Another week goes by, seven full rotations of the earth, and another eventful week in the cyberverse. Each week we bring you three of the top cyber security stories bubbling to the surface during the week. Sometimes themes emerge and lessons are learned. This past week, those stories have a banking theme and some important cyber security reminders.
As long as there have been banks there have been robbers–train heists, getaway cars, and armed assaults were the tools of the trade. Today, while live robberies and police chases still happen, things have, overall, taken a decidedly digital turn. Since Fort Knox might be empty and the alternative currency market growing, money has become less about dollars and “O”s and more about ones and zeros…a digitally supported exchange of…something, backed by… confidence alone, perhaps.
Disrupting financial markets and robbery alike then become more about data secured and cyber breach, more about upsetting confidence and less about packing a 9mm. We’ll take a look at three angles on the financial market that have taken a hit.
Hit One: Accounting
As long as there has been or will be money of some kind, there will probably be accountants to quantify it. Arguably the biggest accounting firm in the world, Deloitte, reported a recent data breach. Considering their business includes a security sector, on top of the security of funds in auditing, tax, tax advisory and risk assessment, and that they even specifically offer cyber risk services, you’d think they’d be pretty well protected against a data breach. Perhaps they were “well protected,” just not well enough.
News of the breach first broke on September 25th, but hackers had access to internal email systems as far back October or November 2016. Deloitte knew of the data breach as early as March of this year. In those months since the beach became known, only a handful of Deloitte’s most senior partners and lawyers were informed (presumably their PR-crisis response team as well).
Though the firm is US-based, the UK paper The Guardian broke the story, reporting that, “The hacker compromised the firm’s global email server through an ‘administrator’s account’ that, in theory, gave them privileged, unrestricted ‘access to all areas.’”
Like so many other companies, Deloitte had moved to a cloud-based system, Azure cloud service (a Microsoft platform). Cloud storage offers incredible convenience but may pose additional security risks. The breach at Deloitte involved cloud access through an account that had not enabled 2FA. (For years, we’ve been advising clients that 2FA, 2-factor authentication, is essential, particularly to cloud storage security. Check out this post from 2015).
An administrator failing to have additional authentication measures in place seems like a rookie mistake. In a statement, Deloitte said, “Only very few clients were impacted [and] no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.” Yet an anonymous source leaked to KrebsOnSecurity that, “It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”
What impact does such a leak really have on banking? We can’t honestly say for sure, but given the potentialities, it deserves more attention than a “sweep under the rug.” Email data at a firm like Deloitte could contain:
- Industry data, provided to accounting firms, not even reported to investors
- Speculation and advisory data that could be used for an equivalent of “insider trading”
- The kind of inside scoop that fuels industrial espionage
- Security measure discussion that could open the door to further data breach
The list could go on and on. Often, email is the most sensitive data available, since it may include fact and information, but also insight and intellectual property. With such a concerted effort to contain the scope and content of this breach, we may never know the financial impact. That’s high-stakes, high-scale robbery.
Hit 2: Regulators
Speaking of sensitive data, another way to undermine the function of a market would be to hit the regulators. Somebody has. The very organization trusted to protect investors, suffered a data breach…one that may already have had an impact on global markets, but we wouldn’t necessarily know it.
The US Securities and Exchange Commission (SEC) is the government-backed, independent regulatory agency created by the US Congress to maintain order in a market full of competitors (such as NASDAQ and the New York Stock Exchange, as well as thousands of publicly traded companies), a hit to the SEC could be motivated by one of two things:
- Purely driven by financial gain
- Designed to undermine faith in the pillars of the American economy
(Though, of course, either, could have an impact on the second). Since IPO’s and the number of publicly traded companies, two important indicators of faith in capitalism, have both been on the decline (not to mention that recent Equifax major data breach), the SEC announcement seems like particularly poor timing for the future of public markets.
The breach was aimed at the SEC’s EDGAR (Electronic Data Gathering, Analysis, and Retrieval system). While much of what gets filed and indexed on EDGAR is both publicly available and not particularly interesting, the data breach may have led to the infiltration of more crucial data, such as:
- Internal accounting and assessment data
- Personnel proceedings, such as a planned CEO change
- Potential trades and offers
If you think such speculatory data would have no impact on a market, think again. The SEC is currently pursuing a lawsuit against a fraudulent EDGAR report that temporarily caused an increased spike in the price of Fitbit stock. That’s a major part of the SEC’s job: investigate insider trading or other market disruptions. Who knows how many specific pieces of data could be used to alter market outcome from this EDGAR breach.
Given that role, of course security is a major concern at the security exchange commission. More than two years ago, after a study of potential security risks (led by the US Government Accountability Office) found flaws and issued at least 58 recommendations for improvement to the SEC. In July of this year, an update was issued that claimed at least 47 of those flaws have been addressed and “resolved.”
Yet, despite such attention to cyber security, this EDGAR breach may have lasted for months, with an unknown quantity of data leaked. Maybe we’ll read the contents someday on WikiLeaks, like the DNC data breach.
Hit 3: Retail
Nothing symbolizes capitalism quite like retail consumerism. So when a major chain suffers a nearly year-long infiltration of their POS (point of sale) system, it tends to make headlines. Brooks Brothers issued a statement of impact on US and Puerto Rican stores, stating “Based upon an extensive forensic investigation, it appears that an unauthorized individual was able to gain access to and install malicious software designed to capture credit card payment information on some of our payment processing systems at our retail and outlet locations.”
The statement included a link to see which locations were affected. The stolen data included names, account numbers, expiration dates and card verification numbers. Brooks Brothers was quick to assure customers that physical addresses and social security numbers of customers were not stolen.
The added retail security features of PIN numbers or EMV chip cards help protect against such breaches, but they cannot protect reputation. When a major retail chain such as Brooks Brothers takes a hit, the subsequent impact on both the chain individually and the retail market as a whole jeopardizes a pillar of capitalism. Of course, beyond just a monetary desire to obtain credit card numbers for personal gain, the Brooks Brothers POS breach may have been driven by a plan to cause a market upset.
Learn from Others
Despite these major attacks on pillars of capitalism, the global economy lumbers on. In some ways, people may have grown numb to cyber security news, overwhelmed by the sheer volume. Yet data breach security, backed by the combined forces of cutting-edge analytics and human intelligence, can protect against these and other attacks. It just might rest on the shoulders of each organization to protect themselves.
Until next week, enjoy the headlines, but stay out of them.