“Companies don’t go out of business due to a cybersecurity breach,” say
several well-versed cybersecurity experts. When I give them counter-examples to
disprove their point, they list it as an aberration.
Here’s a less catchy but more accurate statement: “Large companies usually don’t go out of business due to
a large cybersecurity breach. They can often get by with their CEO, CIO, and/or
CISO getting fired. Medium and small companies can go out of business or go bankrupt due to a cybersecurity
breach.”
This article aims
to explore some of the examples of bankrupt and out-of-business companies that
were brought down by cybersecurity breaches. It is difficult to trace all
bankruptcies to solely cybersecurity. Our standard for this article is that in
the cases that we list, the breach significantly contributed to bankruptcy or led
the company to cease operations.
Large Company Cybersecurity
Breaches
We don’t need another article going over the Equifax, Marriott or Target
breaches. For Equifax and Target , their CEO and CIO
both left. Perhaps the only reason that Target is still
in business following a breach affecting so many consumers that Target was so
big to begin with! Target paid over $200 million for
breach remediation with their insurance company paying the
remaining $90 million.
Cybersecurity Breach Bankruptcy from Intellectual Property Cyber Theft
Having your intellectual property (IP) stolen can be a recipe for Chapter 11. Here are three businesses whose failures can be directly tied to an intellectual property breach. IP can lead to cybersecurity breach bankruptcy for even large enterprises.
There’s Westinghouse Nuclear, who had
trade secrets and confidential communications from senior executives stolen by
Chinese hackers. From the U.S. Justice Department indictment , “… [Wang] Sun[, alleged Chinese
attacker,] stole confidential and proprietary technical and design
specifications for pipes, pipe supports, and pipe routing within the AP1000
plant buildings.”
China has over 40% of the nuclear power plants that are planned to come online in
2019 or 2020. Instead of contracting with Westinghouse Nuclear, they took some
of its key technology to be able to build the plants themselves.
Westinghouse Nuclear went bankrupt in
large part because they lost their competitive advantage due to IP theft.
Nortel Networks met a similar fate.
After being compromised for nearly a decade, the Canadian telecommunications
giant filed for bankruptcy. Huawei, the Chinese telecommunications company, largely benefited from Nortel IP which let it sell similar products for
much lower prices.
Another example is SolarWorld, a leader in solar panel
production until the theft of intellectual property led to bankruptcy, in 2017.
The U.S. Justice Department indictment stated that China “stole thousands of
files including information about SolarWorld’s cash flow, manufacturing
metrics, production line information, costs, and privileged attorney-client
communications…”
The moral of the story is that if you are a
large enterprise then you can go bankrupt through IP theft by China.
Securing
Cryptocurrency Exchanges
Another category of businesses that have gone
under are cryptocurrency exchanges. When an exchange fails to protect the cryptocurrency
it is holding, the exchange can go out of business in short order. There are no
failsafe measures with cryptocurrencies. When funds are stolen, they cannot be
pulled back, like an ACH transfer might allow.
Mt.
Gox , the one-time leading
cryptocurrency exchange, was hacked in 2014, leading to its insolvency. It lost
hundreds of millions of dollars worth of Bitcoins.
Then there’s the tale of YouBit – a South Korean exchange that found itself under the gun after
an attack that some believe came from the democracy’s northern neighbor
compromised 17% of the exchange’s total assets. After the second attack, it
didn’t take long for Youbit to declare bankruptcy.
There is a fair chance that a cryptocurrency
exchange could be hacked into bankruptcy!
Former
Employee Threat Causing Cybersecurity Breach Bankruptcy
What about attacks from disgruntled former
employees? That’s what happened at MyBizHomepage
when, according to New York Times reports , the recently fired CTO began a cyber-attack
on his former employer. The ex-CTO had
built multiple “backdoor” entrances to the company’s software and used them to
compromise the company’s software.
Protecting your organization from insiders and
former insiders can be the difference for some companies that remain in
business.
