Information Technology and Ethics/Security Breach

From Wikibooks, open books for an open world

Introduction

Ever heard or read the news headline: “2 million credit card numbers stolen…?” Unfortunately, this happens to several organizations and companies every day. Many security breaches make the news, but even more do not make headlines. A large amount of data can be accessed from anywhere in the world thanks to advanced technologies such as IoT and cloud computing. No company, big or small, is immune to a data security breach. It is a matter of “when”, not “if”. This paper will focus on analyzing several case studies of security breaches that businesses have suffered. It will also identify some of the reasons why a breach occurs, the impact of a breach, and some suggestions on how to mitigate such incidents.

What is a Security Breach?

Before delving into the topic, it is important to understand what a security breach entails. It is an incident that occurs as a result of unauthorized access to confidential data, applications, networks and/or devices.[1] Most data breaches expose sensitive information such as Personally Identifiable Information (PII), credit card information, trade secrets, and so on. According to Statista, in 2017, “nearly 179 million records were exposed in the U.S. [...], whereas the number of data breaches in the country added up to 1,579 that year.”[2] Data breach incidents are on the rise as more data is being recorded and collected.

Causes of Security Breaches

Why do these security breaches happen so often? According to Calyptix, the number one cause of a data breach is malicious or criminal attacks. Attackers do this for different reasons. One is financial gain: the attacker’s motive is to make money from the stolen data by selling it on the dark web, or even by demanding ransom while holding the victim’s computer hostage. Another common gain is stealing trade secrets or military intelligence. If it’s not for financial gain, then it is for hacktivism - to make a political statement. This is usually less harmful than other motives. Another cause of a data breach is human error: this happens when employees leave their workstations or laptops unattended, when sensitive information is exposed online, or when security patches are not applied to known vulnerabilities.[3]

Lack of awareness and poor habits

This is one of the major causes of a data breach. Most employees are not aware of the latest types of attacks or the techniques attackers use, which makes it easy for attackers to prey on them. Poor habits also contribute: using weak passwords, typing passwords openly and slowly in front of others or in public, not encrypting files, leaving required software outdated, losing laptops or important office files, and sending emails to the wrong person. These problems can be prevented by giving employees proper security training and by carrying out regular inspections.

Disposal of E-waste

Many employees don’t bother about e-waste. They throw important documents in the trash without disposing of them properly, and these documents, when found, can be taken advantage of. Also, when a hard drive gets corrupted, most employees throw it away without a second thought. But the fact is that data can sometimes be recovered from a corrupted drive by changing a few parts inside it. So official documents must be crushed and torn into pieces before they are trashed, and e-waste such as hard drives must be disposed of only once it is confirmed that the data inside is unrecoverable.

Server Misconfiguration

This can be due to technical errors or human errors. Server misconfiguration can happen when the default files that come with the server are left as they are instead of being changed to the necessary configuration. The admin must never leave any unnecessary ports open on the server. Most users don’t change the default username and password of the server, which attackers can take advantage of.

Remote Work

Most employees have the option to work from home or remotely. When working remotely, employees must be very careful with office laptops, because once an attacker gets access to such a computer he can get into the company’s network. The laptops must never be connected to an open network or public WiFi, because traffic is easy to sniff when the attacker and the user are on the same network. Employees must always use the VPN so that the data is encrypted. Attackers can even create a fake SSID, get the user to connect to it, and then easily hijack the user’s session once connected. So the user must make sure he is connected to a secured network.

Impact of Security Breaches

What are the consequences of a security breach for affected companies or organizations? The impact will vary between the affected businesses based on the time, the industry, and the type of breach that occurred. However, there are some common impacts that these businesses experience. The company’s reputation is at stake: it loses customers and stakeholders, other companies no longer trust it enough to do business with it, and it also loses potential customers and other opportunities. Another critical impact is financial loss. A data breach costs companies a lot of money and causes a lot of damage. According to Sungardas, “small businesses shell out an average of $38,000 to recover from a single data breach in direct expenses alone.”[4] Not only do they suffer financial loss, but they also face multiple lawsuits, pay huge fines, and bear other hidden costs.[4]

Now, let's address the consequences of a Security Breach.

