Managing your reputation in a crisis: cyber attacks and data breaches


Damage to organizations’ intangible assets has received increasing attention in the last few years. A recent study reported that in 2019 corporate reputation, one of the most important intangible assets, accounted for 35% of stock market valuations, 10 percentage points higher than the figure the World Economic Forum reported in 2012.

To showcase the different ways companies have reacted to reputation damage, PANTA RAY will publish a bi-monthly series of case studies. This issue covers two data breaches: Target (2013) and Ashley Madison (2015). For each, the analysis looks at the type of incident, the financial losses, the public statements and the corrective measures taken. The goal of the case studies is to provide guidelines for protecting a company’s reputation after a cyberattack.

Executive Summary

  • The cyberbreaches involving Target (2013) and Ashley Madison (2015) cost them a total of at least $300 million.
  • Crisis communication must be complete, accurate, and timely. Unclear and inaccurate information often results in public distrust.
  • Effective leadership means taking responsibility for the incident and having a well-defined and tested crisis response plan.
  • Current cyber risks extend to the supply chain, which falls within the responsibilities of the organization.

Target, 2013

During the 2013 Target data breach, an estimated 98 million customers had personal or financial details stolen during the winter holiday season. On December 19, 2013, Target made a public statement announcing that roughly 40 million credit and debit card numbers had been exposed between November 27th and December 15th. The statement came a day after security journalist Brian Krebs broke the story on his blog. The incident generated an estimated 600,000 tweets within two days and a flood of customer complaints that jammed Target’s website and customer service hotlines. Despite Target’s offer of a 10% discount on most items and free credit monitoring for those affected, customer perception of Target plummeted to its lowest point since June 2007.

Target executives met with the Department of Justice and the US Secret Service, and hired external experts to conduct an investigation. On December 27th, 2013, Target had to retract its earlier assurance that Personal Identification Numbers (PINs) had not been stolen, confirming that encrypted PIN data had been taken. During this period Target released only a few technical details about the attack, which fed extensive rumors about the scale of the breach and how long it had gone unnoticed. On January 10th, 2014, Target announced that an additional 70 million consumers had had personal information stolen, and lowered its fourth-quarter sales projection in anticipation of a weak performance.

Forensic analysis later established that the criminals had entered Target’s network using credentials stolen from Fazio Mechanical Services, a third-party vendor that provided heating, ventilation and air conditioning (HVAC) services to Target. From that foothold the attackers installed malware on Target’s point-of-sale (POS) terminals and captured card data for millions of customers. In March 2014 a Senate Commerce Committee staff report concluded that Target had failed to adequately protect its customers’ data.

Bob DeRodes, a former technology adviser to government agencies, took over as Target’s Chief Information Officer, while Target CEO Gregg Steinhafel resigned in May 2014. In its 2016 annual report Target stated that the data breach had cost it $292 million, more than half of which ($153.9 million) went to settlements. Target was able to partially offset these losses through a cyber-insurance policy.

Two years after the incident, YouGov BrandIndex data showed that Target had taken 373 days to return to its pre-crisis level of consumer perception, and that it held that level only briefly before further ups and downs. On the technical side, Target rolled out EMV-compliant POS terminals nationwide and re-issued its REDcards as chip-and-PIN cards. Besides joining two cybersecurity threat-sharing initiatives, it added security improvements such as monitoring and logging of system activity, application whitelisting on POS systems and POS management tools, and limited or disabled network access for vendors.
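The Target intrusion described above turned a vendor’s credentials into a path to the POS segment, and two of the controls listed in the paragraph above (logging of system activity and limiting what vendor accounts may reach) are exactly what would have surfaced that path early. The following is an added example, not Target’s tooling or data and not part of the original case study: a least-privilege allow-list for account classes mapped onto network zones, applied to a set of constructed authentication log lines. Every zone, account name, address and log line here is hypothetical and chosen only to illustrate the pattern.

```python
"""Added example: flag vendor accounts that reach zones outside their allow-list.

All zones, accounts, addresses and log lines below are constructed for
illustration; they are not taken from any real breach or product.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical network zones. A vendor such as an HVAC contractor should be
# able to reach its own management hosts and nothing else; the POS segment
# in particular must never be reachable with vendor credentials.
ZONES = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "hvac_mgmt": ipaddress.ip_network("10.20.0.0/24"),
    "pos": ipaddress.ip_network("10.30.0.0/24"),
    "corp": ipaddress.ip_network("10.40.0.0/16"),
}

# Least-privilege policy: the zones each class of account is allowed to log into.
ALLOWED_ZONES = {
    "vendor": {"vendor_portal", "hvac_mgmt"},
    "pos_admin": {"pos"},
    "employee": {"corp"},
}

# Hypothetical account inventory. Anything not listed here is treated as suspicious.
ACCOUNT_CLASS = {
    "hvac-contractor": "vendor",
    "pos-deploy": "pos_admin",
    "jdoe": "employee",
}

# Constructed log format: "<timestamp> auth user=<u> src=<ip> dst=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    dst: str
    reason: str


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert when the line violates the allow-list, else None.

    Failed attempts are reported as well: a vendor account probing the POS
    segment is worth knowing about whether or not the login succeeded.
    """
    m = LOG_RE.match(line)
    if not m:
        # Silently dropping unparseable lines would hide evasion, so flag them.
        return Alert("?", "?", "?", "unparseable log line")
    ts, user, dst, result = m["ts"], m["user"], m["dst"], m["result"]
    cls = ACCOUNT_CLASS.get(user)
    if cls is None:
        return Alert(ts, user, dst, f"unknown account ({result})")
    zone = zone_of(dst)
    if zone is None:
        return Alert(ts, user, dst, f"destination in no known zone ({result})")
    if zone not in ALLOWED_ZONES[cls]:
        return Alert(ts, user, dst, f"{cls} account reached zone '{zone}' ({result})")
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run check_line over a batch of log lines and collect the alerts."""
    return [a for a in (check_line(line) for line in lines) if a is not None]


# Constructed sample log: one legitimate vendor login, one vendor login into
# the POS segment, one legitimate POS admin login, one unknown account.
SAMPLE_LOG = [
    "2013-11-15T09:12:01Z auth user=hvac-contractor src=10.10.0.5 dst=10.20.0.7 result=success",
    "2013-11-15T09:30:44Z auth user=hvac-contractor src=10.10.0.5 dst=10.30.0.12 result=success",
    "2013-11-15T10:02:10Z auth user=pos-deploy src=10.40.3.9 dst=10.30.0.12 result=success",
    "2013-11-15T10:05:00Z auth user=unknown-svc src=10.10.0.9 dst=10.30.0.3 result=failure",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} ALERT user={a.user} dst={a.dst}: {a.reason}")
```

Run as-is, the script prints two alerts: the vendor account reaching the POS zone and the login attempt by an account not in the inventory. The policy is deliberately expressed per account class rather than per user so that onboarding a new contractor means adding one inventory entry, not a new rule; the network-side equivalent (firewall or VLAN rules enforcing the same zone matrix) is what actually blocks the traffic, and this kind of log check is the detective control that tells you when the preventive one has a gap.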

Ashley Madison, 2015

Described as historic, the Ashley Madison breach not only exposed passwords, pictures and personal information but also deeply damaged the reputations of the individuals involved. Ashley Madison is a dating service for people who are married or in a relationship. At the time of the breach, Ashley Madison boasted a user community of roughly 37 million people. The company belongs to the parent firm Avid Life Media (ALM), which also runs other brands such as Established Men.

On July 12th, 2015, employees of Avid Life Media received a ransom message from The Impact Team, threatening to release customer information to the public unless the Ashley Madison and Established Men websites were taken down. A week later, The Impact Team published a warning on Pastebin giving Avid Life Media a 30-day ultimatum to take the websites offline before the data would be released. The following day, ALM released statements confirming the breach and declaring that an investigation was under way. On July 22nd, 2015, The Impact Team released personal information on two Ashley Madison customers, the first data leak from the breach.

The 30-day ultimatum expired on August 18th, 2015, with both websites still running. The Impact Team then published a Pastebin post titled “TIME’S UP” with a roughly 10 GB dump of email addresses, names, phone numbers and credit card transaction data of Ashley Madison users. Raja Bhatia, the company’s founding Chief Technology Officer, said in an interview that most of the data was fake and that the company did not store credit card information. Within hours, however, KrebsOnSecurity confirmed through multiple sources that the leak was legitimate.

On August 20th, 2015, The Impact Team leaked another 20 GB of internal data, including the emails of Ashley Madison’s CEO Noel Biderman. Three days later came a third leak: a full list of government email addresses used to subscribe to Ashley Madison, including email and IP addresses, subscription dates and the total time each account had spent on the website.

As a consequence, on August 24th, 2015, Ashley Madison was hit with a $578 million class action lawsuit filed by two Canadian law firms on behalf of the 39 million users whose data had been compromised, including those who had paid to have their accounts deleted. Toronto police also reported two unconfirmed suicides linked to the leak. Ashley Madison then announced a $500,000 bounty for information about The Impact Team or the attack.

The Impact Team continued publishing the compromised data, which led to blackmail attempts against exposed users. On August 28th, 2015, Noel Biderman stepped down as CEO, the company stating that the decision was in its best interest. Security researcher Gabor Szathmari found hard-coded credentials and other serious weaknesses in the leaked Ashley Madison source code, and also showed that the site did not verify email addresses at sign-up, so anyone’s address could be registered without the owner’s knowledge.

Ashley Madison also settled with the US Federal Trade Commission for $1.6 million over lax online security, misleading users and creating fake female profiles to lure male users, and in 2017 paid $11.2 million to settle the US litigation. As part of the FTC settlement, Ashley Madison had to commit to improvements in its data security program, such as two-factor authentication.