Printed from BusinessInsurance.com

HACKING INCIDENT MOVES WEB SECURITY TO FRONT PAGE

Posted On: Sep. 20, 1998 12:00 AM CST

NEW YORK -- Businesses may learn several lessons from a recent breach of computer security that caused the New York Times to shut down its World Wide Web site for nine hours.

While no data was stolen and any business interruption loss was minimal, the break-in by computer hackers is a reminder that these incidents can occur, even with advanced security systems in place.

The incident also shows the need for constant review of computer security and perhaps buying insurance to transfer the liability risk that can arise from computer hacking.

"The fact that this happened to (the New York Times) will raise eyebrows that if it can happen to them, it can happen to anyone," said Frank Johns, managing director for Pinkerton Global Intelligence Services in Arlington, Va.

It is "a good example of how serious the problem is," he said of computer crime. "I don't know what security measures (the Times') Web site has, but if you just look at the quality of their Web site, I suspect it is state-of-the-art, and hackers still got in."

"The real bottom-line message is that it can happen to you. . . .No one's immune," agreed Dave Muckley, chief financial officer of Trident Data Systems, a Los Angeles-based information technology firm specializing in information protection.

On Sept. 13, a group calling itself HFG -- Hacking for Girlies -- commandeered the New York Times Web site, forcing the newspaper's electronic edition to shut down from about 10:20 a.m. EST to 7:40 p.m. EST.

The hackers took down the Times' home page and put up images of nude women and a diatribe criticizing the Times' past coverage of Kevin Mitnick. Mr. Mitnick is serving a prison sentence for a computer crime following his arrest by the Federal Bureau of Investigation in 1995; the hackers called for his release.

After a "tug of war" in which the Times' home page and the hackers' document appeared in succession, the New York Times took down its Web site to repair it off line, a spokeswoman said. While the site was back up later that night, some contents, including the New York Times electronic crossword puzzle and archives, were not available in the middle of last week. As of Friday, however, access had been restored.

The New York Times now is working with the FBI on its investigation into the break-in.

The spokeswoman declined to comment on any insurance arrangements or how the hackers might have gained access to the Web site. She did, however, describe the security as "state of the art" and said that the site's firewalls "were not penetrated or compromised" in any way. The Times' public site is on a server located outside its firewalls.

She said that while there are "certainly some technical lessons" to be learned from the break-in, the company is "very pleased" at how its crisis communications team responded to the incident.

Not only did everyone know whom to call after the break-in occurred and respond at once, but the paper also immediately took down its subscriber list, which contains e-mail addresses and encrypted credit card numbers, the spokeswoman said.

Observers familiar with the incident say that as employers rely more heavily on the Internet to disseminate information and to conduct electronic commerce, they need to constantly check their security measures.

Not only is the incident an indication that "it can happen to anybody," but it also should cause companies to examine their electronic security systems, said Steve Haase, chief executive officer of Network Risk Management Services Inc., an Atlanta-based wholesaler.

"Companies need to look at security as an ongoing process to reduce potential loss and to respond to potential vulnerabilities," Mr. Haase said. Any upgrade to software and hardware, for example, leads to new vulnerabilities and new security issues, he noted.

While the insurance market is still small, employers can obtain coverage now for such vulnerabilities, observers point out.

American International Group Inc., for example, last year introduced an Internet Security Liability product that addresses the liability exposures of employers that conduct business over the Internet.

The policy covers:

* Third-party losses resulting from the theft of credit card data over a policyholder's Web site, with limits up to $250,000.

* Personal injury claims, such as libel, slander and defamation of character, resulting from the electronic communication of information from, or unauthorized access to, a policyholder's Web site. This coverage has limits up to $1 million.

* Physical damage, including losses involving electronic data that arise from vandalism, computer viruses and other specific perils, as well as resulting business interruption. Limits on that coverage start at $50,000.

Earlier this month, Reliance Group Holdings Inc. also began offering a new Internet insurance product, designed to respond to third-party liability claims arising from failure to secure and manage access to data over a company's Web site.

The policy, called InsureTrust, is written on a non-admitted basis by Reliance Insurance Co. of Illinois and offered exclusively through wholesaler Network Risk Management Services. It has $10 million in capacity; the minimum premium is $5,000.

"Everyone's vulnerable," said Greg Gamble, vp of Reliance National Insurance Co. in New York. Even if an employer has the right technology and the right policies and procedures in place to secure an electronic business environment, there is still a potential for hackers to break into the system. That potential loss exposure gives rise to the need for insurance, Mr. Gamble said.

The insurance market for these types of risks "is a very small market that's about to go crazy," predicts Mr. Haase of Network Risk Management, which also acts as the wholesaler for AIG's Internet product. "I'm covered up with calls."

In addition to AIG and Reliance, several other insurers, especially in the surplus lines market, are offering, developing or exploring coverage for Internet businesses, including Steadfast Insurance Co. and Columbia Casualty Co. (BI, Sept. 7).