Reputational Damage

The most harmful and heinous impact of a security breach is the loss of customer and stakeholder trust, because the overwhelming majority of people would not like to do any kind of business with a company that has been breached, particularly one that was not able to protect its customers’ data. This has a clear negative impact on the product that you have worked so hard to bring to this level. Reputation plays a vital role; once it starts degrading, you may lose the ability to attract new talent, suppliers, or investors.[5][6]

Below the surface cost

Apart from the economic and incident response costs, there are many intangible costs that may persist for a long time after the breach. It is easy for an attacker to target a smaller business, which is a softer target and easier to penetrate. Small businesses already face cash-flow problems, and after falling victim to a breach they will be in debt. Cybersecurity is not a problem for IT only; other businesses should also adopt security strategies that strengthen their internal and external surfaces and make an attacker work harder.[7][8]

Reduced Revenue

When companies learn that their systems or environment have been penetrated, the best practice is to halt the work environment until they find the problem. If the hacker used a network flaw in the organization, the company has to find its source and patch it as soon as possible. Obviously, the longer the business is down, the less revenue the company generates, and eventually it will lose its customers’ trust. Because of this, companies may suffer a series of problems such as decreased trust, decreased revenue, and other serious consequences. It’s better to identify the hack and patch it before something bad happens.[9][10]

Lost Customer Trust

Clients generally share their confidential data with companies in the belief that the companies will keep that data protected. Companies can not only prevent hacks but also manage them. But a hack may still affect customers’ trust in the company and leave a negative impression on clients. It is not only the hack itself that can cause a company to lose customers, but also a lack of follow-up after the incident; companies should be transparent with their customers. Companies should share as much information as they can to show that they are not trying to hide anything, which is a great step toward winning back customers’ trust.[11][12]

Decreased Competitive ability

The attacker is mainly interested in the company’s proprietary information, such as customer details, trading, pricing, and market strategy. Once the attacker has obtained this information, they can sell it to the company’s rivals or expose it to the public. If the attack cannot be stopped, or takes a long time to stop, the final result could be even worse. Because of such an incident, the company might lose its public reputation, and rebuilding that reputation takes time.[13][14]

Types of Security Breaches

Virus and Malware

This is the most common type of security breach. Viruses or malware can be introduced by email or bundled with applications. They usually entice people to click a link, which then downloads the malware. The virus quickly spreads throughout the system and causes breaches, and it is hard to remove.

Denial of service

A Denial of Service (DoS) attack occurs when a third party or hacker sends a huge amount of links and data, causing the system to overload. A DoS attack can therefore stop your system from functioning. The hacker will get into the system while it isn’t working and cause the security breach. DoS attacks usually target the web servers of well-known or service-providing organizations such as banks, businesses, game and media companies, and governments. Symptoms of a DoS attack usually include a slow network connection, an inaccessible website, and an increase in spam emails. The common methods of DoS attack are flood attacks and buffer overflow attacks. DoS is also common in online protest. Typically a DoS attack does not leak important files, but recovering from it costs a huge amount of time and money.

Phishing

Phishing is a type of security breach based on emails. These emails often contain a link and disguise themselves as coming from a trustworthy source. The link leads you to enter your username, password, and other personal information. The hackers then have full access to your account without your noticing.

Identity Spoofing

Identity spoofing is a method of illegally pretending to be a valid user. The hackers forge an IP address so that traffic appears to come from a valid source. They may also steal your account password illegally. Once they have obtained access permission, they are able to see the information.

Physical access

Although we tend to think most breaches come from the network, some breaches happen because someone physically accessed your device. When you leave your device for a while, someone could start it up and use a USB device to copy your files or insert malware. It is important to lock your device and keep it under surveillance.

