Security loves simplicity; yet security itself is a complex ecosystem made up of several types of security controls. This post, the first in a security-related blog series, discusses the importance of cybersecurity capabilities, the absence of which can lead to incidents severe enough to endanger business processes and the achievement of business goals. To support this claim, the post presents a few examples of incidents and their business effects, showing that security is not just a compliance issue; in other words, being compliant is often not enough.
Compliance is necessary but not enough
In recent decades, rapid technological progress and increasing digitization have created a fast-growing dependence on information and communication technology (ICT) services, which in turn demands an appropriate level of organizational cybersecurity capability. Recognizing the economic importance of cyberspace, the European Union (EU) placed the Digital Single Market on an equal footing with its other priorities and made it a foundation of the economy [1]. As a consequence, more and more compliance obligations apply to more and more entities, not only in the European Union [2] but worldwide. Focusing on the EU, a few central measures regulate specific sectors or even broader sets of entities; the most important ones are outlined below.
In the Digital Single Market and in online government services, trust services play a significant role; the eIDAS Regulation [3] governs electronic identification, authentication, and trust services for electronic transactions. The Payment Services Directive 2 (PSD2) [4] promotes the development of digital financial services and supports the entry of new service providers into financial markets. PSD2 allows licensed third-party providers to access customers' online payment accounts and data on the customers' behalf, and for that reason it prescribes security objectives, such as strong customer authentication and secure communication, for the companies it covers. Furthermore, the proposed Digital Operational Resilience Act (DORA) [5] aims to set uniform ICT risk management requirements for financial-sector companies and for the critical third parties that provide ICT services to them, such as cloud providers.
For a broader set of regulated entities, and in recognition that the processing of personal data was under-regulated while technology and both the quality and the quantity of personal data processing had changed, the General Data Protection Regulation (GDPR) [6] was adopted in 2016 and has applied since May 2018. GDPR, however, looks at security from the privacy viewpoint: it imposes numerous tasks and obligations for data privacy and data protection, but it states security obligations only at a very high level, requiring "appropriate technical and organisational measures" without prescribing specific controls.
In the same year, the Directive on security of network and information systems (NIS Directive) [7] entered into force. It was a critical milestone because it brought cybersecurity closer to the critical infrastructure protection defined earlier [8], raising the security level of any asset, system, or part thereof located in a Member State that is essential for maintaining vital societal functions, health, safety, security, or the economic or social well-being of people. More recently, the NIS 2 Directive proposal [9] aims to expand this scope by adding new sectors based on their criticality for the economy and society, to strengthen the security of supply chains and supplier relationships, and to prescribe a minimum list of basic security requirements.
Beyond EU-level obligations there are, of course, national laws, as well as international, national, and industry standards. Among international standards, ISO/IEC 27001:2013 [10], published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), was probably the best-known example for years; in 2022 its companion control catalogue was revised as ISO/IEC 27002:2022 [11]. The Payment Card Industry Data Security Standard (PCI DSS) [12] plays a similar role as an industry standard: mandated by the card brands and administered by the PCI Security Standards Council, it aims to increase controls around cardholder data and reduce payment card fraud.
As this short review of typical mandatory measures shows, not only are ICT services becoming more complex, involving an enormous number of stakeholders in cyberspace, but the law is also becoming convoluted, forming a complicated nexus as it tries to keep pace with technological and other developments. However, being compliant with the relevant obligations does not mean that one handles security properly, because (1) external obligations may be incomplete owing to the gap between the regulator and the regulated sectors, and (2) external obligations can be met with minimal effort, resulting in insufficient or incomplete security controls that leave corporate data and processes exposed and thus make an incident more likely.
Incidents
While some incidents are self-inflicted, such as a user locking their own account with a forgotten or simply mistyped password, others happen without the victim's involvement and represent a far greater danger for everyone. To give a few cautionary examples, the following first discusses briefly, based on [13], the infamous WannaCry and NotPetya, showing that even an essentially untargeted attack can easily hit an organization. Secondly, a more recent incident, a well-known supply-chain attack, is described. Lastly, we go back in time to show that an incident's effects may last for years.
The rise of ransomware
In 2017, the WannaCry ransomware hit more than 200,000 devices in as many as 150 countries within hours [14]; the cases of Bristol Airport, the German railway operator Deutsche Bahn, and the National Health Service (NHS) in the United Kingdom are briefly discussed below.
Bristol Airport had to recover its flight information screens. During the two days of downtime, passengers were informed about departing flights and gates with handwritten notes. Deutsche Bahn's passenger information displays and ticket machines were down at approximately 470 railway stations for several hours in the middle of weekend traffic. Fortunately, in neither case were the traffic control systems affected.
In the case of the NHS, the infection made ICT unavailable for days, which led to cancelled or delayed planned operations and to emergency patients being diverted to unaffected hospitals. NHS staff were locked out of their devices, which prevented or delayed accessing and updating patient records, sending test results, and transferring or discharging patients.
Shortly after WannaCry, the NotPetya malware appeared in the wild; it presented itself as ransomware, but in practice it destroyed data irrecoverably. In June 2017, the Danish shipping company Maersk was among its victims. The company's operations were degraded for ten days, several port terminals were shut down, and the company was forced to handle around 80 percent of its operations manually, resulting in lost business.
SolarWinds’ Orion
In 2020, a sophisticated attack against SolarWinds was revealed that seriously affected its customers through the company's Orion IT network management platform. The threat actors had gained unauthorized access to the SolarWinds network in September 2019 [15]. Malicious code was injected into Orion builds, and the trojanized updates were distributed to customers starting on 26 March 2020. The affected Orion versions are 2019.4 through 2020.2.1 HF1. At that time SolarWinds had about 33,000 Orion customers worldwide, of which around 18,000 installed the malicious updates [16]. The company spent $3.5 million on the incident in December 2020 [17] and $40 million in the first nine months of 2021 [18]. In January 2021, some experts [19] estimated that businesses and government agencies in the United States would spend upward of $100 billion over many months to contain and fix the damage.
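The first practical question after an advisory like the one above is which of your own installations fall inside the affected version range. The following is an added example, written for this post and not code from SolarWinds or from the original article, that turns the range stated above (2019.4 through 2020.2.1 HF1) into a triage of a small asset inventory. Orion version strings carry an optional hotfix suffix ("HF1"), so a plain string comparison is not enough; the example parses the numeric part and the hotfix number separately. The hostnames, the inventory format (hostname,version) and the inventory contents are constructed for illustration. Treating the range as contiguous is a simplification of the text; the vendor's advisory, which lists specific builds, is the authoritative source, and a version string alone is weak evidence that should be complemented by file-hash and indicator checks on the installed product.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Sort key: (numeric parts padded to three components, hotfix number).
# A release without a hotfix gets hotfix 0, so "2020.2.1" sorts before
# "2020.2.1 HF1", and "2020.2 HF1" sorts before "2020.2.1".
VersionKey = Tuple[Tuple[int, int, int], int]

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[VersionKey]:
    """Parse an Orion-style version such as '2020.2.1 HF1' into a sortable key.

    Returns None for strings that do not look like a version, so the caller can
    report unparsable inventory rows instead of silently treating them as clean.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        return None
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return ((parts[0], parts[1], parts[2]), hotfix)


# Affected range as stated in the text: 2019.4 through 2020.2.1 HF1, inclusive.
# Assumption: the range is contiguous; the vendor advisory is authoritative.
AFFECTED_LOW = parse_orion_version("2019.4")
AFFECTED_HIGH = parse_orion_version("2020.2.1 HF1")


def is_affected(version: str) -> Optional[bool]:
    """True if inside the affected range, False if outside, None if unparsable."""
    key = parse_orion_version(version)
    if key is None:
        return None
    return AFFECTED_LOW <= key <= AFFECTED_HIGH


def triage_inventory(rows: Iterable[str]) -> Dict[str, List[str]]:
    """Classify 'hostname,version' lines into affected, clean and unparsable hosts."""
    result: Dict[str, List[str]] = {"affected": [], "clean": [], "unparsable": []}
    for line in rows:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        verdict = is_affected(version)
        if verdict is None:
            result["unparsable"].append(host)  # needs manual follow-up, not silence
        elif verdict:
            result["affected"].append(host)
        else:
            result["clean"].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """
# host,orion_version
orion-prod-01,2020.2.1 HF1
orion-prod-02,2020.2.1 HF2
orion-dr-01,2019.4 HF5
orion-lab-01,2019.2
orion-lab-02,2020.2
orion-old-01,n/a
""".strip().splitlines()


if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The unparsable bucket is deliberate: an inventory row whose version cannot be read must not end up in the clean list by default, because a missing or malformed version is exactly the kind of gap that lets an affected host survive a triage.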
Two data breaches affecting Yahoo!
Yahoo! suffered two enormous cyberattacks resulting in data theft, in 2013 and 2014. In August 2013, criminals stole the data of approximately three billion user accounts (initially disclosed as one billion), including usernames, email addresses, phone numbers, dates of birth, and hashed passwords. The theft became public only after a long delay, on 14 December 2016 [20].
Earlier, on 22 September 2016, Yahoo! had announced that another 500 million user accounts had been compromised in 2014, affecting government users as well [21]. Failure to disclose that breach in time led to a $35 million penalty from the U.S. Securities and Exchange Commission (SEC) [22], and the UK Information Commissioner's Office (ICO) imposed a £250,000 (approx. $180,000) penalty for the same breach [23].
As a consequence of the incidents, Verizon reduced its earlier offer for Yahoo!'s core business by $350 million and agreed to share with the seller the liability for subsequent investigations and penalties. On 8 June 2017, the shareholders approved the acquisition at the reduced price of $4.48 billion, and the transaction officially closed on 13 June 2017 [24].
Three years later, under a court decision of 22 July 2020, customers directly affected by the data thefts, including individuals and small businesses in the United States, may receive up to $25,000 each in compensation from a settlement fund of $117.5 million [25].
What can we do?
So what can one do when an incident occurs? First of all, do not panic, and concentrate on getting back to normal operation.
Before that, however, it is essential to prepare for incident detection and response, i.e., to implement reactive controls. Moreover, well-planned, well-implemented, and well-operated proactive controls serve to prevent incidents from occurring in the first place. Overall, proper administrative, physical, and logical security controls, compliant with external obligations and embodying genuine security capabilities, must be in place through the whole lifecycle of any product, platform, or service, ensuring the confidentiality, integrity, and availability of data. The next blog post will discuss some essential frameworks that help to shape these controls.
References
[1] European Commission, “A Digital Single Market Strategy for Europe.” 2015. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:52015DC0192
[2] Z. Bederna and Z. Rajnai, “Analysis of the cybersecurity ecosystem in the European Union,” International Cybersecurity Law Review, vol. 3, pp. 35–49, 2022, doi: 10.1365/s43439-022-00048-9.
[3] Regulation (EU) No 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. 2014, p. 73. [Online]. Available: http://data.europa.eu/eli/reg/2014/910/oj
[4] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC. 2015, p. 35. [Online]. Available: http://data.europa.eu/eli/dir/2015/2366/oj
[5] European Commission, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014. 2020. Accessed: Jun. 14, 2022. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595
[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 2016, p. 1. [Online]. Available: http://data.europa.eu/eli/reg/2016/679/oj
[7] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. 2016, p. 1. [Online]. Available: http://data.europa.eu/eli/dir/2016/1148/oj
[8] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. 2008, p. 75. [Online]. Available: http://data.europa.eu/eli/dir/2008/114/oj
[9] European Commission, “Proposal for directive on measures for high common level of cybersecurity across the Union,” 2021. https://digital-strategy.ec.europa.eu/en/library/proposal-directive-measures-high-common-level-cybersecurity-across-union (accessed May 23, 2021).
[10] ISO/IEC, “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements,” 2013.
[11] ISO/IEC, ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls. 2022.
[12] PCI Security Standards Council, “Payment Card Industry Data Security Standard - Requirements and Testing Procedures version 4.0,” Mar. 2022. https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf (accessed Jun. 15, 2022).
[13] Z. Bederna, Z. Rajnai, and T. Szadeczky, “Attacks against energy, water and other critical infrastructure in the EU,” 2021. doi: 10.1109/cando-epe51100.2020.9337751.
[15] S. Oladimeji and S. M. Kerner, “SolarWinds hack explained: Everything you need to know,” TechTarget, Jun. 16, 2021. https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know (accessed May 02, 2022).
[16] SolarWinds, “Form 10-K,” 2020. https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm (accessed May 02, 2022).
[19] G. Ratnam, “Cleaning up SolarWinds hack may cost as much as $100 billion,” Roll Call, Jan. 11, 2021. https://rollcall.com/2021/01/11/cleaning-up-solarwinds-hack-may-cost-as-much-as-100-billion/ (accessed Jun. 11, 2022).
[20] CNET, “Yahoo sets hack record at 1 billion accounts,” Dec. 14, 2016.
[21] TechRepublic, “Yahoo confirms 500M accounts leaked in massive data breach,” Sep. 22, 2016.
[22] U.S. Securities and Exchange Commission, “Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million,” 2018. https://www.sec.gov/news/press-release/2018-71 (accessed Aug. 12, 2020).
[23] Information Commissioner’s Office, “Yahoo! fined £250,000 after systemic failures put customer data at risk,” 2018. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/yahoo-fined-250-000-after-systemic-failures-put-customer-data-at-risk/ (accessed Aug. 12, 2020).
[25] CNBC, “If you got an email about the $117.5 million Yahoo data breach settlement, here are your options,” Feb. 06, 2020.
The Importance of Cybersecurity Capabilities
by
Bederna Zsolt
The author of this blog is a PhD candidate at Óbuda University's Doctoral School on Safety and Security Sciences, Hungary, researching the security of information and communication technology in critical infrastructures. He has conducted research on various aspects of cybersecurity, such as Union-level governance and the national-level and business effects of cyberattacks, including financial and non-financial impacts. He is a security expert in the business field, holding ISACA, (ISC)², and EC-Council certifications. He is the founder and CEO of a cybersecurity consulting firm providing services such as risk analysis and virtual CISO.
June 22, 2022
Introduction
Security loves simplicity; however, on the contrary, security itself represents a very complex ecosystem comprising several types of security controls. This blog, as a starting point of a security-related blog series, discusses the importance of cybersecurity capabilities which absence may result in incidents, which can be severe enough to endanger business processes and the reaching of business goals. Supporting the statements, the post contains a few examples of incidents and their business-related effects, showing that security is not just a compliance issue – in other words, being compliant is oftentimes not enough.
Compliance is necessary but not enough
In recent decades, the rapid technological improvements and the increased digitization have caused an extremely advancing dependence on information and communication technology (ICT) services, demanding the appropriate level of organizational cybersecurity capabilities. Recognizing the economic importance of cyberspace, the European Union (EU) accepted the equal importance of the Digital Single Market and even made it a foundation for the economy [1]. Due to these relations, more and more compliance obligations are with us for more entities not only in the European Union [2] but worldwide. However, focusing on the EU, there are a few central measures, regulating specific sectors or even a broader set, from which in the following stand the most important ones.
In the Digital Single Market and online government services, trust services play a significant role, providing electronic identification, authentication, and trust services (eIDAS) [3]. The Payments Services Directive 2 (PSD2) [4] promotes the development of digital financial services, supporting the entry of new service providers into financial markets. PSD2 enables external third parties to access the banks’ current account management system and their data on behalf of bank customers. Because of this, it prescribes cybersecurity-related objectives for companies that it covers. Furthermore, the proposal of the Digital Operational Resilience Act (DORA) [5] aims to set uniform requirements for the financial-sector companies as well as critical third parties providing ICT-related services to them, such as cloud providers.
For a broader set of regulator entities, realizing the underregulated nature of processing personal data and the technological changes, the quality and quantity changes in personal data procession, the General Data Protection Regulation (GDPR) [6] was announced in 2016 and entered into force in 2018. However, GDPR looks at security from the privacy viewpoint. So, it incorporates several tasks and obligations for data privacy and data protection; however, it takes security obligations in a very high-level form.
In the same year, the Directive on security of network and information systems (NIS Directive) [7] entered into force, posing a critical milestone as it brought cybersecurity closer to the critical infrastructure protection defined previously [8] to elevate security levels for any asset, system, or part of them located in the Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people. Recently, the NIS 2 Directive proposal [9] aims to expand the current scope by adding new sectors based on their criticality for the economy and society, enhance the security of supply chains and supplier relationships, and prescribe a minimum list of basic security requirements.
Beyond EU-level obligations, there are national laws, of course, and even international, national, and industry standards. For the category of international standards, the ISO/IEC 27001:2013 [10] of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) probably was the best well-known example for years; however, in 2022, the newest version [11] got published. Just the same meaning has the Payment Card Industry Data Security Standard (PCI-DSS) [12] as industry security standards, mandated by the card brands but administered by the PCI Security Standards Council, aiming to increase controls around cardholder data and reduce credit card fraud.
As the short review of typical obligatory measures depicts, not only the ICT services are getting more complex involving a devastating number of stakeholders in cyberspace, but the law is getting convoluted creating a complicated nexus, while it tries to follow technology and other kinds of advancements. However, to be compliant with relevant obligations does not mean that one tackles security in the proper way as (1) external obligations may be incomplete due to the gap between the regulator and regulated sectors or (2) external obligations can be fulfilled with minimal efforts resulting insufficient or incomplete security controls with which corporate data and processes remain endangered – resulting in an incident with higher possibility.
Incidents
While some incidents occur consciously, such as users locking down their user accounts due to forgotten or simply mistyped passwords, some happen unwillingly represinting a higher danger for anyone. To give some deterrent examples, at first, there will be a short discussion in the following based on [13], about the infamous WannaCry and NotPetya showing that despite of being basically untargeted, one can be easily hit. Secondly, a more recent incident is mentioned which is a well-known supply-chain attack. Lastly, we go back in time showing that an incident’s effects may last over heavy years.
The rising of ransomware
In 2017, WannaCry ransomware hit more than 200,000 devices in as many as 150 countries in no time [14], from which the Bristol airport, the German Deutsche Bahn, and the National Health Service (NHS) of Great Britain are shortly discussed.
The Bristol airport should have recovered its information screens. During the two days of downtime, informing passengers about departing flights and gates was done on paper-based notes. The German Deutsche Bahn’s passenger information display systems and ticket automats were down on approximately four hundred seventy railways stations for several hours in the middle of the weekend traffic. Fortunately, traffic controlling systems were not affected in both cases.
In the case of NHS, the infection made ICT unavailable for days resulting in delayed planned operations and rerouted emergency treatments to unaffected hospitals. The NHS staff were locked out of devices, which prevented or delayed accessing and updating patient information, sending test results, and transferring or discharging patients from the hospitals.
Shortly after WannaCry, NotPetya ransomware was in the wild with us. In June 2017, the Danish shipping company, Maersk, belongs to the victims. As a result, the company’s operation was lowered for ten days shutting down several ports and forcing the company to handle 80 percent of its operations manually, resulting in market loss.
SolarWinds’ Orion
In 2020, an ICT-related advanced attack was revealed against SolarWinds that has seriously affected its customers via its so-called Orion IT network management tool. Threat actors gained unauthorized access to the SolarWinds network in September 2019 [15]. The malicious code were injected into Orion, which were sent to customers started on 26 March 2020. The affected versions of SolarWinds Orion versions are 2019.4 through 2020.2.1 HF1. SolarWinds had that time 33,000 Orion customers around the world from which around 18,000 SolarWinds customers installed the malicious updates [16]. The company spent $3,5 million in December 2020 [17] and $40 million in the first nine months of 2021 [18]. In January 2021, some experts [19] estimated for businesses and government agencies located in the United States spending upward of $100 billion over many months to contain and fix the damage.
Two data breaches affecting Yahoo!
Yahoo! suffered two enormous cyberattacks that resulted in data theft in 2013 and 2014. In August 2013, criminals stole approximately three milliard user profiles’ data, including username, email address, phone, birth date, and password. The data theft reached the public with a huge delay on 14 December 2016 [20].
Meanwhile, on 22 September 2016, Yahoo! announced that another 500 million user profiles were compromised in 2014, affecting governmental users as well [21], causing SEC (Securities and Exchange Commission) penalty of $35 million in the United States [22]. Furthermore, the ICO (Information Commissioner’s Office) also imposes £250,000 (appr. $180,000) penalty in the United Kingdom [23].
As an effect of the incidents, Verizon reduced its previous offer for acquiring Yahoo!’s core business by $250 million and agreed to share responsibility with the seller for subsequent investigations and penalties. On 8 June 2017, the shareholders approved the acquisition on the decreased amount of money ($4.48 billion); and the transaction was officially closed on 13 June 2017 [24].
Three years later, according to a court decision of 22 July 2020, customers involved directly in the previous data thefts, including natural persons and businesses in the United States, may receive $25,000 as a compensation, for which a fund worth $ 117 million had to be created [25].
What can we do?
So what can one do if an incident occurs? First of all, the most important is not to panic and be on to get back to the normal operation.
However, before that it is essential to prepare for incident detection and response, i.e., implementing the reactive controls. Moreover, well-planned, -implemented, and -operated proactive controls are on to prevent incidents to occur. In overall, the proper administrative, physical, and logical security controls in compliance with external obligations manifasting security capabilities must be with us through the whole lifecycle of any product, platform, etc., ensuring data confidentiality, integrity, and availability. The next blog post will discuss some essential frameworks helping to form these controls.
References
[1] European Commission, “A Digital Single Market Strategy for Europe.” 2015. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:52015DC0192
[2] Z. Bederna and Z. Rajnai, “Analysis of the cybersecurity ecosystem in the European Union,” International Cybersecurity Law Review, vol. 3, pp. 35–49, 2022, doi: 10.1365/s43439-022-00048-9.
[3] Regulation (EU) No 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. 2014, p. 73. [Online]. Available: http://data.europa.eu/eli/reg/2014/910/oj
[4] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC. 2015, p. 35. [Online]. Available: http://data.europa.eu/eli/dir/2015/2366/oj
[5] European Commission, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014. 2020. Accessed: Jun. 14, 2022. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595
[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 2016, p. 1. [Online]. Available: http://data.europa.eu/eli/reg/2016/679/oj
[7] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. 2016, p. 1. [Online]. Available: http://data.europa.eu/eli/dir/2016/1148/oj
[8] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. 2008, p. 75. [Online]. Available: http://data.europa.eu/eli/dir/2008/114/oj
[9] European Commission, “Proposal for directive on measures for high common level of cybersecurity across the Union,” 2021. https://digital-strategy.ec.europa.eu/en/library/proposal-directive-measures-high-common-level-cybersecurity-across-union (accessed May 23, 2021).
[10] ISO/IEC, “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements,” 2013.
[11] ISO/IEC, ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls. 2022.
[12] PCI Security Standards Council, “Payment Card Industry Data Security Standard - Requirements and Testing Procedures version 4.0,” Mar. 2022. https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf (accessed Jun. 15, 2022).
[13] Z. Bederna, Z. Rajnai, and T. Szadeczky, “Attacks against energy, water and other critical infrastructure in the EU,” 2021. doi: 10.1109/cando-epe51100.2020.9337751.
[15] S. Oladimeji and S. M. Kerner, “SolarWinds hack explained: Everything you need to know,” TechTarget, Jun. 16, 2021. https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know (accessed May 02, 2022).
[16] SolarWinds, “Form 10-K,” 2020. https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm (accessed May 02, 2022).
[19] G. Ratnam, “Cleaning up SolarWinds hack may cost as much as $100 billion,” Roll Call, Jan. 11, 2021. https://rollcall.com/2021/01/11/cleaning-up-solarwinds-hack-may-cost-as-much-as-100-billion/ (accessed Jun. 11, 2022).
[20] CNET, “Yahoo sets hack record at 1 billion accounts,” Dec. 14, 2016.
[21] TechRepublic, “Yahoo confirms 500M accounts leaked in massive data breach,” Sep. 22, 2016.
[22] U.S. Securities and Exchange Commission, “Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million,” 2018. https://www.sec.gov/news/press-release/2018-71 (accessed Aug. 12, 2020).
[23] Information Commissioner’s Office, “Yahoo! fined £250,000 after systemic failures put customer data at risk,” 2018. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/yahoo-fined-250-000-after-systemic-failures-put-customer-data-at-risk/ (accessed Aug. 12, 2020).
Security loves simplicity; however, on the contrary, security itself represents a very complex ecosystem comprising several types of security controls. This blog, as a starting point of a security-related blog series, discusses the importance of cybersecurity capabilities which absence may result in incidents, which can be severe enough to endanger business processes and the reaching of business goals. Supporting the statements, the post contains a few examples of incidents and their business-related effects, showing that security is not just a compliance issue – in other words, being compliant is oftentimes not enough.
Compliance is necessary but not enough
In recent decades, the rapid technological improvements and the increased digitization have caused an extremely advancing dependence on information and communication technology (ICT) services, demanding the appropriate level of organizational cybersecurity capabilities. Recognizing the economic importance of cyberspace, the European Union (EU) accepted the equal importance of the Digital Single Market and even made it a foundation for the economy [1]. Due to these relations, more and more compliance obligations are with us for more entities not only in the European Union [2] but worldwide. However, focusing on the EU, there are a few central measures, regulating specific sectors or even a broader set, from which in the following stand the most important ones.
In the Digital Single Market and online government services, trust services play a significant role, providing electronic identification, authentication, and trust services (eIDAS) [3]. The Payments Services Directive 2 (PSD2) [4] promotes the development of digital financial services, supporting the entry of new service providers into financial markets. PSD2 enables external third parties to access the banks’ current account management system and their data on behalf of bank customers. Because of this, it prescribes cybersecurity-related objectives for companies that it covers. Furthermore, the proposal of the Digital Operational Resilience Act (DORA) [5] aims to set uniform requirements for the financial-sector companies as well as critical third parties providing ICT-related services to them, such as cloud providers.
For a broader set of regulated entities, the General Data Protection Regulation (GDPR) [6], recognizing the under-regulated nature of personal data processing and the qualitative and quantitative changes that technology has brought to it, was announced in 2016 and entered into force in 2018. However, GDPR looks at security from the privacy viewpoint: it incorporates several tasks and obligations for data privacy and data protection, but it formulates security obligations only at a very high level.
In the same year, the Directive on security of network and information systems (NIS Directive) [7] entered into force, marking a critical milestone as it brought cybersecurity closer to the previously defined critical infrastructure protection [8], in order to elevate security levels for any asset, system, or part thereof located in the Member States that is essential for the maintenance of vital societal functions, health, safety, security, and the economic or social well-being of people. Recently, the NIS 2 Directive proposal [9] aims to expand the current scope by adding new sectors based on their criticality for the economy and society, to enhance the security of supply chains and supplier relationships, and to prescribe a minimum list of basic security requirements.
Beyond EU-level obligations, there are of course national laws, as well as international, national, and industry standards. In the category of international standards, ISO/IEC 27001:2013 [10] of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) was probably the best-known example for years; in 2022, however, the newest version [11] was published. The Payment Card Industry Data Security Standard (PCI-DSS) [12] plays the same role among industry security standards: mandated by the card brands but administered by the PCI Security Standards Council, it aims to increase controls around cardholder data and reduce credit card fraud.
As this short review of typical obligatory measures shows, not only are ICT services becoming more complex, involving an overwhelming number of stakeholders in cyberspace, but the law is also becoming convoluted, creating a complicated nexus as it tries to follow technological and other advancements. However, being compliant with the relevant obligations does not mean that one tackles security properly, because (1) external obligations may be incomplete due to the gap between the regulator and the regulated sectors, or (2) external obligations can be fulfilled with minimal effort, resulting in insufficient or incomplete security controls under which corporate data and processes remain endangered, which makes an incident more likely.
Incidents
While some incidents are caused knowingly, such as users locking their own accounts through forgotten or simply mistyped passwords, others happen unintentionally and represent a greater danger to anyone. To give some cautionary examples, the following first offers a short discussion, based on [13], of the infamous WannaCry and NotPetya, showing that despite being essentially untargeted, one can easily be hit. Secondly, a more recent incident is mentioned, which is a well-known supply-chain attack. Lastly, we go back in time to show that an incident’s effects may last for years.
The rise of ransomware
In 2017, the WannaCry ransomware hit more than 200,000 devices in as many as 150 countries in no time [14]; of these, Bristol Airport, the German Deutsche Bahn, and the National Health Service (NHS) of Great Britain are briefly discussed.
Bristol Airport had to recover its information screens. During the two days of downtime, passengers were informed about departing flights and gates on paper-based notes. The German Deutsche Bahn’s passenger information display systems and ticket machines were down at approximately four hundred seventy railway stations for several hours in the middle of the weekend traffic. Fortunately, traffic control systems were not affected in either case.
In the case of the NHS, the infection made ICT unavailable for days, resulting in delayed planned operations and emergency treatments rerouted to unaffected hospitals. NHS staff were locked out of devices, which prevented or delayed accessing and updating patient information, sending test results, and transferring or discharging patients from hospitals.
Shortly after WannaCry, the NotPetya ransomware appeared in the wild. In June 2017, the Danish shipping company Maersk was among the victims. As a result, the company’s operations were reduced for ten days, shutting down several ports and forcing the company to handle 80 percent of its operations manually, which resulted in market loss.
SolarWinds’ Orion
In 2020, an advanced ICT-related attack against SolarWinds was revealed that seriously affected its customers via its so-called Orion IT network management tool. Threat actors gained unauthorized access to the SolarWinds network in September 2019 [15]. Malicious code was injected into Orion, and the trojanized builds were sent to customers starting on 26 March 2020. The affected SolarWinds Orion versions are 2019.4 through 2020.2.1 HF1. At that time, SolarWinds had 33,000 Orion customers around the world, of which around 18,000 installed the malicious updates [16]. The company spent $3.5 million in December 2020 [17] and $40 million in the first nine months of 2021 [18]. In January 2021, some experts [19] estimated that businesses and government agencies located in the United States would spend upward of $100 billion over many months to contain and fix the damage.
Two data breaches affecting Yahoo!
Yahoo! suffered two enormous cyberattacks that resulted in data theft in 2013 and 2014. In August 2013, criminals stole the data of approximately three billion user profiles, including username, email address, phone number, birth date, and password. The data theft reached the public with a huge delay, on 14 December 2016 [20].
Meanwhile, on 22 September 2016, Yahoo! announced that another 500 million user profiles had been compromised in 2014, affecting governmental users as well [21], which resulted in a $35 million penalty from the SEC (Securities and Exchange Commission) in the United States [22]. Furthermore, the ICO (Information Commissioner’s Office) also imposed a £250,000 (approx. $180,000) penalty in the United Kingdom [23].
As an effect of the incidents, Verizon reduced its previous offer for acquiring Yahoo!’s core business by $250 million and agreed to share responsibility with the seller for subsequent investigations and penalties. On 8 June 2017, the shareholders approved the acquisition at the reduced price ($4.48 billion), and the transaction was officially closed on 13 June 2017 [24].
Three years later, according to a court decision of 22 July 2020, customers directly involved in the previous data thefts, including natural persons and businesses in the United States, may receive up to $25,000 as compensation, for which a fund worth $117 million had to be created [25].
What can we do?
So what can one do if an incident occurs? First of all, the most important thing is not to panic and to focus on getting back to normal operation.
However, before that, it is essential to prepare for incident detection and response, i.e., to implement the reactive controls. Moreover, well-planned, well-implemented, and well-operated proactive controls serve to prevent incidents from occurring in the first place. Overall, proper administrative, physical, and logical security controls, in compliance with external obligations and manifesting the organization’s security capabilities, must be present throughout the whole lifecycle of any product, platform, etc., ensuring data confidentiality, integrity, and availability. The next blog post will discuss some essential frameworks that help to form these controls.
References
[1] European Commission, “A Digital Single Market Strategy for Europe.” 2015. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:52015DC0192
[2] Z. Bederna and Z. Rajnai, “Analysis of the cybersecurity ecosystem in the European Union,” International Cybersecurity Law Review, vol. 3, pp. 35–49, 2022, doi: 10.1365/s43439-022-00048-9.
[3] Regulation (EU) No 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. 2014, p. 73. [Online]. Available: http://data.europa.eu/eli/reg/2014/910/oj
[4] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC. 2015, p. 35. [Online]. Available: http://data.europa.eu/eli/dir/2015/2366/oj
[5] European Commission, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014. 2020. Accessed: Jun. 14, 2022. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595
[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 2016, p. 1. [Online]. Available: http://data.europa.eu/eli/reg/2016/679/oj
[7] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. 2016, p. 1. [Online]. Available: http://data.europa.eu/eli/dir/2016/1148/oj
[8] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. 2008, p. 75. [Online]. Available: http://data.europa.eu/eli/dir/2008/114/oj
[9] European Commission, “Proposal for directive on measures for high common level of cybersecurity across the Union,” 2021. https://digital-strategy.ec.europa.eu/en/library/proposal-directive-measures-high-common-level-cybersecurity-across-union (accessed May 23, 2021).
[10] ISO/IEC, “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements,” 2013.
[11] ISO/IEC, ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls. 2022.
[12] PCI Security Standards Council, “Payment Card Industry Data Security Standard - Requirements and Testing Procedures version 4.0,” Mar. 2022. https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf (accessed Jun. 15, 2022).
[13] Z. Bederna, Z. Rajnai, and T. Szadeczky, “Attacks against energy, water and other critical infrastructure in the EU,” 2021. doi: 10.1109/cando-epe51100.2020.9337751.
[15] S. Oladimeji and S. M. Kerner, “SolarWinds hack explained: Everything you need to know,” TechTarget, Jun. 16, 2021. https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know (accessed May 02, 2022).
[16] SolarWinds, “Form 10-K,” 2020. https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm (accessed May 02, 2022).
[19] G. Ratnam, “Cleaning up SolarWinds hack may cost as much as $100 billion,” Roll Call, Jan. 11, 2021. https://rollcall.com/2021/01/11/cleaning-up-solarwinds-hack-may-cost-as-much-as-100-billion/ (accessed Jun. 11, 2022).
[20] CNET, “Yahoo sets hack record at 1 billion accounts,” Dec. 14, 2016.
[21] TechRepublic, “Yahoo confirms 500M accounts leaked in massive data breach,” Sep. 22, 2016.
[22] U.S. Securities and Exchange Commission, “Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million,” 2018. https://www.sec.gov/news/press-release/2018-71 (accessed Aug. 12, 2020).
[23] Information Commissioner’s Office, “Yahoo! fined £250,000 after systemic failures put customer data at risk,” 2018. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/yahoo-fined-250-000-after-systemic-failures-put-customer-data-at-risk/ (accessed Aug. 12, 2020).
[25] CNBC, “If you got an email about the $117.5 million Yahoo data breach settlement, here are your options,” Feb. 06, 2020.
by Bederna Zsolt
The author of this blog is a PhD candidate at Óbuda University Doctoral School on Safety and Security Sciences, Hungary, with the research topic of the security of information and communication technology in critical infrastructures. He has conducted research on various perspectives of cybersecurity, such as Union-level governance as well as the national-level and business effects of cyberattacks, including financial and non-financial impacts. He is a security expert in the business area, holding ISACA, ISC(2), and EC-Council certificates. He is the founder and CEO of a cybersecurity consulting firm providing services such as risk analysis, virtual CISO, etc.
June 22, 2022
The Importance of Cybersecurity Capabilities