What are the costs of reputational damage caused by phishing and data breaches? In this article we’ll see that the answer to this question is not as obvious as it might seem. The 2015 Ashley Madison hack, for instance, suggests that in some cases reputational damage may not negatively affect a company’s image in the way it is expected to. Is reputational damage allegedly caused by phishing simply “much ado about nothing”?

For an ordinary user, reputational damage is sometimes at a directly personal level; however, phishers also target individuals in an effort to either breach the security of the companies they work for or hold sensitive personal data hostage in order to extort money from their employer or make other demands. They can do this by installing malware on an employee’s computer and accessing their company correspondence. We’ll see how this happened in the 2011 Sony PlayStation Network hack.

We’ll also see how customers of companies whose security has been breached are the first victims of reputational damage but they are not necessarily the main target of phishing attacks. The threat of reputational damage is sometimes used as a powerful weapon by phishers to get victims to accede to their demands.

We’ll also look at the key factors of reputational damage, like bad publicity, loss of customer trust, unstable management structures, poor staff morale and the cost of damage control. How are reputations damaged as a result of a phishing attack?

First, let’s take a brief look at what the term “phishing” means and why phishers do it. We’ll see that causing reputational damage is a core element of their attack strategy even when their ultimate goal may be something else.

What is phishing?

“Phishing” is a contemporary term that describes the attempted theft of people’s sensitive information, e.g. user names, passwords, email addresses, account information, social security numbers, etc., that can be used to:

  • Hijack individuals’ identities (for instance, by gaining access to their email password);
  • Scam contacts in a user’s personal and business network (for instance, by accessing their social or business networking profiles);
  • Steal directly from an individual’s accounts or purchase expensive resalable goods and services (for instance, by installing Trojan malware on a victim’s computer); and
  • Attack the companies the victims work for.

Sensitive information for a phisher includes not only a user’s bank account details or passwords. Name, age, email address, contacts, interests, hobbies; all these snippets of personal information can be used to a phisher’s advantage. For instance, a phisher could use information from a user’s social media profile to contact them, purportedly because they have shared interests. The next step in the scheme would be to get the user’s email address. After acquiring this, the phisher could send the user a phishing email from a different, fake account containing a malicious link in an attempt to trick the user into revealing their password, e.g. by sending an email purportedly from their email provider requesting they reset their password.

Phishers’ goals

While stealing money is a powerful motive behind many malicious cyberattacks, it’s not the only one. Damaging a company’s reputation can be part of a strategy to further other goals, e.g. to:

  • Extort money from or blackmail a victim.
  • Cripple business rivals by shutting down their businesses.
  • Fight personal wars, protest against political policies, voice social or community grievances or demonstrate solidarity with illegal or unpopular groups.
  • Protest against the kind of business dealings a company practices, e.g. animal testing.
  • Flaunt their technical skills in the phishing underworld.
  • Maliciously cause chaos, damage and fear; cyber bullying is an example of this.

The cost of reputational damage for individuals

Phishers can use a victim’s personal data to damage their reputation by:

  • Stealing their identities and using their credentials for illegal activities for which the victim gets blamed, or to bully, blackmail or intimidate the victim’s contacts.
  • Hijacking their personal information and using it to embarrass the victim, e.g. by publishing private correspondence or a victim’s secrets.
  • Sending out fake emails from the victim or publishing malicious posts on the internet, purportedly from the victim, in order to make them look bad.

The cost of reputational damage for businesses

The figures below suggest that reputational damage is perceived as inevitable after a cyberattack and has a measurable dollar value:

  • Marsh’s International Business Resilience Survey of 2015 found that 79% of 200 respondents believed damaged reputation after a sensitive data breach was 79% likely to happen.
  • A separate but similar IBM study found that respondents considered reputational damage the highest measurable cost in the event of a data breach.

  • According to a 2015 Information Security Breaches Survey by PwC, 41% of organizations that responded said that reputational damage was the worst aspect of a cyberattack. This figure was up from 30% in 2014.
  • PwC’s research (based on 75 responses from large companies and 47 responses from small companies) indicated that damage to reputation had a GBP value of £80,000 to £310,000 and £3,000 to £16,000 respectively.
  • A study by Semafone found that of 2,000 survey participants, nearly 87% would not (or were not very likely to) do business with a company that had faced a data breach involving credit or debit card information.
  • Backing the Semafone results up, a study by retailperceptions.com found that 12% of shoppers would stop shopping at a retailer hit with a breach, while 79% of shoppers who did return preferred to use cash as a method of payment as opposed to using credit or debit cards. In another study by the company, 64% of shoppers said that they accepted security breaches as part of the shopping process and 53% said that compromising their personal information was a risk they were willing to take in exchange for convenience. Yet, despite the apparent acceptance by shoppers of security breaches, retailperceptions.com observed that retailers may still see a change in shopper behavior as the result of a breach: 39% of shoppers said that they spent less than before at retailers who had experienced a security breach and 34% of shoppers don’t shop online due to fear of security breaches.

Is reputational damage after a phishing attack exaggerated?

When JPMorgan Chase was hacked in 2014, it was one of the largest financial security breaches in history, affecting more than 83 million customers. However, the company reported its stock price barely budged. As we’ll see, Ashley Madison also appeared to shrug off negative publicity after a data breach that left millions caught literally with their virtual trousers down.

According to FT’s Jessica Twentyman, “While reputational damage is often presented by technology suppliers as the consequence of security breaches, evidence suggests the public has a short memory, though senior executives will continue to pay the price for a bad leak.”

She’s not alone in expressing this sentiment. Twentyman quotes Marc van Zadelhoff, vice-president of strategy in IBM’s security division: “The more frequently data breaches occur, the more desensitized people become, resulting in less of an impact to the brand’s reputation.” A Ponemon Institute study – The Aftermath of a Mega Data Breach: Consumer Sentiment – seems to confirm this. The study concluded that the reason many customers (more than 50%) did not take measures to protect themselves after a breach may have been the result “of data breach ‘fatigue’.” 30% of those surveyed received at least two data breach notifications and 15% received three in the last two years, while 10% received more than five.

And when it comes to costs, Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, puts the financial impact of Sony’s breach into perspective: “To give some scale to these losses, they represent from 0.9% to 2% of Sony’s total projected sales for 2014 and a fraction of the initial estimates.”

For smaller companies, however, cyberattacks can be financially back-breaking. The Huffington Post calculated that 60% of small businesses that are hacked go out of business within six months. Unlike larger businesses, smaller ones don’t have the cash flow to sustain them when faced with legal fees, infrastructural damage, reputational damages, etc.

In what ways are reputations damaged by successful cyberattacks?

The following all contribute to damaging a company’s reputation, which may result in loss of earnings, degradation of the brand name, low staff morale, erosion of the company’s customer base, lawsuits from victims of security breaches, high costs of damage control by experts, PR and marketing headaches, and increased rivalry from competitors.

  • Business disruption: When a website goes offline, even for a short period, customers are unable to access their accounts and the organization is unable to sell their products and services online. This negatively impacts business operations and a company may lose customers to competitors perceived as more reliable.
  • Lawsuits: Litigation creates the perception in the public mind that a company is in the wrong. Lawsuits also provide negative material for news reports about a company.
  • Regulatory fines: Sony PlayStation Network was fined £250,000 by the UK’s Information Commissioner’s Office for what it called “a serious breach of the Data Protection Act.” Like lawsuits, fines create the perception a company has done something wrong and may lead to customers jumping ship to competitors.
  • Instability at management level: Shareholders may demand the resignation of executives and technical staff. Instability in the higher echelons is bad for staff morale and can make shareholders and customers nervous.
  • Negative media reports: Negative reporting can make a company appear untrustworthy, weak, ineffective, unresponsive, unstable, unfeeling (particularly if they don’t make apologies), unethical and sometimes, as in the example below, just plain stupid.
  • Employee perceptions and morale: In the event of a data breach, phishers may steal employees’ personal and salary data and use it to attack them or embarrass them by publishing it on the internet. A study by RiseSmart found that 16% of employees have posted negative comments on social media about the company they work for. With over 90% of people trusting recommendations from friends or family, the potential damage done to a company’s image from disgruntled employees can be significant.
  • Social media backlash: Angry customers who have been victims of data breaches, phishing or hack attacks may take to social and business media to vent their rage. A common complaint among customers and industry observers is a company’s failure to keep affected customers informed. After a hack attack on retail giant Target in 2013, the company’s response to a question as to whether the issue was resolved was: “Yes, Target moved swiftly to address this issue so guests can shop with confidence. We have identified and resolved the issue of unauthorized access to payment card data. The issue occurred between Nov. 27 and Dec. 15 and guests should continue to monitor their accounts.” Customers could be forgiven for asking what Target was doing while its customers were busy monitoring their own accounts.
  • High-profile embarrassment: Data breaches can result in the publication of embarrassing personal correspondence and confidential information like employee salaries, company strategy and budgets. In the Sony PlayStation Network incident, one of the items in the budget for the film “The Interview” was “a table of weed, coke, pills and panties.” All the toe-curling gossip about that data breach is publicly available on WikiLeaks.
  • Abnormal consumer churn rate: Loss of trust can result in lost customers. Security consultant Kroll estimated that the average abnormal consumer churn rate after data breaches between 2013 and 2014 increased by 15%.
  • Brand reputation: The study conducted by the Ponemon Institute – The Aftermath of a Mega Data Breach: Consumer Sentiment – also found that data breaches, poor customer service, and environmental disasters have a greater impact on brand reputation than publicized lawsuits, government fines, and labor or union disputes.

Personal Reputation Damage – Ashley Madison’s Reputation Apocalypse

The case of Ashley Madison is a good example of personal reputational damage but, as we’ll see, it is primarily a story about phishers whose ulterior motive was to damage the company’s reputation in order to shut the company website down.

In July 2015 the Ashley Madison dating website was hacked. It was reported that data for almost 40 million user accounts was stolen, including names, credit card information and other personal details. What made the story particularly newsworthy was that the website was not just any old dating website; Ashley Madison was a playground for cheating partners.

Even if a website acts quickly to change its users’ passwords, the theft of only email addresses and names is still a lucrative catch for phishers. Some users anonymously commented that they “thankfully” used pseudonyms but unfortunately anyone who used a credit card was a sitting duck, as banks are generally unwilling to issue anonymous credit cards. Consequently, there were a number of reports of extortion and the scam was linked, at least by the media, to at least two suicides. The media, in a frenzy of reporting the scandal, speculated on the number of divorces that might result from the breach.

InfoWorld’s Paul Venezia took the potential consequences of the breach one step further: “… the group that took this data could possibly release it after adding hundreds of thousands of records from other data heists. People with no connection to Ashley Madison would be presumed guilty.” These innocent victims could in the future become additional targets for extortion and cyber bullying; a kind of two-for-the-price-of-one haul for phishers.

The hackers, calling themselves the Impact Team, announced that what they actually wanted was the complete shutdown of the Ashley Madison site. They were apparently only somewhat opposed to the nature of the website’s activities but had a real gripe about the company’s business ethics. One vital factor upon which a company’s reputation is based is being able to deliver on promises. The phishers referred to a promise by the company that it would delete users’ information for a $19 fee when in fact the company pocketed the fee but kept the information on its servers. The Impact Team also complained that the company used female “bots”, automated programs pretending to be women on the hunt for men.

The furor, in this instance, doesn’t seem to have dented the company’s popularity too much. How did things pan out?

  • Ashley Madison never did shut down. They apologized in the media but nothing about the matter was published on the website.
  • Business Insider suggests that the scandal actually made the site more popular. The website still claims the same number of members as before.
  • The company did do some rebranding and also announced they would no longer use female bots.
  • While most victims aren’t suing Ashley Madison in a hurry (although some tried, unsuccessfully, to do so anonymously), the bill for those who did is mounting up and lawsuits aren’t great PR material.
  • While stolen data was only published on the Dark Web by the Impact Team, some of this data was copied and published on social media on the regular internet. Some of these entities were subsequently successfully sued.
  • A casualty of personal reputational damage in this case was CEO Noel Biderman who resigned.

Business Reputational Damage – Sony’s Hacking Saga

In another reputational damage case where money was seemingly not the prime motive for the attack, in November 2014 confidential data from the film studio Sony Pictures Entertainment was released by a hacker group called Guardians of Peace (GOP). The information included personal staff information, sensitive employee emails, information about salaries (including those of executives) and copies of yet-unreleased films.

The attack was conducted using malware. Cylance security researchers called it “a well-crafted set of spear phishing attacks, centered around Apple ID verification.” In the attack, the hackers sent out a fake Apple ID verification email that tricked the victims into clicking to verify their ID. Faced with a password error page, the victims re-entered their credentials, which the phishers were then able to capture and use to breach Sony’s security, after which they installed their malware on the company server.
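The Apple ID lure described above works because the message looks like it leads to Apple while the link actually leads elsewhere. The script below is an added example, not code from the article or from Cylance’s research: it scans an HTML email body for links whose visible text or wording implies one site while the href points to another, which is the kind of check a mail gateway or awareness tool can run before a user ever clicks. The sample message, the hostnames in it and the two-label domain approximation are all assumptions constructed for illustration.

```python
"""Flag links in an HTML email whose visible text or wording points
somewhere other than the real destination (the fake-verification lure).
Added example; the sample message and domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure; not a real message from any incident.
SAMPLE_EMAIL = """
<p>Your Apple ID was used to sign in from a new device.</p>
<p>Please <a href="http://appleid-verify.example-login.net/confirm">
https://appleid.apple.com/verify</a> to confirm it is you.</p>
<p>Or visit <a href="https://support.apple.com/">support.apple.com</a>.</p>
<p><a href="http://example-login.net/reset">Verify your Apple ID now</a></p>
"""

# Assumed brand-to-domain table; a real deployment would use a maintained list.
BRAND_DOMAINS = {"apple": "apple.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last-two-label approximation: 'appleid.apple.com' -> 'apple.com'.
    Assumption: no public-suffix list, which is fine for this illustration."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Host from a URL or bare hostname shown as link text ('' if none)."""
    candidate = text if "://" in text else "//" + text
    return urlparse(candidate).hostname or ""


def find_deceptive_links(html):
    """Return (href, text, reason) for links whose text implies another site."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = registered_domain(urlparse(href).hostname or "")
        shown = host_of(text.split()[0]) if text else ""
        if shown and "." in shown and registered_domain(shown) != real:
            # Visible URL/hostname differs from the true destination.
            findings.append((href, text, f"text shows {shown} but link goes to {real}"))
        elif any(b in text.lower() and real != d for b, d in BRAND_DOMAINS.items()):
            # Text names a brand but the destination is not that brand's domain.
            findings.append((href, text, f"brand wording but link goes to {real}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {text!r} -> {href} ({reason})")
```

Run on the constructed message, the first and third links are reported and the genuine support.apple.com link passes; the two checks deliberately stay separate so that a plain-text link with no brand words is still caught when its displayed URL disagrees with the href.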

Some of Sony’s employees suffered serious reputational blows although it was Sony itself that got most of the bad press. Let’s summarize the reputational fallout:

  • The first individual reputational casualty was Sony co-chairperson, Amy Pascal, who stepped down (and into another role at Sony). She was a victim of the leak of private correspondence that, with hindsight, she must have regretted digitally penning.
  • The GOP group demanded that Sony pull The Interview, a movie about a plot to assassinate North Korean leader Kim Jong-un. The group also threatened terrorist attacks at cinemas screening the film. After a number of major U.S. cinemas announced they wouldn’t screen the film, Sony cancelled the formal premiere and first released it digitally followed by limited screenings mainly at independent cinemas. Backing down left Sony looking vulnerable, feeble and directionless.
  • The terrorist angle led authorities to believe that North Korea, outraged by the film’s comedic look at North Korea’s presidency, was behind the attack. Public sentiment was that Sony had brought the attack on itself by offending a third world country. Sony was accused of being a cultural bully.
  • Sony’s security measures were brought into question, including an apparent Zero-Day vulnerability. According to Recode, Sony is not releasing information about the vulnerability, but it involves software coding errors that could have been used to breach security. These types of errors can be picked up by security researchers, ex-employees or hackers and sold to phishers on the black market.
  • Some executive and employee correspondence exposed internal rivalries, petty jealousies, thinly veiled racism in upper echelons and other company secrets; not a good look for the powers-that-be.
  • Employees received threatening messages and Sony admitted that some of their personal information was compromised. Sony offered current and former employees free identity and credit-theft protection through AllClearID, an identity protection service, but at least four former employees sued Sony for not protecting their private information from hackers. So, no employee of the month awards for Sony.
  • Celebrities tweeted their concerns about the future of free speech and artistic expression in the wake of Sony’s perceived capitulation to the attackers’ demands. The tweets were prophetic: Paramount and Fox soon after ducked out of their own North Korea projects.

Sony worked fast to try and prevent publication of confidential information but the internet is a difficult place to try and gag people. The cost of its humiliation has been estimated at around $1.5 billion. These costs include loss of earnings, legal fees, infrastructural costs and expert fees paid to assist in trying to salvage the brand name.

Target’s $61 Million Phishing Fiasco

One of the biggest malware attacks in US retail history involved the theft of 40 million credit card numbers (as well as associated personal information linked to customers’ credit cards) between November 27 and December 15, 2013. The result: Target’s profit for the holiday shopping period fell 46% compared to the same quarter the year before. Bloomberg reported that more than 90 lawsuits were filed against Target by customers and banks for negligence and compensatory damages. That’s on top of other costs, which analysts estimated could run into the billions. Between December and February, Target spent $61 million responding to the breach.

The irony was that Target was warned of the breach by its own system but failed to respond to the alert. Journalists and security experts voiced incredulity, leaving Target red-faced and with its reputation badly dented.

Individual casualties of damaged reputations were Chief Information Officer Beth Jacob who resigned in March 2014, and Target CEO, President and Chairman Gregg Steinhafel who resigned from all his positions in May (but reportedly only partially as a result of the malware debacle).

Some customers vented their anger on social media but overall, their frustration appeared short-lived and limited to vocal outrage. In fact, Target appeared to suffer more reputational damage in a previous incident concerning dressing rooms for transgender customers.

Walk the TalkTalk

Social media can be a thorn in the side of a company struggling to reverse reputational damage after a cyberattack. As an example, the UK’s Reputation.org website cited the 2015 cyberattack against UK telephone company TalkTalk, which fell victim to a serious data breach in which confidential customer data was obtained. TalkTalk lost over 100,000 customers and saw a drop in its share price.

In response to the scandal, there was an Internet uproar, particularly on Twitter. Reputation.org says the topic got 200,000 tweets in seven days and began trending. Initially, very little information was officially released to the public and customers, which further prompted negative online conversations surrounding the company.

Conclusion

  • Consumers have a short memory and may remain loyal in the long-run to companies who have been victims of reputational damage, but the costs of damage control are high, particularly for small businesses.
  • Company executives are first in the firing line after a cyberattack.
  • Employees need to be educated about the dangers of phishing, at home as well as at work, and be aware of the potential consequences of “loose lips.”
  • Data breaches should be handled transparently and proactively to avoid long-term reputational damage.

You can read more about data breaches and reputational damage here: http://resources.infosecinstitute.com/the-cost-of-a-data-breach-how-harmful-can-a-data-breach-be/.
