“Companies don’t go out of business due to a cybersecurity breach,” say several well-versed cybersecurity experts. When I give them counter-examples to disprove their point, they list it as an aberration.
Here’s a less catchy but more accurate statement: “Large companies usually don’t go out of business due to a large cybersecurity breach. They can often get by with their CEO, CIO, and/or CISO getting fired. Medium and small companies can go out of business or go bankrupt due to a cybersecurity breach.”
This article aims to explore some of the examples of bankrupt and out-of-business companies that were brought down by cybersecurity breaches. It is difficult to trace all bankruptcies to solely cybersecurity. Our standard for this article is that in the cases that we list, the breach significantly contributed to bankruptcy or led the company to cease operations.
Large Company Cybersecurity Breaches
We don’t need another article going over the Equifax, Marriott or Target breaches. For Equifax and Target, their CEO and CIO both left. Perhaps the only reason that Target is still in business following a breach affecting so many consumers that Target was so big to begin with! Target paid over $200 million for breach remediation with their insurance company paying the remaining $90 million.
Cybersecurity Breach Bankruptcy from Intellectual Property Cyber Theft
Having your intellectual property (IP) stolen can be a recipe for Chapter 11. Here are three businesses whose failures can be directly tied to an intellectual property breach. IP can lead to cybersecurity breach bankruptcy for even large enterprises.
There’s Westinghouse Nuclear, who had trade secrets and confidential communications from senior executives stolen by Chinese hackers. From the U.S. Justice Department indictment, “… [Wang] Sun[, alleged Chinese attacker,] stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings.”
China has over 40% of the nuclear power plants that are planned to come online in 2019 or 2020. Instead of contracting with Westinghouse Nuclear, they took some of its key technology to be able to build the plants themselves.
Westinghouse Nuclear went bankrupt in large part because they lost their competitive advantage due to IP theft.
Nortel Networks met a similar fate. After being compromised for nearly a decade, the Canadian telecommunications giant filed for bankruptcy. Huawei, the Chinese telecommunications company, largely benefited from Nortel IP which let it sell similar products for much lower prices.
Another example is SolarWorld, a leader in solar panel production until the theft of intellectual property led to bankruptcy, in 2017. The U.S. Justice Department indictment stated that China “stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications…”
The moral of the story is that if you are a large enterprise then you can go bankrupt through IP theft by China.
Securing Cryptocurrency Exchanges
Another category of businesses that have gone under are cryptocurrency exchanges. When an exchange fails to protect the cryptocurrency it is holding, the exchange can go out of business in short order. There are no failsafe measures with cryptocurrencies. When funds are stolen, they cannot be pulled back, like an ACH transfer might allow.
Mt. Gox, the one-time leading cryptocurrency exchange, was hacked in 2014, leading to its insolvency. It lost hundreds of millions of dollars worth of Bitcoins.
Then there’s the tale of YouBit – a South Korean exchange that found itself under the gun after an attack that some believe came from the democracy’s northern neighbor compromised 17% of the exchange’s total assets. After the second attack, it didn’t take long for Youbit to declare bankruptcy.
There is a fair chance that a cryptocurrency exchange could be hacked into bankruptcy!
Former Employee Threat Causing Cybersecurity Breach Bankruptcy
What about attacks from disgruntled former employees? That’s what happened at MyBizHomepage when, according to New York Times reports, the recently fired CTO began a cyber-attack on his former employer. The ex-CTO had built multiple “backdoor” entrances to the company’s software and used them to compromise the company’s software.
Protecting your organization from insiders and former insiders can be the difference for some companies that remain in business.
Wire Transfer Fraud into Cybersecurity Breach Bankruptcy
Wire transfer fraud is another real danger when it comes to data-breach-induced financial problems. In 2010, Little and King, LLC filed bankruptcy due to a loss of $164,000 in an online banking interface. The culprit? Wire transfer fraud – with actors conducting an elaborate round-robin money transfer system, and leaving the firm holding the bag. Eventually, with the help of some of the parties targeted for participation, law enforcement caught up to the problem- Little and King, LLC had a system that had been infected with the ZeuS Trojan, a malware that criminals have used in prior bank heists to make off with the cash while keeping the victim offline as documented by Krebs on Security.
