Sunday Independent (Ireland)

€350bn cyber crimewave to become a tsunami as high-tech heists soar

A cyber crimewave is hitting Irish firms and last week’s raid on Tesco Bank was another wake-up call, writes Simon Rowe


HIGH-TECH heists are costing businesses worldwide €350bn a year and a cyber crimewave is hitting Ireland. This was the message from the Central Bank this week when it sounded the alarm on Ireland’s preparedness in the wake of last weekend’s cyber raid on Tesco Bank that resulted in £2.5m (€2.8m) being stolen from 20,000 customer accounts.

The Tesco Bank raid is the latest in a long line of high-profile heists where sophisticated cyber defences have been outsmarted by even more sophisticated hackers.

But cyber security experts and financial regulators believe Irish businesses and consumers need to up their game if they are to defeat cyber criminals.

“If a ‘bricks and mortar’ bank was robbed of £2.5m, sales of bank safes and blast-resistant vaults would soar,” said one cyber security expert. “So, the financial sector should be reacting in the same way after the Tesco Bank theft by making big improvements to their cyber defences.”

A rapid digitisation of consumers’ everyday lives — from internet banking, to mobile payments, through to the growing interconnectedness of our online and offline worlds — has provided modern-day John Dillingers with unprecedented opportunities to steal our identities and our cash.

When Dillinger, one of America’s most notorious bank robbers in the Depression-era, was asked why he robbed banks, he replied: “Because that’s where the money is.”

Similarly, today’s cyber criminals are targeting businesses and online consumers because that’s where the money is. And rather than machine guns and getaway cars, today’s bank robbers are armed with malware, botnets and phishing equipment.

In a bid to encourage Irish firms to up their game and alert them to the rising threat levels, the financial regulator has published new guidelines on cyber security.

Central Bank director of policy and risk Gerry Cross said: “The guidelines are a clear statement of the standards and quality in this area that Central Bank supervisors will expect to see firms meeting.

“The Central Bank encourages firms to participate in cybersecurity information sharing networks.

“These can provide valuable intelligence on current threats, attacks and vulnerabilities which will support effective security risk identification and mitigation. The Central Bank will continue to drive firms to take actions to better address IT related risks.”

Cybercrime is the world’s fastest-growing industry with the annual cost to the global economy estimated at a whopping $400bn — more than the GDP of some countries.

LinkedIn, Yahoo, Sony and eBay have all been hit by data breaches that have affected hundreds of millions of customers.

US retail giant Target was targeted in 2013 when 40 million customers had their credit and debit cards compromised after malware was introduced to the point-of-sale system in almost 1,800 stores.

In March this year, US retail giant Home Depot paid $20m (€18.3m) to compensate US consumers hit by a 2014 data breach affecting more than 50 million cardholders.

One of America’s largest health insurers, Anthem, had 80 million customer accounts breached last year in what was by far the largest data breach in healthcare history.

And closer to home, in 2013, Co Clare firm Loyaltybuild suffered a massive data breach that involved the personal data of 1.5 million people, including 376,000 whose credit card data was compromised.

Loyaltybuild specialises in discounted travel breaks for loyalty schemes. The breach affected hundreds of thousands of customers, including 70,000 SuperValu customers and over 8,000 AXA Leisure Break customers.

In recent months, An Garda Siochana was hit by an embarrassing breach, too. In August, Garda bosses reported a malicious cyber attack on its internal network when a malware threat forced IT staff to shut down a number of systems.

The security breach was identified as a ‘zero-day’ attack — when malware is used to exploit a software vulnerability, which can affect programmes, data and networks.

The Garda network hosts thousands of sensitive documents such as intelligence reports, as well as the personal information of victims of crime, forensic and DNA evidence.

Although gardai said no data was compromised during the security threat, it showed yet again the ever-present danger that is posed by cyber criminals.

Indeed, Ireland is seen as a “prized target” by criminal hackers due to our close links to online giants such as Google, Yahoo, Facebook, PayPal, Microsoft and LinkedIn, a top cyber security expert has warned.

