Lessons from Cyber Breaches

By Gary R. Pannone

July 6, 2018

Ten years ago, the mention of a cyber security breach was a rarity. Today, reports of breach incidents are almost commonplace. Every time a breach occurs in a business, the potential for significant harm and financial loss is mind-numbing. In addition, when the victim of a breach is a business, the owner is often held liable, especially if it is determined that the business owner did not take appropriate preventive steps to protect customer data. There are at least three high-profile cybersecurity breaches in recent memory that offer lessons for those struggling with cybersecurity issues.

In 2017 we learned of the Equifax breach, which stands out for several reasons:

  • First—while not the largest breach in history, it affected the Social Security information of more individual Americans than any other breach, compromising data for potentially half the population.
  • Second—the breach was against an agency focused specifically on safeguarding its customers’ personal information.
  • Third—the news continues to get worse. The latest reports from Business Insider indicate that the reported number of victims has risen from 143 million to 146.6 million, and more than 56,000 victims had specifically sensitive documents leaked—like driver’s license numbers and passport information.

From a personal standpoint, the Equifax leak reminded all Americans of the importance of protecting credit information, prompting millions to freeze their credit. From a business standpoint, it reminds us that no company doing business online is completely immune to hacking, and that businesses must be ever diligent in monitoring and guarding the personal information of others.

Another massive breach offering “teaching moments” occurred in 2016 at Uber, the world’s dominant on-demand rideshare taxi service. Hackers broke into Uber’s servers and stole the personal information of 57 million users and 600,000 drivers. To make matters worse, the company attempted to cover up the breach by paying $100,000 in ransom money to the hackers, which was reported by the New York Times. In addition, the hackers were able to lift the data from the company’s GitHub account, a development platform that should never have been used to store people’s personal information. Uber didn’t admit the breach for almost a year.

The Uber fiasco serves as a case study in what not to do for businesses entrusted with people’s personal information. First, keep the information in a safe place; and second, if the data is compromised, don’t try to cover it up.

Easily one of the largest data breach events in history, if not the largest, is the Yahoo incident, which actually involved two separate hacks by different agencies (reportedly state-sponsored) in 2013 and 2014. Yahoo did not admit the incidents for several years. The initial report said 500 million users had been affected by the 2014 hack—already setting a record for its time. Later, the company revealed that an earlier breach had compromised the information of 1 billion users. By October 2017, Yahoo admitted the first breach had affected its entire user base—more than 3 billion people.

Since that time, Yahoo’s value has dropped considerably; once valued at more than $100 billion, the Internet part of the business was sold to Verizon for just under $4.5 billion. In April 2018, according to The Verge, the SEC fined Yahoo $35 million for the breach. Not only can a cybersecurity breach damage your customers—if you don’t manage the breach correctly, it can do serious damage to the value of your company, as well.

Disclaimer: This blog post is for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.
