In this article
Will Your Employees Take the Bait?
Find out how vulnerable your team is to phishing with a FREE diagnostic test!Get Started!
In this article
Find out how vulnerable your team is to phishing with a FREE diagnostic test!Get Started!
What are the costs of reputational damage caused by phishing and data breaches? In this article we’ll see that the answer to this question is not as obvious as it might seem. The 2015 Ashley Madison hack, for instance, suggests that in some cases reputational damage may not negatively affect a company’s image in the way it is expected to. Is reputational damage allegedly caused by phishing simply “much ado about nothing”?
For an ordinary user, reputational damage is sometimes at a directly personal level; however, phishers also target individuals in an effort to either breach the security of the companies they work for or hold sensitive personal data hostage in order to extort money from their employer or make other demands. They can do this by installing malware on an employee’s computer and accessing their company correspondence. We’ll see how this happened in the 2011 Sony PlayStation Network hack.
We’ll also see how customers of companies whose security has been breached are the first victims of reputational damage but they are not necessarily the main target of phishing attacks. The threat of reputational damage is sometimes used as a powerful weapon by phishers to get victims to accede to their demands.
We’ll also look at the key factors of reputational damage, like bad publicity, loss of customer trust, unstable management structures, poor staff morale and the cost of damage control. How are reputations damaged as a result of a phishing attack?
First, let’s take a brief look at what the term “phishing” means and why phishers do it. We’ll see that causing reputational damage is a core element of their attack strategy even when their ultimate goal may be something else.
“Phishing” is a contemporary term that describes the attempted theft of people’s sensitive information, e.g. user names, passwords, email addresses, account information, social security numbers, etc., that can be used to:
Sensitive information for a phisher includes not only a user’s bank account details or passwords. Name, age, email address, contacts, interests, hobbies; all these snippets of personal information can be used to a phisher’s advantage. For instance, a phisher could use information from a user’s social media profile to contact them, purportedly because they have shared interests. The next step in the scheme would be to get the user’s email address. After acquiring this, the phisher could send the user a phishing email from a different, fake account containing a malicious link in an attempt to trick the user into revealing their password, e.g. by sending an email purportedly from their email provider requesting they reset their password.
While stealing money is a powerful motive behind many malicious cyberattacks, it’s not the only one. Damaging a company’s reputation can be part of a strategy to further other goals, e.g. to:
Phishers can use a victim’s personal data to damage their reputation by:
The figures below suggest that reputational damage is perceived as inevitable after a cyberattack and has a measurable dollar value:
A separate but similar IBM study found that respondents considered reputational damage the highest measurable cost in the event of a data breach.
When JPMorgan Chase was hacked in 2014, it was one of the largest financial security breaches in history, affecting more than 83 million customers. However, the company reported its stock price barely budged. As we’ll see, Ashley Madison also appeared to shrug off negative publicity after a data breach that left millions caught literally with their virtual trousers down.
According to FT’s Jessica Twentyman, “While reputational damage is often presented by technology suppliers as the consequence of security breaches, evidence suggests the public has a short memory, though senior executives will continue to pay the price for a bad leak.”
She’s not alone in expressing this sentiment. Twentyman quotes Marc van Zadelhoff, vice-president of strategy in IBM’s security division: “The more frequently data breaches occur, the more desensitized people become, resulting in less of an impact to the brand’s reputation.” A Ponemon Institute study – The Aftermath of a Mega Data Breach: Consumer Sentiment – seems to confirm this. The study concluded that the reason many customers (more than 50%) did not take measures to protect themselves after a breach may have been the result “of data breach ‘fatigue’.” 30% of those surveyed received at least two data breach notifications and 15 percent received three in the last two years, while 10 percent received more than five.
And when it comes to costs, Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, puts the financial impact of Sony’s breach into perspective: “To give some scale to these losses, they represent from 0.9% to 2% of Sony’s total projected sales for 2014 and a fraction of the initial estimates.”
For smaller companies, however, cyberattacks can be financially back breaking. The Huffington Post calculated that 60% of small businesses that are hacked go out of business within six months. Unlike larger businesses, smaller ones don’t have the cash flow to sustain them when faced with legal fees, infrastructural damage, reputational damages, etc.
The following all contribute to damaging a company’s reputation, which may result in loss of earnings, degradation of the brand name, low staff morale, erosion of the company’s customer base, lawsuits from victims of security breaches, high costs of damage control by experts, PR and marketing headaches, and increased rivalry from competitors.
The case of Ashley Madison is a good example of personal reputational damage but, as we’ll see, it is primarily a story about phishers whose ulterior motive was to damage the company’s reputation in order to shut the company website down.
