Sunday, May 15, 2011

The responsibility for Information Security rests with the Company’s Senior Management: A case study on Epsilon and Sony PSN

Note: This article is also available in Spanish.

During the last month, two historic information security breaches occurred: the theft of personal information from Epsilon and from the Sony PlayStation Network (PSN).

Epsilon, an on-line (e-mail) marketing company, suffered an attack on the 1st of April in which personal information (including full names, e-mail addresses and preferences) belonging to about 2% of its roughly 2,500 corporate clients was extracted. This doesn't sound like much, but that 2% amounts to around 50 companies recognized worldwide, such as Ameriprise Financial, Barclays Bank of Delaware, Best Buy, Capital One, Chase, Citigroup, Disney Destinations, JPMorgan Chase, Marks and Spencer, Marriott and TD Ameritrade, among others. The exact number of stolen records is not known, but considering that Epsilon sends out approximately 40 billion e-mails per year, the number of affected records could be very high.

On the other hand, we have the Sony PSN case. On the 20th of April, Sony's on-line entertainment network, which allows users to play games on-line, watch movies and TV shows and access exclusive content, went off-line and entered maintenance mode. On April 26th Sony announced that personal information belonging to 78 million users had been extracted from its servers, making this one of the biggest information thefts in history. The stolen information included: full name, full address (city, state/province, zip code and country), e-mail address, date of birth, PSN username and password, and credit card numbers.

The ramifications of both incidents form an excellent case study of what can happen when an attack succeeds. Below I list some of the key risks that the Companies mentioned above are facing (or may face).

What are the risks that these Companies are facing?

  • Non-compliance fines: There are laws that companies must meet which establish the mechanisms required to protect stored personal information. As an example, Argentina has Law Nº 25.326 on Personal Data Protection, while the US has the Privacy Act of 1974 (protection of personal information held by federal agencies), the Gramm-Leach-Bliley Act (protection of financial data) and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (protection of personal health information). An incident involving the theft of personal information can trigger an investigation by the regulator of each affected country (each country has its own laws and regulations) to verify whether the Company was in compliance with the applicable rules and, if it was not, to apply the corresponding fines.
  • Lawsuits: Affected third parties, such as Sony PSN users, are already filing negligence lawsuits against the Company. In Epsilon's case, the affected customers could sue the Company for damages resulting from the incident (remember that Epsilon's affected customers were other Companies and, through them, their customers).
  • Collateral damage: In the Sony case, it is estimated that the credit card information theft could cost the card issuers 300 million USD just to replace the cards (a cost that Sony will be expected to bear). In the Epsilon case, it is estimated that each affected client will face a cost of 5.5 million USD in lawsuits, settlements, lost clients, lost revenue, etc.
  • Government investigations: In both cases, the US Government opened a public investigation into the Companies. For the Sony PSN case, the Governments of the United Kingdom and Hong Kong are also investigating the incident. In the US, the House of Representatives demanded explanations from Sony about the incident and the steps it will take to protect the affected customers. With regard to the Epsilon case, the US Attorney General was asked to investigate the Company for possible civil and criminal liability.
  • Financial effects: Both Companies suffered a drop of between 2 and 5 percent in their share price. Furthermore, the total cost of the breach is estimated at around 24 billion USD for Sony and 4 billion USD for Epsilon.
  • Loss of image and trust: There is no doubt that both Companies suffered significant damage to their image. Sony is the more affected, however, because of the way it handled the incident and the impact on the PSN mission (remember that the PSN is still off-line). What hurt Sony most is the loss of its customers' trust: even though most of them just want the PSN back on-line, they state that they will not put their personal data in Sony's hands again. With regard to Epsilon, the estimated 4 billion USD cost of the breach already includes the expected loss of customers.
  • Information selling: The extracted information could be sold to the Companies' competitors, resulting in future losses.

What are the risks that affected users/customers face for the information breach? 

  • Phishing / spear-phishing attacks: The information extracted from Epsilon has already been used in phishing attacks, and this is just the beginning. The same could happen with the Sony data.
  • Identity theft: With the data extracted from Sony, identity theft attacks against PSN users could be carried out. Even though the stolen data did not contain social security numbers, it was still a lot of information and an attack of this type could be executed. Moreover, attackers could launch social engineering attacks to obtain the missing data.
  • Access to on-line applications: The information stolen from both Epsilon and Sony could be used by attackers to gain access to on-line applications such as eBay, Gmail, Amazon, PayPal and others by trial and error. Why? Since most users reuse the same e-mail address, and often the same password, across different on-line applications, attackers can try the stolen credentials directly or guess the passwords (remember that they hold a lot of personal information, which makes password guessing much easier).
  • Credit card fraud and cloning: In Sony's case, where the attackers obtained credit card numbers, the Company asked the affected customers to check their card statements periodically or have the cards replaced, because attackers could use those numbers for on-line transactions or to clone the cards. According to Sony, however, the probability of this is very low because the credit card numbers were encrypted. That assurance depends on the encryption keys not having been exposed along with the data: encryption at rest only protects data whose keys the attacker could not also reach.

Why does the responsibility for Information Security rest with the Company's Senior Management?

Senior Management is responsible for becoming acquainted with all the risks that could affect the Company's mission. This means identifying the risks to the confidentiality, integrity and availability of the information and systems the Company needs in order to provide its services, and performing an exhaustive risk analysis to detect, quantify and prioritize them. This is known as due diligence.

Once Management knows which risks could affect the Company's mission, it must implement the corresponding safeguards to mitigate them. This is known as due care.

If Senior Management does not exercise due diligence and due care, then in the event of a successful attack (such as those suffered by Sony and Epsilon) the Company can be held liable for not having taken the proper measures to prevent it.

By Agustin Chernitsky