“Organisations in Ireland are being increasingly targeted because they are in the supply chain of large US multinationals,” said Mike Harris, head of the cyber security unit at Grant Thornton.

“Rather than targeting the large organisations directly, cyber criminals and hackers are increasingly targeting a third-party firm or a supplier of the bigger firm. This is something we are seeing with a lot of the large hacks,” said Harris.

To put the cyber threat that Irish businesses are facing in context, Terry Greer-King, director of security for IT giant Cisco, says his firm “detects and blocks 19.7 billion attacks daily. That is roughly six times more than the search requests that Google manages on a daily basis”.

Greer-King, who is speaking at the Dublin Info Sec 2016 conference — the cyber security event in the RDS on Tuesday featuring top international experts including cyber psychologist Dr Mary Aiken — said: “Cybersecurity is not an issue that can be tackled in isolation by IT departments, it needs to be an issue recognised and addressed at a board level, and throughout the organisation. But what is most troubling is that on average, 60pc of the data stolen is done so within the first few hours of an attack and more than 50pc of attacks manage to persist on systems undetected for months, if not years.”

The price of getting cyber security wrong for EU firms has stepped up a notch.

New regulations due to come into force in 2018 will lead to heavy fines for firms who fall victim to successful cyber attacks.

Had these new EU rules been in effect today, the supermarket chain Tesco, which owns Tesco Bank, would have faced fines of over £1.9bn for last weekend’s hack.

The General Data Protection Regulation (GDPR) will crank up the data protection regulatory regime across Europe, introducing fines of up to 4pc of turnover for an organisation classified as a ‘data controller’ that suffers a breach.

Under the new rules, Tesco Bank would have been slapped with a massive fine as it had a turnover of £955m in the year to the end of September 2016, but the company as a whole filed a turnover of £48.4bn. That would subject the parent company to a fine of as much as £1.94bn, with class-action lawsuits for breaches of data privacy on top of that thanks to the new GDPR rules.

Ireland may be a prized target for cyber criminals, but Dublin is playing a major role in taking the fight to the online criminals. The city has been branded “the Silicon Valley of Europe” when it comes to fighting cybercrime, according to the boss of tech security giant Kaspersky Lab, which opened a new R&D facility in Dublin in September.

With an initial investment of €4.5m, Kaspersky Lab plans to create 50 new Dublin-based roles in the next three years, with the Irish-based team focused on targeted attack detection and investigation.

Nikita Shvetsov, chief technology officer at Kaspersky Lab, said: “Dublin was an obvious choice for the company’s first European R&D office, owing to the quality and density of tech talent there, and especially as the city is becoming known as the Silicon Valley of Europe.”

Ireland is already home to the world’s top five security software firms, FireEye/Mandiant, TrendMicro, Intel Security Group/McAfee, Symantec and MasterCard Labs.

The “clustering” of talent and the networking opportunities between industry leaders and research centres is enabling Ireland to develop as a world class cybersecurity practice and innovation hub, said IDA Ireland CEO Martin Shanahan.

Ireland’s track record in cyber security sleuthing is impressive. In 2015, a team of Irish experts was tasked with helping to solve the mystery of one of the most audacious hacking attacks ever.

Sony Pictures hired FireEye’s Mandiant forensics unit — which has a team based in George’s Quay in Dublin — to investigate cyber attacks that crashed its computer network, stole private data and emails, and targeted the entertainment giant’s PlayStation network, knocking it offline on Christmas Day, 2014.

FireEye Mandiant is a multinational IT security firm that helps targeted companies identify the extent of attacks, clean up networks and restore systems.

Before taking on the Sony clean-up job, FireEye’s forensics unit solved one of the largest data breaches uncovered to date — the 2013 attack on US retail giant Target.

In December 2013, Target disclosed a massive data breach which resulted in the theft of 40 million debit and credit card numbers and the potential exposure of personal data of up to 70 million shoppers.

FireEye’s security arm, Mandiant, was also behind a 60-page dossier that exposed how the Chinese government sponsored cyberespionage to attack US firms.
