Do Data Breaches Permanently Affect Business Reputations?
Hint: Ashley Madison, Equifax and Uber Are Thriving
Massive data breaches make headlines, trigger stock price slips and often lead to executives getting fired. Some companies, however, not only recover from breaches, but end up thriving after the dust settles, says Eric Pinkerton, regional director for Sydney-based information security consultancy Hivint.
Pinkerton, who spoke at the AusCERT security conference at the Gold Coast in Queensland, Australia, on Thursday, has researched how breaches affect everything from organizations' stock price and reputation to long-term performance. He examined some of the most egregious and well-publicized breaches over the past few years, including Ashley Madison, Equifax and HackingTeam.
His conclusion: A breach is not necessarily a death knell for a company, although it can lead to harsh consequences for those at the helm. To be sure, breaches can also be an expensive mess, from contracting with incident response services to tangling with regulators and dealing with class-action suits. But some companies also appear to have benefited from the bad publicity, which eventually allowed them to change the narrative over the long term.
Here are Pinkerton's takeaways from five prominent data breaches that he studied.
HBGary Federal
HBGary Federal, which provided security-related services to the U.S. government, was struck by hackers associated with Anonymous in 2011. HBGary Federal's CEO, Aaron Barr, had planned to expose the identities of some of the collective's members at a security conference.
Anonymous responded by doxing him and then releasing tens of thousands of emails exposing the inner workings of the company. Still, the hack didn't prove fatal. A separate but related company, HBGary, was acquired in 2012 by ManTech International. Pinkerton says the hacking incident generated free publicity for HBGary.
HackingTeam
The Italian company HackingTeam, which specializes in interception tools for governments, saw its source code, internal documents, customer lists and more get dumped in 2015. The breach was embarrassing, and critics alleged the documents showed the company was selling its wares to countries with poor human rights records.
Despite the leak, Pinkerton says, "they got awesome free publicity, and they were back up and running and advertising the fact that they were better and stronger the second time around."
Uber
Uber paid $100,000 to a Florida man who promised to delete information pertaining to 57 million of its riders and drivers worldwide that he obtained around October 2016. Uber didn't disclose the breach until a year later and subsequently admitted it had been held for ransom, but inaccurately positioned the payment as a bug bounty.
Pinkerton says Uber is a private company, so there was no stock impact. But its CSO, Joe Sullivan, was fired. When the breach disclosure was announced, Uber was already mired in other confrontations, such as over drivers' compensation, that could have overshadowed the breach and impacted the company's reputation.
But six months after the disclosure, Uber still appears to be doing "fantastically well," Pinkerton says. "I don't think the hack was that big of a deal for them."
Avid Life Media/Ashley Madison
The hack in 2015 of Ashley Madison, a dating service for married people, was one of the most sensitive breaches in history. It exposed millions of names, email addresses and personal information of those who had registered for the site. Some of the dumped data also raised questions about whether the service had been stocked with bogus profiles (see No Surprise: Ashley Madison Breach Triggers Lawsuits).
After the breach, Avid Life Media, parent company of Ashley Madison, rebranded itself as Ruby. It eventually settled a class-action lawsuit for $11.2 million, which was a fraction of what plaintiffs sought. Last year, meanwhile, an audit by EY indicated the service was adding 15,000 new users per day, Pinkerton says.
Although Avid Life Media CEO Noel Biderman eventually left in the aftermath of the breach, the company "is now doing far better than it ever was," and is on track for an IPO, Pinkerton says (see Post-Breach Affair: Ashley Madison's $11.2 Million Offer).
Equifax
Equifax's breach stands as one of the largest known data breaches in history. Attackers exploited an unpatched software flaw in Equifax's infrastructure to steal personal information on 147.9 million U.S. consumers, plus tens of thousands of others in the U.K. and Canada (see Was the Equifax Breach Preventable?).
The fallout from the breach led to the departure of the company's CEO, CIO and CSO, and the ex-CEO was later called to testify about the debacle before Congress. On the day following the initial breach disclosure, Equifax's stock also plummeted by 35 percent.
Equifax, however, remains in business. In March, the company reported fourth quarter 2017 revenue of $838.5 million, up from $801 million the year before, beating analysts' predictions.
The company's stock price plunged from $147 per share to $90 after the breach, but it has averaged about $120 in recent months. In other words, Equifax's stock price has suffered.
"Here is the best palpable evidence that a breach of this magnitude does affect the share price," Pinkerton says. "However, this is a real earth-shattering breach."
Furthermore, previous breaches suggest that the dip in Equifax's share price won't be permanent.
Lessons Learned: How To Prepare
Pinkerton says organizations can and should prepare in advance for the reputational consequences that come as a result of suffering a data breach.
An important point is to be sure an organization is in a "defensible" position prior to a breach. For example, finding out in hindsight that anti-virus software wasn't installed on an endpoint that got hacked is not a defensible position, Pinkerton says.
He also describes two flavors of reputation: one for executives who are on the firing line following an incident, and one for the organization. Pinkerton says that while the two are linked, planning for reputational damage should take into account what executives may endure and how they may react.
"Find out their exposure and what their motivations are likely to be so you can get in front of that," Pinkerton says.
Choosing to fire people following a breach may not be an easy solution or solve underlying problems that desperately require fixing, Pinkerton adds. Indeed, his study of breaches has found that companies that suffer a data breach often make dramatic improvements to their overall information security posture, which arguably makes them a better, more reliable organization with which to do business.
"If you want a secure company today, find a company that was hacked last month," Pinkerton says.