Keyloggers

A keylogger is a simple tool that captures every keystroke on the keyboard and sends the captured keystrokes to the attacker. Keyloggers are very difficult to identify because, once installed, they hide and run in the background. So, if the attacker succeeds in installing a keylogger on the victim’s computer and obtains the username and password, he can take control of all the victim’s data. One way to check for the presence of a keylogger is to review all the apps running on the computer and remove anything that is malicious; the other way is to press CTRL+ALT+SHIFT+(any combination of letters). If a pop-up is displayed, it indicates the presence of a keylogger.[15]

Case Studies of Security Breaches

Target Security Breach - 2013

It was reported that more than 40 million customers had their debit or credit cards compromised by a security breach. The breach originated with a small outside contractor, Fazio Mechanical in Pennsylvania. Fazio, who worked with Target, suffered a breach via malware. Once Fazio’s system was compromised, their VPN (virtual private network) access to Target was in turn compromised. After the breach was exposed, Target hired Verizon to run penetration testing to find weaknesses and vulnerabilities within the system. The initial report showed that the penetration testers were able to obtain a staggering 86% of Target employee and administrator passwords, allowing access to various internal networks. They also found that many systems and services were either outdated or did not have up-to-date security patches. Upon Verizon’s follow-up months later, it was reported that Target had fixed most of the issues and had even taken some proactive steps to further protect their customers.[16] Target later settled for $18.5 million in a lawsuit that was filed by 47 states and the District of Columbia.[17] It's interesting to note that Target had no Chief Information Security Officer (CISO) prior to the breach, and that the CEO and CIO lost their jobs as a result of this breach[18].

Yahoo Security Breach - 2013 - 2017

In September 2016, negotiations were underway for Verizon to purchase Yahoo. During negotiations, Yahoo disclosed that they had been hit in late 2014 with a huge data breach of 500 million registered users by Russian hackers. Even though their information was protected using the ‘bcrypt algorithm’, users’ names, emails, birth dates and phone numbers were all compromised. In December 2016, Yahoo reported that in 2013, a different group of hackers stole data from 1 billion Yahoo registered users. Later, in October 2017, Yahoo obtained new information and updated the earlier figure of 1 million users compromised to a staggering 3 billion compromised registered users, making this the largest data breach in history as of 2019. Since disclosing the final breach estimate, Yahoo lost $350 million from the Verizon purchase, was fined $35 million by the Securities and Exchange Commission, and, in March 2018, paid out an $80 million class action settlement.[19]

Home Depot Security Breach - 2014

Shortly after the Target breach, Home Depot had a breach of their own. It was carried out in a very similar fashion. The attackers gained access to the systems via third-party accounts and were able to install malware directly onto the point-of-sale systems. The attackers collected 56 million debit and credit cards, and they also reportedly collected 53 million email addresses as part of this breach. Many of the same findings from the Target breach were also found during the Home Depot breach. It is estimated that the Home Depot breach lasted nearly five months. This breach could have been prevented if Home Depot had learned from the Target breach and taken the necessary steps to correct, in their own systems, the issues found at Target. Home Depot later settled a $27.25 million lawsuit with financial institutions for the loss caused by this breach.[20]

Adult Friend Finder Security Breach - 2016

On October 18, 2016, an anonymous Twitter user, 1x0123, reached out to FriendFinder Networks Inc, the company which owns popular adult content websites such as ‘AdultFriendFinder’, ‘Cams.com’, or ‘Stripshow.com’, to warn them of a Local File Inclusion (LFI) vulnerability in their server system. Days later it was reported that FriendFinder Networks’ databases had been compromised, with more than 100 million accounts breached. However, this was an early estimate; the final count, reported by LeakSource, amounted to 412 million users who had their credentials and private information stolen. It was later found that the majority of the personal information and passwords stored were protected with a weak SHA1 hashing algorithm. This meant that 99 percent of the passwords were cracked even before LeakSource reported the final breach count. The FriendFinder company had been notifying users of the breach and advised users to reset and change their passwords.[21]

