Ashley Madison hack highlights cyber extortion risksReprints
A recent cyberattack by hackers into the Ashley Madison website brings a new threat to businesses that store client data: Ransom demands.
“Having the data stolen and (the threat of it being) disclosed is what's behind cyber extortion,” said Jody Westby, CEO of Washington, D.C.-based Global Cyber Risk L.L.C. “It's 'pay us, and we will give the data back,' and they (the extortionists) keep their word.”
The website for married men and women looking to have affairs was hacked by vigilantes who demanded the site be taken down or they would publish the private information of the members, according to July 15 news reports. A month after that, a reported 9.7 gigabytes of private data from more than 33 million members of the website had been published. Hackers have a good track record for following through, typically returning the data and not publishing it once their demands are met. In the Ashley Madison case the hackers did not get what they wanted, resulting in the publishing of the hacked information.
At least three lawsuits seeking $760 million in damages have been filed against Ashley Madison and Toronto-based Avid Life Media Inc., the parent company of the hacked website, by anonymous plaintiffs. Avid Life Media is offering a $500,000 Canadian ($378,750) reward to anyone who provides information that leads to the identification, arrest and conviction of the person or persons responsible for the theft of proprietary data, Avid Life Media said Aug. 24 in a statement.
Insurance coverage critical
Although companies are acutely aware of the risks to their clients' data, there still is not a reliable way to prevent a hack. So having insurance is one way a company can protect itself, experts say.
“There are cyber extortion or cyber ransom attacks that are becoming more common. Companies are willing to pay money to get this data back and not have it disclosed because they realize the consequences,” Ms. Westby said. In a KPMG L.L.P. health care cyber security survey released Wednesday, eighty-one percent of 223 polled health care executives say that their organizations have been compromised by at least one malware, botnet, or other cyber-attack during the past two years, and only half feel that they are adequately prepared in preventing attacks, according to the Toronto-based KPMG survey.
However, many companies are still underinsured for cyber attacks. In a January 2015 press release by KPMG, 74% of senior information security professionals whose organizations are members of KPMG's International Information Integrity Institute (I-4) stated in a survey that their businesses had no cyber insurance in place, yet 79% said they believe cyber security threats are likely to increase over the next 12 months. The biggest reason given for not purchasing cyber insurance, cited by 48% of respondents, was because they did not believe the policies would pay out on a claim. “Of the information security professionals we spoke to, 30% believed the market for cyber insurance does not appear to be sufficiently mature yet,” said Mark Waghorne, head of KPMG's International Information Integrity Institute. “Insurers will need to deliver more comprehensive packages in order to convince the business community that they can and will protect against losses on cyber crime. However, recent discussions during a later debate at the most recent I-4 Forum showed that the availability of specialist, focused cyber-related insurance has much improved during the past year with clear evidence that carriers do pay out, indicating that those organizations which have avoided cyber insurance in the past should perhaps revisit their positions.”