Last year, it was Target. The discount retailer was hacked, resulting in the theft of credit and debit card data from 70 million accounts, and a whole lot of negative publicity.
Then a few days ago, news hit of a hack of Sony Pictures Entertainment that has the international company reeling. Only this time, it wasn’t money being stolen. Hackers have leaked everything from embarrassing emails to financial documents to employees’ personal information.
We’ve got a new holiday tradition, and it has me a bit alarmed.
For Target, damage control has proven costly. More than 90 lawsuits were filed (as of March) by customers and banks for negligence and compensatory damages. And that’s on top of other costs, which analysts estimated in the billions.
But perhaps the worst part is that it was avoidable. In fact, the biggest retail hack in US history “wasn’t particularly inventive, nor did it appear destined for success,” according to Business Week, which reported that in the days leading up to Thanksgiving 2013, malware was installed in Target’s security and payments system. “At the critical moment — when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe — the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.”
Clearly, when it came to protecting customer data, Target missed the mark. And although the company appears to be turning the corner, it still bears battle wounds, as evidenced in the 16 percent slide in first-quarter profit, and the firing of longtime CEO Gregg Steinhafel. It took a huge scandal to force leadership to realize the importance of data security.
For Sony, the repercussions could be far worse.
While it’s the “sensitive” internal emails that have grabbed most of the headlines, the hackers in this particular case have leaked confidential marketing materials, proprietary Sony financial data, employee social security numbers, and other forms of sensitive info. And they didn’t even have to dig that far before hitting gold.
According to Gawker.com, which is providing round-the-clock coverage, Sony stored personal passwords in bulk in unprotected text documents, using titles like “Master Password Sheet.” Sneaky, right? Some of those documents are tied to financial accounts like American Express, while others enable access to corporate voicemail accounts or internal servers, and come conveniently paired with full names, addresses, phone numbers, and emails.
Oh, and Sony was hacked earlier this year, something they never disclosed.
Just how bad is it?
“Awful,” said a security researcher who spoke with Gawker. But if you think Sony is the only large organization guilty of sins like plaintext passwords, think again. “It’s pretty common” for older software shops to rely on a firewall to save them. “Why bother having locks on the doors at all?”
Well, Sony didn’t. And now leadership has been completely exposed — not just for being careless about security, but for the extremely unprofessional way in which its executives speak with each other, and about their talent (not to mention the President of the US, who isn’t even above their cutting, insensitive remarks).
One lawsuit has already been filed, and I believe it’s just the tip of the iceberg. Sony is staring down a public relations nightmare, one that could take years — and billions of dollars — to fix, and it could have been prevented.
The lesson here is simple. As John Halamka stated in yesterday’s HIT Policy Update webinar, “we need to make sure healthcare is not the next Sony.”
Because, as we all know, it’s already quite a popular target.