Equifax Security Breach - 2017

The Equifax breach is arguably one of the worst security breaches in United States history because the type of information that was compromised was highly sensitive and could lead to identity theft. There were nearly 148 million people affected. The majority of people affected had their names, social security numbers, addresses, and birth dates stolen. A much smaller portion of people had only their driver’s license numbers exposed. In this case, a vulnerability in a website application allowed the attackers access to the files containing the sensitive data. The former Equifax CEO, Richard Smith, blamed the entire breach on one former employee.[22][23] Richard Smith stepped down immediately following the breach. In the wake of the breach, free credit monitoring was offered to those affected. It is unclear at this time what the actual cost of the damage from this breach will be.[24] Although some critics do not believe it was necessarily a factor in the breach[25][26], many questioned the fact that the Chief Security Officer at Equifax, Susan Mauldin, held two degrees in music and no documented education or certifications related to technology or security.[27]

Google Security Breach - 2018

In December 2018, Google announced that the personal information of approximately 52 million users, including their names, email addresses, ages, and so on, was at risk of disclosure due to a security bug. The bug affected Google+ users. Users of Google+ apps could access their friends’ public information, but this bug allowed access to information that had not been set as public. According to Google, it discovered the bug while conducting standard tests and fixed it within one week. Although Google had planned to shut down the consumer Google+ service in August 2019 because of low usage and the discovery of a similar security bug in March, it decided after the incident to shut down the service in April 2019.[28]

Marriott Starwood hotel security breach - 2018

In December 2018, Marriott announced that its reservation database had been compromised and that guests’ personal information had been stolen from the database through unauthorized access. It was estimated that hackers had exposed the information of approximately 500 million guests. For 65% of the victims, the stolen information included their passport number and itinerary in addition to their name and address. Some guests also had their credit card numbers and expiration dates stolen. After a security tool alerted Marriott to the incident, the company asked security experts to investigate it. The investigation team found that the unauthorized access had been going on since 2014, but it took four years for Marriott to notice the security issue.[29]

Facebook security breach - 2018

In September 2018, Facebook announced a security breach in which approximately 50 million user accounts were accessed by unknown attackers. According to Facebook, the hackers had exploited a vulnerability that affected its "View As" function, which lets users check how their profile looks to someone else. Attackers had stolen "access tokens," which are digital keys that keep users logged in. Facebook mentioned that possession of those tokens would allow attackers to take control of user accounts. Hackers could also access other websites that use the Facebook account for logging in.[30]

Ethical Implications of Data Collection

We provide personal information to websites and share it over the internet every day. Credit card numbers, emails, addresses, and even social security numbers are shared over the internet. We can even save this information in our web browsers to autofill for us. With all the information we give out over the web, it’s no wonder everyone is out to obtain it. We expect the companies we trust with our information to keep it safe, but as we read in the previous sections, it seems that companies can’t protect us any better than we ourselves could. Not only this, but disclosure laws in the United States are murky at best. There have been bills proposed to Congress to standardize security breach notifications, but none have passed.[31] Not only are disclosure laws not always clear, but businesses risk losses by revealing data loss to their customers. The stock prices of companies that reveal data breaches fall following the breaches, though the loss may diminish over time.[32] Is it ethical to obscure the loss of user data in order to preserve the image of a company? Is it ethical for companies not to protect the data that users have shared with them? What about collecting and selling our data? Acxiom, a data broker, collects and sells data. The Chief Executive Officer of Acxiom, Scott Howe, mentioned in his interview with CNN that “all the information we collect and utilize is secure, appropriate, and legal.”[33] He also stated that “we collect things like contact information, demographics and your preferences on things. And we'll aggregate that information to try to discern a picture of what people want.” For Acxiom, buying and selling our data is perfectly legal. This information can be and is used to create a profile. A profile will consist of information like one’s religion, health searches, past purchases, political views, relationship status, income, and debt. These profiles are used to target specific consumers with specific ads.
In fact, this data can be analyzed and correlated so strongly that a Target store in Minnesota predicted a young girl’s pregnancy before her family even knew about it.[34] Is it ethical to target ads like this? Should we allow these companies to know so much about us? Equifax, a credit reporting company, was hacked in 2017 as noted above. The information stolen led to cases of identity theft – even the CEO of Equifax had his identity stolen.[35] Should we expect that data willingly given out by us will be exposed to criminals? Do we as users and consumers have a right to privacy even if we share our information online? These ethical dilemmas will have varying answers depending on who you ask, but one thing is for sure: There’s no way to be truly private on the internet.

