“Hundreds of millions of dollars, and perhaps much more, have been stolen from banks and financial services companies in recent years because of this alliance of traditional and digital criminals, with many victims not reporting the thefts for fear of reputational damage,” the Reuters story said. “Typically, security and cyber-crime experts say, hackers break into the computer systems of financial institutions and make, or incite others to make, fraudulent transactions to pliant accounts. Organised crime then uses techniques developed over decades to launder the money, giving the alliance much higher rewards than a hold-up or bank vault robbery, with much less risk.”
But let’s ponder a bit more about why companies would allow themselves to be placed in such a situation. One factor is that, even in the U.S. states that mandate disclosure, the laws offer a healthy amount of wiggle room. First, companies can be exempted from the requirement if law enforcement is willing to sign off on the need for secrecy during a post-breach probe. All too often, law enforcement is happy to do that. Moreover, the laws often are applicable only if the breach is a direct threat to consumer privacy. That becomes a judgment call — one that is made by people who have a very strong incentive to conclude that the breach is not a direct threat to privacy.
Because the decision to report a breach is not black and white, it’s easy to see why companies can end up saying, “All right, let’s not embarrass ourselves needlessly.” Think about it. Most Fortune 100 companies see a huge number of penetration attempts every day, and some of those attempts will get further than others. At what point do they cross the line into a breach? Lacking evidence that any data was accessed, most companies are going to decide that no reportable breach occurred. But does lack of evidence of success equal evidence of an attack’s failure? Of course not. Absence of evidence is not evidence of absence, least of all when the logs that would hold the evidence are incomplete or were never collected.
Consider a company that’s been subjected to a distributed denial-of-service attack. On its face, a DDoS attack does not involve data being stolen, so it’s easy for the fear of embarrassment to lead to a (seemingly justified) decision not to disclose. Besides, the parties rationalize, there’s probably not a lot that law enforcement can do that our own people can’t, so let’s just hire a confidential forensic security team and call it a day.
Ah, but what if the DDoS attack is only a diversion, so that your security people will be intently focused on fighting to keep the site up, leaving no one to notice that files are being accessed at the same time? By the time the DDoS is halted, the logs and other evidence of the real attack may already have been deleted or altered on the compromised hosts, which is why the logs that matter should be shipped off-host in real time to a store the attacker cannot reach. No breach detected, no breach reported. End of story? Yes, until the attackers contact the company with a blackmail demand.
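The diversion described above is detectable if the defender correlates two things the attacker hopes nobody will look at together: the time window of the flood, and what was touched on sensitive systems during it. The following is an added example, not code from the original article or from any product it mentions. The web access log, the audit log with auditd-style serial numbers, the `/srv/finance/` sensitive path and the `svc-backup` allow-listed account are all constructed for illustration. It finds the flood window from request rates, flags sensitive-file access by unexpected principals inside that window, and checks the audit serials for gaps, which are a cheap tripwire for records deleted after the fact.

```python
"""Correlate a DDoS window with sensitive-file access and audit-log gaps.

Added example with constructed sample logs; nothing here comes from a real incident.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_web_log():
    """Constructed web access log: sparse background traffic, then a 30-second
    flood of 100 requests/s from 150 distinct addresses starting at 10:05:00Z."""
    lines = []
    base = parse_ts("2024-05-01T10:00:00Z")
    for i in range(20):  # background: one request every 10 s
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.{i % 5 + 1} GET /index.html 200")
    flood_start = parse_ts("2024-05-01T10:05:00Z")
    for n in range(3000):
        t = flood_start + timedelta(seconds=n // 100)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.{n % 150 + 1} GET / 503")
    return lines


# Constructed host audit log: "<serial> <time> uid=<user> open <path>".
# Serials 1007-1011 are deliberately missing, as if records were deleted.
AUDIT_LOG = """\
1001 2024-05-01T10:01:12Z uid=alice open /home/alice/notes.txt
1002 2024-05-01T10:02:40Z uid=svc-backup open /srv/finance/ledger.db
1003 2024-05-01T10:04:55Z uid=bob open /home/bob/todo.txt
1004 2024-05-01T10:05:07Z uid=www-data open /srv/finance/ledger.db
1005 2024-05-01T10:05:09Z uid=www-data open /srv/finance/customers.csv
1006 2024-05-01T10:05:15Z uid=www-data open /etc/passwd
1012 2024-05-01T10:06:30Z uid=alice open /home/alice/notes.txt
"""


def flood_windows(web_lines, bucket_s=10, threshold=100):
    """Return merged [start, end) windows whose request count per bucket
    meets the threshold. Buckets are aligned to bucket_s seconds of epoch time."""
    counts = Counter()
    for line in web_lines:
        epoch = int(parse_ts(line.split()[0]).timestamp())
        counts[epoch - epoch % bucket_s] += 1
    windows = []
    for b in sorted(b for b, c in counts.items() if c >= threshold):
        start = datetime.fromtimestamp(b, timezone.utc)
        end = start + timedelta(seconds=bucket_s)
        if windows and windows[-1][1] == start:  # extend a contiguous window
            windows[-1] = (windows[-1][0], end)
        else:
            windows.append((start, end))
    return windows


def parse_audit(text):
    recs = []
    for line in text.splitlines():
        serial, ts, uid, _op, path = line.split()
        recs.append({"serial": int(serial), "ts": parse_ts(ts), "uid": uid[len("uid="):], "path": path})
    return recs


def suspicious_access(recs, windows, sensitive_prefixes, allowed_uids=frozenset()):
    """Serials of sensitive-path opens that fall inside a flood window and were
    not performed by an account expected to touch those paths."""
    prefixes = tuple(sensitive_prefixes)
    return [
        r["serial"]
        for r in recs
        if any(s <= r["ts"] < e for s, e in windows)
        and r["path"].startswith(prefixes)
        and r["uid"] not in allowed_uids
    ]


def serial_gaps(recs):
    """(first_missing, last_missing) ranges in the audit serial sequence.
    A gap means records are absent, whether rotated away or deleted by an intruder."""
    serials = [r["serial"] for r in recs]
    return [(a + 1, b - 1) for a, b in zip(serials, serials[1:]) if b != a + 1]


if __name__ == "__main__":
    windows = flood_windows(build_web_log())
    recs = parse_audit(AUDIT_LOG)
    print("flood windows:", [(s.isoformat(), e.isoformat()) for s, e in windows])
    print("sensitive access during flood:", suspicious_access(recs, windows, ["/srv/finance/"], {"svc-backup"}))
    print("audit serial gaps:", serial_gaps(recs))
```

Two caveats on the design. First, a serial-number check only catches clumsy deletion; an attacker with root on the host can rewrite the file to a clean sequence, which is why this check is useful only against a copy of the audit stream shipped off-host as it is generated, not against the local file. Second, the rate threshold and bucket size are placeholders; in practice the flood window would come from whatever the DDoS mitigation already records, and the correlation would be run over every host that holds data worth stealing, not just the web tier under attack.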