Wire
Transfer Fraud into Cybersecurity Breach Bankruptcy
Wire transfer fraud is another real danger when it comes to data-breach-induced financial problems. In 2010, Little and King, LLC filed bankruptcy due to a loss of $164,000 in an online banking interface. The culprit? Wire transfer fraud – with actors conducting an elaborate round-robin money transfer system, and leaving the firm holding the bag. Eventually, with the help of some of the parties targeted for participation, law enforcement caught up to the problem- Little and King, LLC had a system that had been infected with the ZeuS Trojan, a malware that criminals have used in prior bank heists to make off with the cash while keeping the victim offline as documented by Krebs on Security.
We would suspect there are many other
companies in this sort of situation – sitting ducks for people who are able to
pull off digital currency and digital finance manipulations that simply ‘break
money out of its cage.’ It’s a scary concept, and one that boards and
executives should think about very carefully. In this day and age, when there’s
so much questioning about money laundering, fraud, breaches and other issues,
the financial world is going to have to batten down the hatches against
intellectual property theft and other types of cyberattack.
When
a Company Becomes “Collateral Damage”
Too often, firms end up becoming collateral damage from big headline events. For example, in 2015, Reuters reported that a company called Altegrity Risk International (ARI) filed for Chapter 11 bankruptcy after the U.S. government terminated two major contracts with them following a security intrusion said to be “state-sponsored”. ARI was responsible for the background checks on whistleblower Edward Snowden as well as Navy Yard shooter Aaron Alexis.
This is a textbook example of how a loss of
reputation and a hit to a company’s services leaves a trail of devastation
after a data breach or similar cybersecurity fiasco. It’s not unusual for a
whole firm to become toast in these sorts of scenarios. This is a case of the
Snowden insider threat undoing a company only tangentially related.
Here’s another example where a hack by an
executive led to bankruptcy – the story of One World Labs in 2015 shows that even though there were no actual
law enforcement actions against the company or its founder at the time of
collapse, the critical mass of negative news was enough to shutter the company
and again, leave it financially stranded as “collateral damage.” The CEO
claimed with some credibility that he hacked an airplane. That hack did not
have the desired effect, but it did bring down his company!
IT
Vulnerabilities – Dangerous Obsolescence
Sometimes experts looking at a bankruptcy or
collapse after the fact are astonished at the primitive nature of the IT
systems of big and powerful firms. This is prominent in the case of Mossak Fonseca, the law office at the heart of the ‘Panama Papers’ debacle in 2016.
A Wired article looking into the state of Internet
facing infrastructure at Mossak Fonseca found that the law firm’s front end computer systems were, in the
words of Wired writers Matt Burgess and James Templeton , “riddled with security flaws”.
The company was using very outdated
technologies and had failed to update its Outlook Web Access login. At the
time, the company’s portal had at least 25 vulnerabilities including several
high-risk ones.
You can imagine high-powered executives simply
overlooking these sorts of problems as details, while chasing bigger and bigger
profits – but you can also imagine the devastating consequences of this, and
the regret that comes later as outsiders start looking into woefully
insufficient IT systems.
Ransomware:
“Pirates” on the Net
Among the bankruptcy-inducing cyberthreats that are out there, we shouldn’t forget about ransomware, which features prominently in the story of promotional company, Colorado Timberline.
This case happened just last year, with Promo Marketing Magazine reporting Colorado Timberline’s management announced closure,
citing a ransomware attack that happened earlier in the year.
In the Colorado Timberline incident, the ransomware got onto their systems and locked their files. This is often how ransomware campaigns play out. Unfortunately, the ransomware wasn’t the one where they could just pay and get their systems up and running. The company had to announce that they were closing abruptly due.
Poor
Key Management
In the cybersecurity world, digital keys are
incredibly important to online operations.
In a telling example that InfoWorld called “Murder in the Amazon Cloud,” Code Spaces, a company that hosted source
code repositories did the equivalent of leaving the keys in the car. When its
AWS control panel was compromised by an attacker who took S3 object storage
buckets and other key resources. Taking those pieces out of the puzzle led to
the company’s eventual demise.
Next
Steps
Did we miss any examples of cybersecurity breach bankruptcy? I’m sure we did. There were several cases we found where we suspected that a cybersecurity incident caused a company to go out of business. We didn’t opt to include a case where there wasn’t clear evidence that the breach was the main driver. Please send us a message about companies that we may have missed.
If you would like
help with your cybersecurity strategy or program, give Fractional
CISO a call for a complimentary
consultation. We can be reached at (617) 658- 3276 or by email at [email protected] .