Performanta

April's most interesting security news: How much will that hack cost?



Calling cybercrime a disease is inaccurate. Diseases usually have clear diagnoses and remedies, with a good sense of the cost involved. As long as they are not fatal, most diseases require some medicine and rest, and you should be back on your feet soon.

 

But that's not a cyberattack. It's difficult to determine how much a successful breach will ultimately cost in money, productivity, and brand damage, and the road to recovery can be very uncertain. A cyberattack is more like a heart attack: sudden, devastating, expensive, and it can permanently weaken the victim—even kill them.

 

When you are unprepared, a cyberattack's impact can be very expensive, and even insurance coverage may not be enough.

 

The cost of a breach? How about $1 billion?

Many studies attempt to pin a value on cyberattacks, usually producing staggering numbers in the millions of dollars. But even these hefty sums might be conservative. When MGM Resorts suffered a breach late last year, it cost the entertainment group more than $100 million to fix. But at least they didn't pay a ransom. Change Healthcare, a US-based health provider, conceded to a $22 million demand from a ransomware gang. Yet, this turned out to be a pittance.

 

The group's parent company, UnitedHealth, has since revealed that the overall fallout from the breach is headed towards $900 million, excluding other costs such as advances and loans to impacted partners. In total, the company expects to write off over $1 billion due to the attack—and some of its data is still being held ransom.

 

Most cyber insurance coverage falls short

According to a new report, around 80 percent of companies with cybersecurity insurance do not have sufficient coverage. Using data from various sources, the Inadequacies in Breach Insurance Coverage study claims that most organisations' policies average a 350 percent gap, which equates to only 25 percent incident coverage. Some of the worst examples had gaps of 3,000 percent.

 

Interestingly, 'low tech' industries such as accommodation, food services, construction, transportation, and warehousing often have the best coverage, while finance, insurance, information, and manufacturing have the biggest gaps. The study's authors urged companies to invest more in cyber risk quantification (CRQ).

 

Decade-old virus discovered in Ukraine

Generally speaking, there are two types of exploits in the cybercrime world: unknown zero-day flaws that criminals exploit in secret, and known malware fixed through detection and patches. It's rare to discover a relatively unsophisticated virus that has been lurking around for several years without anyone discovering it. Yet, that's exactly what Cisco researchers uncovered. When they tracked the source of infected Word documents, they discovered a previously unknown ten-year-old virus.

 

The OfflRouter virus only infected a limited number of companies in Ukraine, yet it has gotten away with this since 2014. Why was it not detected sooner? The researchers say it's a curious combination: the malware's unconventional design has helped it evade detection, and the coder responsible was inexperienced, making design mistakes that likely limited OfflRouter's spread. This incident is a reminder that advanced threat detection systems are crucial because they track malicious behaviours and not just signatures identifying known attack methods.

 

Ex-Amazon engineer sentenced to three years for hack

Many cybercriminals, particularly those shielded by nation-states such as Russia, Iran and China, operate with impunity and little fear of criminal prosecution. However, there are still frequent wins for law enforcement, and cybercriminals in law-respecting countries can expect harsh penalties. This is the case for US-based Shakeeb Ahmed, a senior cybersecurity engineer recently sentenced to 3 years in jail for stealing $12 million in cryptocurrency.

 

The former Amazon employee had hacked two different finance groups. One closed down due to the losses. He approached the other with a deal to return the stolen funds, minus a finder's fee for his effort, on condition that the victims wouldn't contact the authorities, a common tactic in crypto heists. But his extortion backfired, and Ahmed was arrested and prosecuted, a signal that cybercrime does not always pay, nor is it a victimless crime.