Protecting Yourself from Breaches

There are many ways that a cybercriminal can get our personal information online; however, there are some methods that we can use to prevent our personal data from being compromised. The article "Identity Theft Protection: 10 Ways To Secure Your Personal Data" by R.L. Adams mentions a simple solution, which is to not use a public wifi hotspot.[24] Usually any site that is browsed while using a public hotspot is vulnerable to being attacked. This may be done by simply creating a free wifi hotspot in a local area. Users may believe that this is a secure free hotspot and access it. Once the user is on the hacker’s hotspot, the hacker is able to use cookies to grab usernames, passwords, and sites visited. The article "Why Super Bowl Is a Gold Mine for Mobile-Device Hackers" by Chris Preimesberger states that, “Free WiFi networks are by far the most troublesome attack surface for both network-based and malware attacks. On average, Sharabani said, Skycure identifies a potential threat in 10.1 percent of all networks.”[36] So, if one must use the web outside of a protected wifi network, one should try using one’s own cellular data or, to be safe, wait to use the internet.

Another way to protect your personal information from being hacked online is to use different strong and secure passwords for different sites. Since many people use the same password for all the sites they visit, this solution may be difficult for some users. However, this may be the simplest solution to prevent hackers from stealing all of our personal information. Imagine that you use only one password for every site that you browse: if a hacker gets hold of that password and your username, the hacker would then have access to all of your accounts. By using different passwords you are able to prevent attackers from accessing your personal information. Another best practice is to change the password every 3 months. Also, the composition of the password is very important. Avoid using simple passwords or passwords that involve your personal life. Complex passwords may be hard to remember but are great at keeping your personal information secure. A complex password includes characters, letters, numbers, and symbols.

Another way to protect your information is to update your software. Operating systems and applications frequently release updates. This is done to fix bugs and vulnerabilities in the software, and for other reasons. To keep your software safe, you simply have to keep up to date with the software updates. The article "Keep your PC from being hacked" by Nick Mediati mentions that unexpected email attachments should be distrusted and should not be downloaded. The article also recommends upgrading to the latest antivirus software to prevent hackers from getting access to sensitive information.[37] It also mentions installing a link-checker plug-in; AVG, Norton, and McAfee all have free software tools that check for malicious websites while you browse the web. Although these are some ways to prevent cyber criminals from getting our personal information, one cannot truly be safe online from hackers, especially if our information is in the hands of a company. All we can do is be aware of sites that are not secure and take precautionary measures.

