech background and have struggled to articulate the risk to board members in a way they will engage with. “Things are changing now, slowly,” he says.
“In my opinion, the chief information security officer is the prime role in cybersecurity and they need to have a seat on the board or at least be directly managed by someone with a seat on the board.”
Becky Pinkard, chief information security officer for Aldermore, a specialist UK-based bank supporting the SME business community, agrees. From a technical background herself but with a passion for “telling the security story”, Pinkard says the relationship between cybersecurity and the boardroom is evolving.
“I’ve heard it said a million times that you need to make it really simple for boards but you don’t have to dumb it down,” she says. “They don’t need all the detail but they need someone who can explain it and make it applicable to the business they are in.”
Two other factors have recently helped to focus the mindset of the C-suite: GDPR and the fact that senior management are, increasingly, targeted personally by cybercriminals.
GDPR, the EU legislation governing data protection and privacy, became law in the UK in May 2018 (and still applies post-Brexit to UK businesses if they have even one customer who is in the EU or who is an EU citizen living in the UK). Fines of up to four per cent of global turnover plus the costs of notifying a customer base of a data breach mean cybersecurity is no longer just about risk management.
To translate the implications of non-compliance into the preferred language of the boardroom – i.e. the bottom line – TalkTalk’s record £400,000 fine would have been closer to £59m today. Both the Marriott International and BA fines, £99m and £183m respectively, came after the introduction of GDPR and, although both will be “vigorously contested”, they are serving to put cybersecurity on the radar of even the most tech-phobic CEOs.
And if that doesn’t, the trend for personal attacks might. “After phishing emails came spear phishing, which targeted individuals,” says Morbin. “But now there is whaling, where they are targeting the big fish.”
Last year, for example, an employee of Nikkei America, the US subsidiary of the Nikkei financial media corporation, which owns the Financial Times, transferred $29m to a fraudulent bank account after direction from a BEC scam that falsely represented a senior management executive.
Scams such as this may become even more difficult to detect in the future as criminals and hackers develop ever more inventive ways to fool even the most suspicious. Deepfakes, for instance, which use AI to manipulate videos of people, could be used to fool employees into believing their CEO is personally instructing them to transfer money (or data) in real time.
The art of the possible became evident in a recent video by Indian politician Manoj Tiwari, president of India’s ruling Bharatiya Janata Party, where footage originally filmed in English was manipulated so he appeared to speak in the Hindi dialect of Haryanvi.
An evolving crime
In the cybersecurity industry, the joke is that the relatively unsophisticated TalkTalk hack was older than the hacker himself. Meanwhile, in the case of the Target breach, the perpetrators used a deeply untechy method to orchestrate their attack – the initial intrusion was traced back to the supply line and network credentials stolen from a third party provider of refrigeration and HVAC services.
But cybercrime has moved on. Carbanak, for instance, having infiltrated one bank’s intranet, installed a back door to find an entry point into the relevant financial system and then used keyloggers and stealth screenshot capabilities to withdraw funds via the most convenient method – SWIFT, “mules” taking cash out of fake accounts or a remote command to an ATM.
The authorities claimed to have arrested the mastermind of the organisation in Spain in 2018 but the campaigns against major businesses have continued.
“The next big threat,” says Pinkard, “is a bit like Donald Rumsfeld’s ‘unknown unknowns’. You prepare for it by taking care of the basics, understanding how your estate is accessed and being able to prioritise and understand what you need to protect first and what the layers of control and protection look like.”
Morbin advises that to combat any eventuality, you need a really robust multi-layered system in place. “With the example of a deepfake CEO, you need to be able to turn round and say: ‘I’m really sorry but we have to have the key codes to be able to do it’. Multi-factor authentication is the best defence against being scammed. There should be at least two, preferably three, doors to enter and they have to be in series, one after the other, not parallel.
“And that does not include passwords – there are four billion stolen passwords on the dark web and I’m sure they will soon become obsolete for all of us as a security measure.”
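The two controls Morbin describes above and earlier in the piece, access to a specific dataset granted only to a named person, for a stated purpose and for a limited time, and authentication factors that must be passed in series rather than in parallel, can be seen together in one small policy check. This is an added example written for this page, not code from Morbin, SC Media or Management Today; the subject name, dataset, purpose and grant window are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy for this example. A password is deliberately not a
# required factor, in line with the point that passwords alone do not count.
REQUIRED_FACTORS = ("totp", "hardware_key")  # doors in series: every one must be passed


@dataclass(frozen=True)
class Grant:
    subject: str          # who may access
    dataset: str          # which segregated store
    purpose: str          # why, so an unrelated request is refused
    not_before: datetime
    not_after: datetime   # access lapses automatically at this instant


def factors_in_series(passed, required=REQUIRED_FACTORS):
    """Series policy (AND): all required factors must pass.
    A parallel policy (OR, i.e. any(...)) would let a single stolen credential open the door."""
    return all(f in passed for f in required)


def decide(subject, dataset, purpose, passed_factors, at, grants):
    """Return (allowed, reason). Identity, dataset, purpose and time window must all match."""
    if not factors_in_series(passed_factors):
        return False, "authentication: not every required factor passed"
    matched = False
    for g in grants:
        if (g.subject, g.dataset, g.purpose) != (subject, dataset, purpose):
            continue
        matched = True
        if g.not_before <= at < g.not_after:
            return True, f"grant valid until {g.not_after.isoformat()}"
    if matched:
        return False, "grant exists but the request is outside its time window"
    return False, "no grant for this subject, dataset and purpose"


# Constructed sample: the CEO gets two hours on the payments store for one task.
T0 = datetime(2024, 1, 31, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("ceo", "payments_db", "quarter-end reconciliation", T0, T0 + timedelta(hours=2))]
ALL_FACTORS = {"password", "totp", "hardware_key"}
TASK = ("ceo", "payments_db", "quarter-end reconciliation")


def run_samples():
    """Each constructed request shows one way the control says no, and the one way it says yes."""
    return {
        "in_window_all_factors": decide(*TASK, ALL_FACTORS, T0 + timedelta(minutes=30), GRANTS)[0],
        "after_expiry": decide(*TASK, ALL_FACTORS, T0 + timedelta(hours=3), GRANTS)[0],
        "wrong_purpose": decide("ceo", "payments_db", "browsing", ALL_FACTORS, T0 + timedelta(minutes=30), GRANTS)[0],
        "password_and_totp_only": decide(*TASK, {"password", "totp"}, T0 + timedelta(minutes=30), GRANTS)[0],
    }
```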
Cybercrime, in Morbin’s words, has become “an existential threat to business” which means boardrooms around the country need to understand that it’s not enough to tell the IT person to be extra careful, throw some money at it and pray for the best. After all, nobody wants the phone call Gregg Steinhafel had to take. Or the fine that would almost certainly follow it.