In less than 90 days, the news surrounding three major computer security breaches have sent a definite chill through the technology world. Even more troubling is that they reveal major holes in an increasingly leaky dike and no one has any confidence that these and other breaches won’t happen again.
In February, word leaked out that a provider of board portal services for over 300 NASDAQ companies had been hacked. Data involving sensitive company board information had been illegally accessed for over a year, an astounding admission for a company whose webpage goes on at great length about the depth of its protection against hackers.
In early April, documents filed in Federal District Court in Virginia showed that a former State Department contractor had pleaded guilty to illegally accessing a database with personal information, including Social Security numbers, of 250,000 federal workers. That hack wasn’t especially challenging. The contractor in this case simply took an office laptop home and dialed into the database directly.
More recently, consumer products giant Sony has been dealing with the fallout of a breach in its PlayStation network. Personal information including names, addresses, phone numbers, birth dates and passwords for 77 million customer accounts were exposed. This breach has forced Sony to shut down its lucrative network and triggered a Congressional investigation.
In the past, hacks of stored information were often found to be the work of pimply-faced teenagers wired on Red Bull who were “joyriding” on the Web. But the NASDAQ and Sony breaches reveal a more troubling side where the hackers knew the information they wanted and built sophisticated tools to quietly get it. An analysis of the NASDAQ breach revealed Trojan horse programs that could send sensitive data back to the criminals on command.
This column recently contacted the IT manager of a large technology company in Silicon Valley. He said that when news filtered out about what had happened at NASDAQ, he was summoned to a meeting with his firm’s board of directors and grilled for nearly two hours about security controls for a portal service (not NASDAQ’s) they use for sensitive board documents.
He confided that he frankly had never paid much attention to security controls for these kinds of portals, because he figured their protections were as good as anything he would use. In light of recent events, he’s paying a lot more attention to them now.
The NASDAQ breach raises the stakes in the cybersecurity game. It’s one thing to steal a few credit card numbers. It’s quite another to gain access to highly confidential company board documents over an extended period of time. The impact on investor trust and the stock market can be highly damaging, which is why the IT manager took the time to audit his portal service and ensure that enough security controls were in place. He also ordered a complete security scan of any corporate databases where board-level documents were kept. And then he finally got a good night’s sleep….for now.