References

  1. What is a Security Breach? - Definition from Techopedia. (n.d.). Retrieved April 19, 2018, from https://www.techopedia.com/definition/29060/security-breach
  2. U.S. data breaches and exposed records 2017 | Statistic. (n.d.). Retrieved April 19, 2018, from https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
  3. C. (2017, June 29). Top 3 Causes of Data Breach Are Expensive. Retrieved April 19, 2018, from https://www.calyptix.com/top-threats/top-3-causes-data-breach-expensive/
  4. Sungard. (n.d.). Cybersecurity: Take it seriously. Retrieved April 19, 2018, from https://www.sungardas.com/en/cyber-security-advice/articles/the-consequences-of-a-cyber-security-breach.html
  5. https://www.sungardas.com/en/about/resources/articles/the-consequences-of-a-cyber-security-breach/
  6. https://www.vantiv.com/vantage-point/safer-payments/data-breach-side-effects
  7. https://www.sungardas.com/en/about/resources/articles/the-consequences-of-a-cyber-security-breach/
  8. https://www.vantiv.com/vantage-point/safer-payments/data-breach-side-effects
  9. https://www.sungardas.com/en/about/resources/articles/the-consequences-of-a-cyber-security-breach/
  10. https://www.vantiv.com/vantage-point/safer-payments/data-breach-side-effects
  11. https://www.sungardas.com/en/about/resources/articles/the-consequences-of-a-cyber-security-breach/
  12. https://www.vantiv.com/vantage-point/safer-payments/data-breach-side-effects
  13. https://www.sungardas.com/en/about/resources/articles/the-consequences-of-a-cyber-security-breach/
  14. https://www.vantiv.com/vantage-point/safer-payments/data-breach-side-effects
  15. Suganya V. (2016). A Review on Phishing Attacks and Various Anti Phishing Techniques. International Journal of Computer Applications, 139(1) 1-3
  16. Krebs, B. (n.d.). Krebs on Security. Retrieved from https://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/
  17. McCoy, K. (2017, May 23). Target to pay $18.5M for 2013 data breach that affected 41 million consumers. Retrieved from https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/
  18. https://www.computerworld.com/article/2490637/security0/target-finally-gets-its-first-ciso.html
  19. McAndrew, Edward J. (2018). “The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far).” In natlawreview.com. Retrieved on April 29, 2019.
  20. Schwartz, M. J. (n.d.). Analysis: Home Depot Breach Details. Retrieved from https://www.bankinfosecurity.com/analysis-home-depot-breach-details-a-7323
  21. Ragan, Steve. (2016). “412 Million FriendFinder Accounts Exposed by Hackers.” In csoonline.com. Retrieved on April 29, 2019.
  22. Clements, N. (2018, March 06). Equifax's Enormous Data Breach Just Got Even Bigger. Retrieved from https://www.forbes.com/sites/nickclements/2018/03/05/equifaxs-enormous-data-breach-just-got-even-bigger/#7e4d593953bc
  23. Gressin, S. (2018, March 13). The Equifax Data Breach: What to Do. Retrieved from https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
  24. Adams, R. L. (2017, May 5). Identity theft protection: 10 ways to secure your personal data. Retrieved April 19, 2018, from Forbes website: https://www.forbes.com/sites/robertadams/2017/05/05/identity-theft-protection-10-ways-to-secure-your-personal-data/#55cc87f62fde
  25. https://www.thesslstore.com/blog/equifaxs-cso-music-major-college/
  26. http://www.chicagonow.com/listing-beyond-forty/2017/09/equifax-cso-music-degree/
  27. https://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15
  28. David Thacker. (2018, December 18). Expediting changes to Google+. Retrieved from https://www.blog.google/technology/safety-security/expediting-changes-google-plus/
  29. Jordan Valinsky. (2018, November 30). Marriott reveals data breach of 500 million Starwood guests. Retrieved from https://www.cnn.com/2018/11/30/tech/marriott-hotels-hacked/index.html
  30. Guy Rosen. (2018, September 28). Security Update. Retrieved from https://newsroom.fb.com/news/2018/09/security-update/
  31. RSA Blogs. (2019, April 28). Retrieved from https://www.rsa.com/en-us/blog
  32. DeMasters, K. (n.d.). Financial Company Stocks Fare Worse After Data Breaches. Retrieved from https://www.fa-mag.com/news/financial-company-stocks-fare-worse-after-data-breaches-41528.html
  33. Morris, J., & Lavendera, E. (2012, August 23). Why big companies buy, sell your data. Retrieved April 19, 2018, from CNN website: https://www.cnn.com/2012/08/23/tech/web/big-data-acxiom/index.html
  34. Ellenberg, J., & Ellenberg, J. (2014, June 09). What's Even Creepier Than Target Guessing That You're Pregnant? Retrieved from https://slate.com/human-interest/2014/06/big-data-whats-even-creepier-than-target-guessing-that-youre-pregnant.html
  35. Paul, K. (2019, February 28). Even the CEO of Equifax has had his identity stolen - 3 times. Retrieved from https://www.marketwatch.com/story/even-the-ceo-of-equifax-has-had-his-identity-stolen-3-times-2019-02-27
  36. Preimesberger, C. (2015). Why Super Bowl Is a Gold Mine for Mobile-Device Hackers. Eweek, 1.
  37. Mediati, N. (2011). KEEP YOUR PC FROM BEING HACKED. Pcworld, 29(9), 63.