Cyber security crisis: From the front lines of corporate law

BY ADRIAEN M. MORSE JR

I sat in the meeting, watching as the company’s senior executives each spoke in turn, for the most part directing their remarks to the CEO, who sat poker-faced at the center of the large boardroom table.  Charts and graphs in PowerPoint presentations flowed across the screen at the end of the room, but the CEO generally kept his eyes focused on whichever member of his team was speaking at the moment.  The atmosphere was tense, everyone in the room on edge, although none of the executives broke character in this setting.  It was almost as though they believed that maintaining a façade of normalcy could stave off the impending disaster that, through their dry analysis, they were describing for the CEO.

The meeting had been called at my request.  About twenty-four hours earlier, I had received a call from the company’s general counsel, a former colleague of mine when we’d both been in the government.  “I understand your firm deals with data breaches,” he said, “we’ve got one and I think we need outside help to cope with the fallout.  Preferably before this breaks into the news.”

I responded, “Sure, we’ve handled several cases along those lines.  When did this happen and what has your company done about it so far?”

“We don’t yet know how or when the breach happened, just that it has.  Can you get out to San Jose and bring your team?”

“Sure,” I said.  “I’ll be there in the morning.  Let’s meet first thing and then can you get everyone who knows anything about this in a conference room to bring us up to speed?”

So here we were, trying to understand what had happened and how to address it.

The first thing to understand about data breaches is how dynamic the cyber security threat landscape has become.  According to internet security company Malwarebytes, in the second half of 2016 there were “almost a billion malware detections from almost a million consumer and corporate Windows and Android devices distributed in more than 200 countries.”[1]  “Malware,” or malicious software, “is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs.”[2]  Corporate computer networks are a prime target for malware, and the types of attacks that can result in disruption to business and customers are limited only by human imagination.  Hackers have become adept at using one particular type of malware, “ransomware.”  Ransomware “allows a hacker to access an individual or company’s computers, encrypt sensitive data and then demand some form of payment to decrypt it. Doing so essentially lets hackers hold user data or a system hostage.”[3]  There were over 4 million different samples of ransomware detected in the second quarter of 2015.[4]  Ransomware has become the malware of choice for cybercriminals because it’s easy to use (for $39 someone without coding skills can purchase a “ransomware as a service solution” on the dark web) and because it is very effective—it encrypts the files on a victim’s computer with an algorithm that is virtually impossible to break; a business must either pay the ransom or lose the files.[5]

My client’s CIO informed the group that the company’s database containing customer credit card data had been compromised by a new ransomware program he had not heard of before.  The CIO also stated that he had received a communication from a purported hacker group demanding a payment of $25 million to be made to an offshore account in the Cayman Islands to release the data.  It did not appear that the credit card data had been exfiltrated or was necessarily accessible to the hackers, but the CIO could not be sure.

In addition to causing operational problems for the company and a potential public relations nightmare with customers whose credit card data was affected, the company was also on the brink of being acquired by a global multinational which had offered to pay a significant premium to purchase the company’s outstanding shares.  No one in management or the Board wanted that deal to be affected by the compromised data.

* * *

“So what did you do next?” asked Frank, my mentor and friend, as we discussed this recent case over a beer.

“Well, we did the usual: formed an incident response team that included the General Counsel, CFO, CISO (Chief Information Security Officer), and representatives of IT, Legal, Customer Relations, and Communications/Public Relations.  We established a privileged reporting channel to maintain the confidentiality of our investigation into what had happened.  We retained an outside forensic cybersecurity expert for the investigation and established regular, privileged updates for the executive team and the Board.  The company’s IT folks, working with our external experts, disconnected the database from other critical systems and isolated the breach to avoid further impacts.  We also secured the affected systems, preserved computer logs, and began to document the date and time of the breach.”

“Did you figure out how the breach happened?” asked Frank.

