Some companies care about the security of their software, some don’t. Adding security as an afterthought costs more than developing applications securely from the very beginning. The losses brought on by bad data security are not only financial, in the form of lawsuits and refunds to clients, but also include employee overtime and the fees of external professionals brought in to mitigate the incident.
As an attempt to fix this issue at the governmental level, security and privacy by design became the cornerstones of the General Data Protection Act, created to enforce better user privacy and data security in the EU (in the obvious hope that the rest of the world will follow suit). But is this enough to make companies care more about security?
According to a Kaspersky security report from 2016, enterprises spend 19% of the total per-incident loss mitigation budget on employee training and help from external experts (with the total cost averaging out at $86,500 for small to medium companies and $861,000 for medium to large enterprises, increasing in direct proportion to the time it takes to discover the incident).
Another catastrophic consequence of data leaks is the loss of client trust. For some products or companies this is synonymous with the death of the business. For companies with larger budgets and a wider margin for error, it means dedicating considerable skill and effort to mitigating the discovered security incident.
Why are there hacks and leaks in the first place? According to a report by Shape Security, almost 90% of the login attempts made on online retailers’ websites are “hackers” using stolen data. Many of the security breaches that put that data into attackers’ hands were caused by flaws in payment systems and in vulnerable apps that were taken advantage of.
Bad security decisions (or a total lack of them) bring profit to malicious attackers and financial losses to companies. But why is it so hard to develop secure applications right from the start and then concentrate on the day-to-day business?
Estimating the real positive value of data security is hard. The problem is that we usually deal with “negative security”, whose immediate and obvious value is negative. Working security is essentially an absence: the absence of a realised threat. Because it yields no immediate results or profits, it is treated as negative value.
To put a positive value on security, it helps to understand what could happen and how much it could cost. Let’s see what tangible losses leaks and vulnerabilities brought to small and large businesses in 2018. Tech startups, medium-sized private businesses and huge enterprises were selected for the following overview to cover the whole range of businesses that bad security can affect.
Google+. Completely shut down by Alphabet, not as a result of the glaring unpopularity of the social network, but because of a discovered API vulnerability. The flaw made it possible for third-party app developers to access user data. According to the Wall Street Journal, the data of around 500,000 users was exposed; at first Google didn’t disclose the breach, then opted to shut the service down for good.
Losses: kill-off of a major product (operational costs of the emergency shutdown), reputational damage.
British Airways. Hacked by a group of cyber criminals between late August and early September 2018. Financial information (credit card numbers, CVC codes, etc.) was stolen from around 380,000 payment transactions. The company put out a statement asking clients to contact their banks to assess the damage. Affected users will be reimbursed for their losses and for credit card checking and processing services.
Losses: refunds, reputational damage.
Facebook. Although Facebook has been on a downward spiral of data breaches since the Cambridge Analytica scandal, some companies just don’t learn their lessons, so there was another notable security incident at Facebook this year. 87 million records are known to have been breached in March (although it’s suspected that many more accounts were affected), and another 90 million Facebook users suffered from a breach caused by a vulnerability in the “view as” feature. Access tokens were stolen for around 50 million people, and 40 million more were exposed. In both cases the culprit was nothing other than carelessness and bad security.
Losses: reputational damage for the company and its top management, a $1.63 billion GDPR-induced fine (at the time of writing), temporary suspension of the “view as” feature, a security audit.
Uber. The actual breach that exposed data belonging to 57 million Uber users took place in 2016 (and was only revealed in November 2017), but in 2018 it was finally followed by a $148 million fine for failing to disclose the details of the data loss (as reported by the BBC). To make matters more interesting, Uber first tried to bribe the attackers with $100,000 to make them delete the stolen data.
Losses: multi-million fine and an attempt to pay off the data thieves, reputational damage.
Timehop, a “close friend” of Facebook, lets users see what they did on a specific day in the past. In July 2018 the company detected an ongoing attack that exposed users’ email addresses and keys. 21 million users were affected, and the company had to invalidate all of its older API credentials, deactivate existing user tokens and dedicate a lot of operational work to making sure the attack was fully mitigated.
Losses: leaked user data, reputational damage, employees’ efforts directed at attack mitigation instead of developing and supporting the actual product.
MyHeritage. 92 million users of the DNA-analysis start-up were affected by a leak when their email addresses and password information were stolen and passed to third-party researchers. The incident came to light in June, when a file labelled “myheritage” was found on a private server that did not belong to MyHeritage. Inspection of the file revealed that it contained the login information (with hashed passwords) of every user who had signed up for the service before late October 2017.
Losses: reputational damage, possible future lawsuits.
AgentRun. A startup that creates software for independent insurance brokers carelessly exposed sensitive data (personal details and medical information) of thousands of insurance policy holders. The data was stored in a misconfigured Amazon S3 storage bucket, where the customers’ highly sensitive personal data could be read by anyone. The bucket was secured within an hour of the discovery, but it is still unclear how many customers were affected.
Losses: reputational damage, huge potential for future privacy-related lawsuits.
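The S3 exposure described above is the kind of thing that can be checked for offline, before a bucket ever goes live. What follows is an added example, not code from the original post or from AgentRun: it reads a bucket policy document in the JSON format AWS uses, together with a dict modelled on the four Block Public Access settings, and reports every Allow statement whose Principal is everyone. The policy, the settings, the bucket name, the account id and the role name are all constructed placeholders.

```python
"""Offline check for a publicly readable S3 bucket policy.

Added example, not the original post's or AgentRun's code. The policy
below is a constructed sample; the bucket name, account id and role are
placeholders.
"""
import json

# Constructed sample: a bucket policy that lets anonymous users list the
# bucket and read every object. This is the classic "public bucket" mistake.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-broker-data",
                "arn:aws:s3:::example-broker-data/*",
            ],
        },
        {
            "Sid": "AppAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-broker-data/*",
        },
    ],
})

# Modelled on the S3 "Block Public Access" settings; all four off means
# nothing stops a public policy or ACL from taking effect.
SAMPLE_BLOCK_CONFIG = {
    "BlockPublicAcls": False,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True if the Principal element means 'anyone', anonymous users included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return the Allow statements that are open to everyone.

    Statements carrying a Condition are reported too: a condition such as
    aws:SourceIp may narrow access, but a human still has to review it.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{index}]"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_access_blocked(block_config):
    """True only when every Block Public Access setting is switched on."""
    return all(block_config.get(key) is True for key in BPA_KEYS)


def assess_bucket(policy_json, block_config):
    """Summarise exposure: public statements, and whether the block would stop them."""
    findings = find_public_statements(policy_json)
    blocked = public_access_blocked(block_config)
    return {
        "public_statements": findings,
        "block_public_access": blocked,
        "exposed": bool(findings) and not blocked,
    }


if __name__ == "__main__":
    report = assess_bucket(SAMPLE_POLICY, SAMPLE_BLOCK_CONFIG)
    for finding in report["public_statements"]:
        print(f"public statement {finding['sid']}: {', '.join(finding['actions'])}")
    print("exposed:", report["exposed"])
```

Run against the sample, the check flags only the PublicRead statement; the AppAccess statement, scoped to one IAM role, is left alone. Turning all four Block Public Access settings on makes the same bucket report as not exposed even while the public statement is still present, which is the order a clean-up should follow: block first, then fix the policy.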
University of Greenwich. Time is no obstacle when it comes to being held responsible for leaking sensitive information, and neither is being an educational establishment rather than a business. A leak that took place back in 2004, exposing 19,500 records containing sensitive details on the UK university’s students (health conditions, addresses, etc.), was finally hit with a £120,000 fine.
Losses: court fine, reputational damage.
MyFitness Pal. In March 2018, an app by fitness retailer Under Armour leaked personal user data (emails, passwords, location, etc.) belonging to 150 million users. The breach was disclosed within a week. Although the stolen passwords were hashed, the company admitted that only some of them had been processed with the bcrypt function, while the others were protected by SHA-1, a fast general-purpose hash whose output can be cracked.
Losses: reputational damage, further possible negative consequences due to compromised user passwords.
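The gap between the two hashing schemes mentioned above is concrete enough to show in code, along with the one thing a company in that position can do about it: upgrade each legacy hash at the moment the user next logs in. This is an added example, not code from the original post or from Under Armour. It uses hashlib.pbkdf2_hmac from the Python standard library as a stand-in for bcrypt (bcrypt needs a third-party package), so the cost knob is an iteration count rather than bcrypt’s work factor; the user records are constructed, and the SHA-1 records are assumed to be unsalted, as plain SHA-1 password storage usually is.

```python
"""Legacy unsalted SHA-1 versus a slow, salted password hash, with
upgrade-on-login.

Added example; not the original post's or Under Armour's code. PBKDF2
stands in for bcrypt here. User records are constructed.
"""
import hashlib
import hmac
import os

# Iteration count for the slow scheme; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000


def sha1_legacy(password):
    """The weak scheme: one fast, unsalted hash. Same password, same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """The strong scheme: a random per-user salt and a deliberately slow derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record, password):
    """Check a password against a stored record of either scheme ('scheme$...')."""
    if record.startswith("sha1$"):
        expected = record.split("$", 1)[1]
        return hmac.compare_digest(sha1_legacy(password), expected)
    if record.startswith("pbkdf2_sha256$"):
        _, iterations, salt_hex, _ = record.split("$")
        candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, record)
    raise ValueError("unknown hash scheme")


def login_and_upgrade(users, username, password):
    """Verify the login; if the stored hash is legacy SHA-1, rehash it now.

    The plaintext is only available at login, so this is the one moment a
    legacy hash can be replaced without forcing a password reset.
    """
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if record.startswith("sha1$"):
        users[username] = pbkdf2_hash(password)
    return True


def count_legacy(users):
    """How many accounts still sit on the weak scheme (a migration metric)."""
    return sum(1 for record in users.values() if record.startswith("sha1$"))


def shared_legacy_digests(users):
    """Group users whose legacy SHA-1 records are identical.

    Without a salt, everyone with the same password has the same digest, so
    one cracked digest (or one precomputed table) unlocks all of them at once.
    The salted scheme never produces this pattern.
    """
    by_digest = {}
    for name, record in users.items():
        if record.startswith("sha1$"):
            by_digest.setdefault(record, []).append(name)
    return {d: names for d, names in by_digest.items() if len(names) > 1}


# Constructed user store: two legacy accounts sharing a password, one
# account already on the slow scheme.
USERS = {
    "alice": "sha1$" + sha1_legacy("correct horse"),
    "bob": "sha1$" + sha1_legacy("correct horse"),
    "carol": pbkdf2_hash("correct horse"),
}


if __name__ == "__main__":
    store = dict(USERS)
    print("legacy accounts before:", count_legacy(store))
    print("users sharing a legacy digest:", list(shared_legacy_digests(store).values()))
    print("alice login:", login_and_upgrade(store, "alice", "correct horse"))
    print("legacy accounts after:", count_legacy(store))
```

Two things are visible in the sample store: alice and bob have byte-identical SHA-1 records, because an unsalted hash leaks password reuse and lets one guess cover both accounts, while two PBKDF2 hashes of the same password never match. After alice logs in, her record is silently moved to the slow scheme and the legacy count drops by one; the remaining legacy accounts can be tracked with count_legacy until a cut-off date, after which forcing a reset is the only option left.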
If you want peace, prepare for war. Common sense, actually caring about the possible consequences, setting incident response and mitigation policies and starting out with security in mind should be step one. Better control over confidential data, using encryption and managing encryption keys correctly, using (and testing) backups, keeping security practices up to date, auditing user activity and educating non-technical and technical staff (imposing sound security-oriented BYOD policies, creating and maintaining a certain level of security awareness, etc.) are the other must-haves.
Until the mid-2000s, data protection was only crucial for governmental and military projects. Today nearly every startup or major company operates on huge volumes of user records, websites collect device fingerprints, and we are all tracked by public Wi-Fi networks. The data itself and the processes surrounding it have become core business assets and should be protected as such. Not only because of the imposed laws and regulations, but because data breaches (caused either by competitors’ attacks or by employees’ own carelessness or malice) lead to direct financial and reputational losses.
Modern software development is not yet ready for the demands of secure software development: few people understand that “high-quality software” means not only stable, beautiful and fast, but also safe applications and websites. But the demand for user privacy continues to grow, and so do the fines for failing to comply with privacy regulations. The time to create secure software has come.