We would suspect there are many other companies in this sort of situation – sitting ducks for people who are able to pull off digital currency and digital finance manipulations that simply ‘break money out of its cage.’ It’s a scary concept, and one that boards and executives should think about very carefully. In this day and age, when there’s so much questioning about money laundering, fraud, breaches and other issues, the financial world is going to have to batten down the hatches against intellectual property theft and other types of cyberattack.
When a Company Becomes “Collateral Damage”
Too often, firms end up becoming collateral damage from big headline events. For example, in 2015, Reuters reported that a company called Altegrity Risk International (ARI) filed for Chapter 11 bankruptcy after the U.S. government terminated two major contracts with them following a security intrusion said to be “state-sponsored”. ARI was responsible for the background checks on whistleblower Edward Snowden as well as Navy Yard shooter Aaron Alexis.
This is a textbook example of how a loss of reputation and a hit to a company’s services leaves a trail of devastation after a data breach or similar cybersecurity fiasco. It’s not unusual for a whole firm to become toast in these sorts of scenarios. This is a case of the Snowden insider threat undoing a company only tangentially related.
Here’s another example where a hack by an executive led to bankruptcy – the story of One World Labs in 2015 shows that even though there were no actual law enforcement actions against the company or its founder at the time of collapse, the critical mass of negative news was enough to shutter the company and again, leave it financially stranded as “collateral damage.” The CEO claimed with some credibility that he hacked an airplane. That hack did not have the desired effect, but it did bring down his company!
IT Vulnerabilities – Dangerous Obsolescence
Sometimes experts looking at a bankruptcy or collapse after the fact are astonished at the primitive nature of the IT systems of big and powerful firms. This is prominent in the case of Mossak Fonseca, the law office at the heart of the ‘Panama Papers’ debacle in 2016.
A Wired article looking into the state of Internet facing infrastructure at Mossak Fonseca found that the law firm’s front end computer systems were, in the words of Wired writers Matt Burgess and James Templeton, “riddled with security flaws”.
The company was using very outdated technologies and had failed to update its Outlook Web Access login. At the time, the company’s portal had at least 25 vulnerabilities including several high-risk ones.
You can imagine high-powered executives simply overlooking these sorts of problems as details, while chasing bigger and bigger profits – but you can also imagine the devastating consequences of this, and the regret that comes later as outsiders start looking into woefully insufficient IT systems.
Ransomware: “Pirates” on the Net
Among the bankruptcy-inducing cyberthreats that are out there, we shouldn’t forget about ransomware, which features prominently in the story of promotional company, Colorado Timberline.
This case happened just last year, with Promo Marketing Magazine reporting Colorado Timberline’s management announced closure, citing a ransomware attack that happened earlier in the year.
In the Colorado Timberline incident, the ransomware got onto their systems and locked their files. This is often how ransomware campaigns play out. Unfortunately, the ransomware wasn’t the one where they could just pay and get their systems up and running. The company had to announce that they were closing abruptly due.
Poor Key Management
In the cybersecurity world, digital keys are incredibly important to online operations.
In a telling example that InfoWorld called “Murder in the Amazon Cloud,” Code Spaces, a company that hosted source code repositories did the equivalent of leaving the keys in the car. When its AWS control panel was compromised by an attacker who took S3 object storage buckets and other key resources. Taking those pieces out of the puzzle led to the company’s eventual demise.
Next Steps
Did we miss any examples of cybersecurity breach bankruptcy? I’m sure we did. There were several cases we found where we suspected that a cybersecurity incident caused a company to go out of business. We didn’t opt to include a case where there wasn’t clear evidence that the breach was the main driver. Please send us a message about companies that we may have missed.
If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 297-9509 or by email at [email protected].