“Yes, and it was interesting, to say the least,” I said.  “Starting out, we thought it might have been someone clicking on a bad link in an email or an employee’s laptop being lost or stolen and hacked—those are pretty common entry points.  However, in this case, the ransomware was triggered when a company employee on the overnight shift browsed the menu of a local pizza parlor to order a pizza for delivery.”

“Really?” asked Frank.

“It’s called a ‘watering hole attack,’ the equivalent of a predator lurking by a watering hole and pouncing on its thirsty prey.[6]  When the employee accessed the menu, he inadvertently downloaded code that gave the hackers access to the network.”

“That’s pretty sneaky,” noted Frank.  “With all the different ways a computer network can be compromised, how are companies supposed to keep up with all this?”

“Well, there’s no way to be completely safe,” I began, “because as technology evolves, new vulnerabilities appear.  As you know, many companies spend significant resources on building up their firewalls to prevent unauthorized external access into their networks.  However, people—a company’s employees—are always going to represent the best route into any system since they require access themselves to do their work.  The biggest issue we found during this particular breach was that, despite state-of-the-art firewalls, the company’s internal systems behind the firewall—email databases, HR databases, customer databases, and other third-party systems—were all on the same network.  Once a single employee’s system was compromised, the hackers had access to all the sensitive data and they pounced.”

Frank asked, “How could this have been prevented?”

“Well,” I said, “the company did learn its lesson.  After this event, the networks were totally overhauled so that access to sensitive data was completely segregated from other systems, the company began remotely monitoring its systems for anomalous traffic, and new security personnel with cyber security backgrounds were brought in to help detect and prevent future attacks.  And the company’s cyber security awareness training was updated and administered on an annual basis to every employee in the company.  Finally, the company periodically will ask outside third party experts to come in and audit its processes and safeguards.”

“That sounds good,” said Frank, “but what ended up happening with the ransom demand?”

“We got lucky.  Once we’d figured out how the breach had happened, we figured other companies in the area might have had similar issues.  We contacted the local FBI field office (initially keeping the client anonymous, of course) and learned that our client was one of eight different companies to have been targeted with the same demand.  What was more, the FBI had been working the case for four months already and were zeroing in on the hackers.  Working together with the FBI, we were able to assist in the apprehension of the group, who are currently under federal indictment.  And the FBI agreed to keep our client’s identity out of the public record.”

“Sounds like a fantastic result,” Frank commented with a grin.

Putting down my beer, I smiled.  “I learned from the best.”

Adriaen M. Morse Jr is a former Chief Ethics and Compliance Officer and senior attorney in charge of compliance, investigations, and litigation at two global, Fortune 500 companies. With over 20 years’ experience as a lawyer, he now practices law with a firm in Washington, DC. The events depicted in this article are fictitious and any resemblance to actual persons, living or dead, is purely coincidental.


ENDNOTES

[1]  Kevin Murnane, "The Malwarebytes Report: The 2016 Malware Landscape." Forbes, Jan. 31, 2017: www.forbes.com/sites/kevinmurnane/2017/01/31/the-malwarebytes-report-the2016-global-malware-landscape/#12bd0d973172.

[2] See Wikipedia, https://en.wikipedia.org/wiki/Malware.

[3] "'Ransomware' Attacks Grow in 2016." Security, Nov. 23, 2015: www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[4] Ibid.

[5] Kevin Murnane, "The Malwarebytes Report: The 2016 Malware Threat Landscape." Forbes, Jan. 31, 2017: www.forbes.com/sites/kevinmurnane/2017/01/31/the-malwarebytes-report-the-2016-malware-threat-landscape/#2b9199021ee9.

[6] See Nicole Perlroth, "Hackers Lurking in Vents and Soda Machines." New York Times, Apr. 8, 2014, at A1, also available at www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html (reporting that an oil company's network was hacked when employees ordering from a popular Chinese restaurant downloaded malware while browsing the online menu).