In July 2015 the Ashley Madison dating website was hacked. It was reported that data for almost 40 million user accounts was stolen, including names, credit card information and other personal details. What made the story particularly newsworthy was that the website was not just any old dating website; Ashley Madison was a playground for cheating partners.
Even if a website acts quickly to change its users’ passwords, the theft of only email addresses and names is still a lucrative catch for phishers. Some users anonymously commented that they “thankfully” used pseudonyms but unfortunately anyone who used a credit card was a sitting duck, as banks are generally unwilling to issue anonymous credit cards. Consequently, there were a number of reports of extortion and the scam was linked, at least by the media, to at least two suicides. The media, in a frenzy of reporting the scandal, speculated on the number of divorces that might result from the breach.
InfoWorld’s Paul Venezia took the potential consequences of the breach one step further: “… the group that took this data could possibly release it after adding hundreds of thousands of records from other data heists. People with no connection to Ashley Madison would be presumed guilty.” These innocent victims could in the future become additional targets for extortion and cyber bullying; a kind of two-for-the-price-of-one haul for phishers.
The hackers, calling themselves the Impact Team, announced that what they actually wanted was the complete shutdown of the Ashley Madison site. They were apparently only somewhat opposed to the nature of the website’s activities but had a real gripe about the company’s business ethics. One vital factor upon which a company’s reputation is based is being able to deliver on promises. The phishers referred to a promise by the company that it would delete users’ information for a $19 fee when in fact the company pocketed the fee but kept the information on the servers. The Impact Team also complained that the company used female “bots” or automated programs pretending to be women on the hunt for men.
The furor, in this instance, doesn’t seem to have dented the company’s popularity too much. How did things pan out?
In another reputational damage case where money was seemingly not the prime motive for the attack, in November 2014 confidential data from the film studio Sony Pictures Entertainment was released by a hacker group called Guardians of Peace (GOP). The information included personal staff information, sensitive employee emails, information about salaries (including those of executives) and copies of yet-unreleased films.
The attack was conducted using malware. Cylance security researchers called it “a well-crafted set of spear phishing attacks, centered around Apple ID verification.” In the attack, the hackers sent out a fake Apple ID verification email that tricked the victims into clicking to verify their ID. Faced with a password error page, the victims re-entered their data which the phishers were then able to capture and use to breach Sony’s security after which they installed their malware on the company server.
Some of Sony’s employees suffered serious reputational blows although it was Sony itself that got most of the bad press. Let’s summarize the reputational fallout:
Sony worked fast to try and prevent publication of confidential information but the internet is a difficult place to try and gag people. The cost of its humiliation has been estimated at around $1.5 billion. These costs include loss of earnings, legal fees, infrastructural costs and expert fees paid to assist in trying to salvage the brand name.
One of the biggest malware attacks in US retail history involved the theft of 40 million credit card numbers (as well as associated personal information linked to customers’ credit cards) between November 27 and December 15, 2013. The result: Target’s profit for the holiday shopping period fell 46% compared to the same quarter the year before. Bloomberg reported that more than 90 lawsuits were filed against Target by customers and banks for negligence and compensatory damages. That’s on top of other costs, which analysts estimated could run into the billions. Between December and February, Target spent $61 million responding to the breach.
The irony was that Target was warned of the breach by its own system but failed to respond to the alert. Journalists and security experts voiced incredulity, leaving Target red-faced and with its reputation badly dented.
Individual casualties of damaged reputations were Chief Information Officer Beth Jacob who resigned in March 2014, and Target CEO, President and Chairman Gregg Steinhafel who resigned from all his positions in May (but reportedly only partially as a result of the malware debacle).
Some customers vented their anger on social media but overall, their frustration appeared short-lived and limited to vocal outrage. In fact, Target appeared to suffer more reputational damage in a previous incident concerning dressing rooms for transgender customers.
Social media can be a thorn in the side of a company struggling to reverse reputational damage after a cyberattack. As an example, UK’s Reputation.org website cited the 2015 cyberattack against UK telephone company TalkTalk, who fell victim to a serious data breach in which confidential customer data was obtained. TalkTalk lost over 100,000 customers, and saw a drop in their share price.
In response to the scandal, there was an Internet uproar, particularly on Twitter. Reputation.org says the topic got 200,000 tweets in seven days and began trending. Initially, very little information was officially released to the public and customers, which further prompted negative online conversations surrounding the company.
You can read more about data breaches and reputational damage here: http://resources.infosecinstitute.com/the-cost-of-a-data-breach-how-harmful-can-a-data-breach-be/.