30th August 2022

Fallout from cyber attacks

Successful cyberattacks are affecting all types and sizes of organisations, seemingly at a greater and greater pace than ever before. But what are the effects of being a victim?

Fallout from cyber attacks

Impact of cyber attacks

The impact of a cyber attack depends on the extent and severity of the attack. Some cyberattacks overload the systems and prevent an organisation from using them, without actually breaching the defences.

In this case, the threat is financial through inability to trade:

  • Ability to access data without some or all of the ICT systems
  • Ability to continue operating without access to funds to make and receive payments

Impact of a data breach

Some attacks go further and successfully overcome the defences, leading to a breach
In the same way, the impacts of a data breach depends on the type and severity of the attack.

In general terms, though, the main risks are:

  • Attackers changing account details and taking control away from the victims, commonly leading to actual or threat of theft
  • Attackers gaining access to user accounts (directly or via usernames and passwords) for other services and impersonating the victims
  • Attackers leveraging one breach to be able to gain access to another, linked organisation
  • Impact of having stolen data made public - staff personal details, financial details, third parties, etc
  • Reputational damage and subsequent impact on operations
  • Possible legal action from external agencies who have actually or possibly been put at risk

Different types and effects of cyber attacks & data breaches on society

Reputational risks and damage from cyber attack

The reputational damage for the victim of a successful attack can vary widely. For smaller organisations, the reputational losses are generally secondary to the challenge of continued operation. Commonly, operators in this space understand the risks and do not have the resources to defend on every front, and understand when an event occurs. While other operators tend to distance themselves at the time, the long-term reputational risk is often fairly minimal.

For larger organisations, i.e. those who undertake significant PR activities, the reputational damage can be a bigger challenge than dealing with the attack itself. Larger organisations have a proportionate presence on the world stage, the stakes are higher, a breach is bigger news, and affects so many more organisations. The subsequent investigations and findings are very public and can drag on for some time. Managing communications and operations under such scrutiny can become a significant undertaking and have implications lasting for a considerable time.

Data breach reputation damage examples

Sony Pictures was hacked in 2014. Data was made public concerning actor compensation, and there were exposures of email including racially insensitive comments from the top levels of the organisation. Job losses and settlement payments followed, and production plans were derailed.

American retailer Target was the subject of a data breach where 40 million credit card details were stolen. The source of the breach was one of their supplier organisations who themselves were breached and held network credentials for Target's systems.

Vision Direct were victims of a hacker who stole over 6,000 credit card details. In this case, the reputational damage was made worse because there were claims that the CVV codes had also been stored against regulation guidelines.

Issues of data breach & cyber attacks

Cyber attack & data breach legal issues

There are two main pieces of legislation that may affect organisations in the UK. The first is the ICO, to whom the victim is required to report an actual breach. The second piece of legislation if data has been compromised is GDPR, which governs the data held and associated control measures the victim had at the time of the breach.

Although there is no general legal directive, it's also likely you'll need to inform the Police, your insurers and your bank; you'll also need to communicate with staff and other third parties at various stages of the follow-up.

Cyber attack security issues

Most incident response plans are designed to identify and then contain the attack. During this phase security is tightened as far as possible to stop the attack from continuing. This can lead to loss of service for some or all parties, including staff. The security teams will need to understand how the breach happened and examine their protection measures to ensure a further attack is not possible. Once such measures are in place and the recovery systems are deployed and connected, security can be gradually relaxed and normal operations can resume.

This period of loss of service can be critical. Minimising the impact of this phase of the recovery is one of the main aims of the Intrusion Response plan.

 

Social and ethical issues of data breaches

The main social issue relating to a data breach is that of exposure of personal information for public examination, particularly on data presented on forums designed to appeal to other criminals looking for victims to exploit. The GDPR regulations provide rules for organisations regarding the types and amounts of data that can be held, with the goal of ensuring control of an individual's data remains with the individual.

Cyber attack punishment

The main punishment from the attack are the potential financial, operational and reputational losses from the attack. However, failure to comply with rules regarding required actions can add to the impact. Rules can be imposed by the legislature, banks, insurers, professional bodies, investors, other organisations.

Types of Impacts of data breach

The following sections describe the impacts of a successful attack on various groups related to the victim.

Impact of data breach on employees

Employees of the victim may have their personal details stolen by the attacker and perhaps exposed publicly. Employee information is likely to contain details including banking information, performance, salaries, personal details including next of kin, and so forth. Information on employees is characterised as being narrow and deep - there are not so many employees but the information on each is very detailed. Such information may be used by criminals to create a convincing impersonation of the employee to engineer very sophisticated attacks on the employee or people they know.

Impact of data breach on individuals

As part of dealings with the victim, information about individuals may be requested and retained. Such individuals may have this information stolen and subsequently exposed. Information on individuals is characterised as being wide and shallow - details on any individual is not very detailed but can cover a lot of individuals. Such information may not itself be sufficient for a successful onward attack, but may be useful to criminals who can combine several sets of such information together in a subsequent attack on the individual or their contacts.

Impact of data breach on companies

Similar to the data on individuals, data on other companies associated with the victim is generally wide and shallow. And again, such data may be combined with other such sets of data to construct a detailed profile of another company in preparation for a targeted attack.

In addition, there may be impact on other companies through reputational damage of potential or actual association with the victim. Such impact may be direct loss of business, credit, credibility, professional membership or even inability to conduct business in specific markets.

Impact of data breach on customers

Data on customers is generally narrower and deeper. Such information may be used to directly target those customers or to put additional pressure on the victim.

Customers may very well decide to cease trading with the victim, from a fear of losses to their own business. Again, it may lead to loss of business, credit, credibility, professional membership or even inability to conduct business in specific markets.

Impact of data breach on shareholders

Shareholders of the victim may have their personal details stolen by the attacker and perhaps exposed publicly. Similar to employee information, it is likely to contain extensive details of the shareholder and their dealings with the victim organisation.

Shareholders often have relationships with other organisations or other shareholders. As such, they may suffer from the reputational damage in much the same way as organisations described previously.