The Burden of Breach Notification
Recent Hacks Underscore Need for Customer Communication
The Gmail hack, allegedly perpetrated by a group from China, has raised serious concerns about e-mail vulnerability and the potential compromise of Gmail accounts held by U.S. government officials and employees.
The newly reported Sony Pictures hack - yet another purported cyberattack aimed at international corporate giant Sony - is being claimed by a hacking group called LulzSec. The group claims to have hacked SonyPictures.com and compromised more than 1 million user accounts. The same group also takes credit for the Memorial Weekend attack on PBS's "NewsHour," which led to the hijacking of the NewsHour website. Hackers posted fictitious content on the site, claiming deceased 1990s rapper Tupac Shakur was alive and well in New Zealand.
Those incidents came on the heels of attacks against government contractors Lockheed Martin Corp. and L-3 Communications Holdings Inc. Both hacks are suspected of being linked to the RSA Security breach that in March exposed technology behind RSA's SecurID multifactor authentication tokens.
Lockheed, the country's largest military contractor, says it is investigating the root of the Lockheed attack, discovered May 21.
Though no link between the RSA and Lockheed attacks has been confirmed, industry experts suggest the two are likely connected. Hackers behind the Lockheed attack are suspected of using information gathered during the RSA breach. And L-3, which was created from business units Lockheed spun off when it acquired Martin Marietta, is assumed to have been compromised in the same way in late May.
Dave Jevans, chairman of online security vendor IronKey as well as the Anti-Phishing Working Group, a consortium of more than 1,500 financial-services companies, Internet service providers, law enforcement agencies and technology vendors dedicated to fighting e-mail fraud and identity theft online, says Lockheed's breach is likely linked to RSA, but it won't be easy for investigators to connect the breach dots.
"There are many ways these two could be linked," Jevans says. "And it's probably not the most obvious link. That means any company or financial institution that relies on RSA tokens [like Lockheed and L-3] needs to think about what types of attacks could be launched against them with breached RSA data."
Worse, Jevans says, is the more insidious concern behind all of these recent incidents: "What does it mean for your customers? What could spear phishing do to your users?"
RSA's token technology is widely used and until the March hack had been regarded as a leading security authentication product. [See RSA Breach: What Did We Expect?]
Josh Corman, research director of enterprise security at analyst firm The 451 Group, says the March attack on RSA highlights the vulnerability of having all intellectual security property in one proverbial bucket.
"There's a broad trend here that the Internet is getting more hostile, that criminals are more determined; and when you think about Lockheed, if it's connected to RSA, there is a serious underground here that may or may not be connected to nation states," Jevans says. "We really need to think about how we are going to address all of this."
Notifying Consumers
At the core of these hacks is a deeper worry: What is the end goal? Most industry pundits speculate that the hackers' ultimate aim is to collect personally identifiable information, consumer data that can later be used to compromise identities, take over banking accounts and spy on the activities of corporations and government agencies. Once equipped with enough PII, hackers rely on phishing attacks to infiltrate systems and networks.
On June 2, concerns were aired before Congress, when the Subcommittee on Commerce, Manufacturing and Trade, part of the House of Representatives Energy & Commerce Committee, heard testimony from Sony and e-mail marketing provider Epsilon, about recent breaches at both companies. The collective incidents led to the exposure of PII on millions of consumers.
"We've been reminded that no one is immune to a cyberattack. We believe the attack on us was unprecedented in size and scope," said Tim Schaaff, president of Sony Network Entertainment International, a division of Sony. "We look forward to a national initiative that protects consumers."
During the hearing, both Sony and Epsilon told subcommittee members they support a national breach notification system, one that would trump the disjointed state notification laws that have, to date, made breach notification challenging. "Working with various notification laws from different states is confusing," said Jeanette Fitzgerald, general legal counsel of Epsilon Data Management LLC.
Sony's notification to consumers, which came seven days after the intrusion was detected, was criticized by subcommittee members. Sony also took a hit for relying too heavily on its blog for information dissemination, rather than contacting consumers directly with updates.
Notification is a problem, not only for global organizations like Sony, but smaller agencies and financial institutions as well, the APWG's Jevans says. While most businesses, agencies and banking institutions have historically relied on e-mail correspondence to notify consumers when breaches occur, e-mail is one of the worst communication routes. "The fraudsters are using e-mail to send out phishing e-mails, so sending out a notice about a breach that asks consumers to click on links is not a good idea," he says.
Over the last several weeks, the APWG has spearheaded a communication campaign built around Twitter. Jevans says several banks and credit unions have warmed to the idea of notifying consumers about breaches via real-time tweets, and the method seems to be working.
"Tweets are hard to spoof," Jevans says. "It's a really interesting development, and we see potential for Facebook as well."
While concerns about the security of social networking sites have long plagued the financial industry, Jevans says organizations need to start thinking about sites like Twitter and Facebook in a different way. "I think what banks and corporations need to do is start thinking about the social networking channel in the same way they think about domain names," he says. "You have your bank name on Twitter, so you need to be monitoring it to make sure fraudsters aren't setting up fake identities on there. Banks and businesses need to be keeping an eye on this anyway, and what better channel to use to monitor what's going on with your brand and get the word out about breaches to your customers?"
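Jevans' advice to treat the social networking channel like a domain name, monitoring it so fraudsters cannot set up fake identities under the bank's name, is the kind of check that can be automated. The following is an added example, not code from the article or from the APWG or IronKey: a small Python monitor that takes a brand's real handle and a batch of handles observed on a platform and flags the ones that imitate it through separators, confusable characters, accents, typos or suspicious affixes. The brand handle, the observed handles and the confusables table are all constructed assumptions for this example.

```python
import unicodedata
from typing import List, Tuple

# Small confusables table (an assumption for this example, not a complete list):
# digits and symbols commonly swapped in for look-alike Latin letters.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l", "!": "i",
}
SEPARATORS = "_.-"


def normalize(handle: str) -> str:
    """Canonical form of a handle for comparison: strip the leading '@', lowercase,
    fold accented Latin letters to their base letter, drop separators and map
    confusable digits/symbols to letters. NFKD folds e-acute to 'e' but not
    cross-script confusables such as Cyrillic 'a'; a Unicode TR39-style
    confusables table would be needed to catch those as exact lookalikes."""
    h = unicodedata.normalize("NFKD", handle.lstrip("@").lower())
    h = "".join(c for c in h if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in h if c not in SEPARATORS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), used to catch typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand: str) -> str:
    """Verdict for one observed handle relative to the brand's real handle."""
    if candidate.lstrip("@").lower() == brand.lstrip("@").lower():
        return "official"
    c, b = normalize(candidate), normalize(brand)
    if c == b:
        return "lookalike"   # differs only by case, separators, accents or confusables
    if b in c:
        return "affix"       # brand name embedded with extra text, e.g. "...Support"
    limit = 2 if len(b) >= 8 else 1   # tolerate fewer edits for short brand names
    if edit_distance(c, b) <= limit:
        return "typosquat"
    return "clear"


def monitor(brand: str, observed: List[str]) -> List[Tuple[str, str]]:
    """Return (handle, verdict) for every observed handle that warrants review."""
    flagged = []
    for handle in observed:
        verdict = classify(handle, brand)
        if verdict not in ("official", "clear"):
            flagged.append((handle, verdict))
    return flagged


# Constructed sample: a fictional bank's real handle and a batch of handles
# seen in a platform search for the brand name.
BRAND = "@ExampleBank"
OBSERVED = [
    "@ExampleBank", "@Examp1eBank", "@Example_Bank", "@ExampleBankSupport",
    "@ExmpleBank", "@\u00c9xamplebank", "@WeatherDaily",
]

if __name__ == "__main__":
    for handle, verdict in monitor(BRAND, OBSERVED):
        print(f"{handle:24} {verdict}")
```

The verdicts are triage hints for a brand-protection reviewer, not proof of fraud: an "affix" hit may be a legitimate regional account, and a "typosquat" hit may be an unrelated user. The value of the check is that it runs continuously against whatever the platform's search returns, which is the same posture banks already take with look-alike domain names.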