The headline is increasingly common: hackers steal the personal information of millions of individuals from a financial institution or retailer. Commander Steve Head of the City of London Police, who is responsible for tackling fraud in England and Wales, has warned that there are not enough officers tackling the crime. He told the BBC that more police investigations into fraud were needed to combat the "huge" number of criminal networks behind it. The National Audit Office estimated that cybercrime cost the UK economy between £18bn and £24bn in 2012 alone.
The cybercrime spotlight was recently on eBay, which revealed that hackers had been able to access the accounts of its 233 million users worldwide. These included users’ names, addresses, dates of birth, telephone numbers, email addresses and passwords; all the necessary information to steal an individual’s identity. The theft is being termed the biggest cyber security breach in the world and its ramifications will, no doubt, be felt many months down the line.
This latest example of cyber theft is part of a growing trend in financial crime. Only a few months prior to the eBay attack, Target Corporation, a large US retailer, revealed that it had been a victim of cybercrime, with hackers stealing the credit and debit card details of around 40 million customers. Many people will also have heard of Heartbleed, an encryption bug that is reported to have remained undetected for almost two years and affected companies such as Amazon, Pinterest and Tumblr. Five individuals are also facing charges in America for the cyber theft of 160 million credit cards from a range of organisations including Nasdaq, Visa and JC Penney. Such stolen data can be sold to third parties, who will often use it to create counterfeit debit and credit cards or to steal individuals’ identities for other purposes. It is a crime that affects everyone from individuals to multinational corporations, and the last year has demonstrated that even the largest organisations, which one would assume to be the most sophisticated from an online security perspective, are vulnerable to data breaches that can lead to fraud and identity theft.
How is cyber theft perpetrated?
There are many ways in which cyber theft can be carried out and it is often not clear how the hackers gained access until an investigation is carried out. In eBay’s case, it has been reported that hackers were able to access its servers in late February/early March by gaining access to an employee’s login credentials and using the employee’s internal passwords to access and download the information.
In the Target case, how the fraud was perpetrated is still being investigated. It is believed that only cards used in store, rather than online, were affected, which has led commentators to believe that a weakness in Target’s point of sale systems was taken advantage of by sophisticated cyber criminals.
Cost of cyber theft
Cyber theft has a huge impact on the organisations that are targeted and the individuals whose personal information is stolen. From a business perspective, the reputational damage that can ensue should not be underestimated. When TJ Maxx’s parent company was hacked in 2007, the CEO was forced to resign and the company’s share value fell. eBay has faced extensive criticism over its delay in notifying users of the security breach. Several months had passed before eBay discovered the breach and it waited a further two weeks before informing its users. This delay may have been caused by the time legitimately taken to investigate the extent of the breach before reporting it but criticism has, nonetheless, been placed on eBay’s doorstep.
Not only do organisations that lose data suffer unquantifiable damage to their reputation, the cost of remedying the breach can run into millions. Target is reported to have offered its customers one year of free credit monitoring and identity-theft insurance, as well as discounting in-store prices by 10% to pull customers back in. Investment bank Jefferies LLC has estimated that Target may ultimately have to repay banks up to $1.1 billion for fraudulent transactions on the counterfeit cards that will inevitably be generated with the stolen data. Furthermore, millions will be spent on marketing to repair the damaged brand, not to mention the costs of investigating and remedying the breach itself, increasing online security, diverted management time and the impact of any regulatory issues and fines.
Cybercrime can paralyse an organisation for days, leading to further losses. In 2006 a disgruntled former UBS employee unleashed a “logic bomb” that brought down 2,000 computers across UBS's stockbroking unit and cost the company $3.1m to repair. Approximately 17,000 UBS brokers across the US were unable to trade shares for more than a day, costing the company even more in lost business, and vital files were lost as a result of the cyber-attack.
Prevention is better than cure
With all that in mind, it is clear that preventing cyber theft should be at the forefront of any organisation’s mind. Because cybercrime is constantly evolving, organisations must be dynamic and proactive in preventing it, particularly as limitations in police resources make public investigation of fraud increasingly challenging.
All organisations, no matter how small or large, are vulnerable to fraud and implementing a fraud prevention plan is key. A good fraud prevention plan should only be put in place after consideration has been given to the organisation’s fraud risks and areas of vulnerability. The plan must be implemented from the top down and should be communicated to all staff so that they are aware of the risks and know what to do if fraud is uncovered. This will involve training all employees to understand the fraud indicators and to reinforce specific responsibilities at each level of the organisation.
It is also important that organisations consider, as part of their fraud response plan, whether they would need to enlist companies that offer rapid clean-up and restoration of systems so that business can be resumed quickly.
You can’t win them all
The reality is that no matter how prepared an organisation is, it may still become a victim of cybercrime. Organised criminals based in other jurisdictions are often at the heart of cybercrime, and they are innovative when it comes to new ways to perpetrate fraud. Despite this, many organisations have no plan in place for how they would respond if they uncovered fraud. Being prepared for the discovery of fraud may save days of investigation time; a single additional day can be the difference between preventing further data loss and failing to, or between obtaining an injunction to retrieve the data and prevent the dissipation of fraudulently gained monies and seeing the perpetrators dissipate them.
There needs to be a clear chain of command, documents need to be preserved and the appropriate third parties contacted. In an age of financially motivated cybercrimes, every organisation should have sufficient business insurance coverage to recover any financial losses. Some organisations may find that having a fraud response plan in place reduces their insurance premiums because their insurer can have more confidence that the organisation will move quickly if fraud is uncovered and there is a better chance of recovery.
The learning process
Preventing and responding to cybercrime are both learning exercises. Policies, plans and procedures that are static will not work. They must be monitored and reviewed on a regular basis, because each organisation’s fraud risks will change and technology will evolve. Action should be taken if a fraud prevention or response plan becomes ineffective or a preventative or detective control is compromised. Just as your organisation evolves, so should your fraud prevention and response plans.
DWF’s Fraud and Risk Team has specific expertise in advising on fraud prevention and response plans, as well as recovering from cyber fraud.
This information is intended as a general discussion of the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.