For Sony Pictures, the gift of litigation came early this year.
In the week before Christmas, the entertainment company was struck by no fewer than six class-action lawsuits from ex-employees, all seeking damages for the harms suffered as a result of the company’s data leak, in which the Social Security numbers of tens of thousands were made public on the web.
They argue that Sony could have avoided being hacked if it had adequately invested in security, and reports emerged of Sony’s gross incompetence in securing its data. Unnamed Sony employees told Fusion.net that Sony’s information security team was a “complete joke,” and a Sony executive said in 2007 that it was a “valid business decision” to accept certain security risks.
But while the Sony hackers’ decision to upload their loot to public file-sharing hubs was unusual, and the scale of the attack unprecedented, the hacking of major corporations is a routine affair in the 21st century, a consequence of the economy’s digital makeover.
A survey of 59 U.S. corporations with more than 1,000 employees found that the average cost of cyberattacks per year was $12.6 million in 2014, according to the Ponemon Institute. Every one was hit with at least a minor attack, with the minimum cost incurred by a company totaling over $1.5 million.
Accelerating
Mega-breaches, defined as attacks in which over 1 million records are lost, are ten times more frequent in 2014 than in 2005, and the rate of major attacks is only accelerating, according to Larry Ponemon, founder of the eponymous security think tank.
“Mega-breaches were very rare in 2005; now it seems to be every day,” Ponemon said. “Many of these attacks aren’t even reported anymore. Staples was attacked [in December and lost 1.2 million credit card numbers]; it wasn’t even on the front page of the Wall Street Journal.”
Breaches became better known after a landmark 2003 California law required businesses to notify customers of attacks that resulted in the loss of their private information. As of 2014, similar laws have been adopted in 46 other states.
With the new data, Ponemon has been trying to develop a cybersecurity equivalent to Moore’s Law that can map the growing risk of cyberattacks, but the project has stalled because the ever-changing nature of cybersecurity makes even cautious estimates difficult to obtain.
Still, Ponemon is certain that at the moment, cybersecurity is on a downward slope.
“There’s no question” the rate of major cyberattacks is accelerating, Ponemon said. “If we can come up with a metric, it would be pretty high.”
The Perils of a Cyber-World
At first blush, our increasing vulnerability to cyberattacks may be a sign of progress, an inevitable consequence of the economy becoming more digital, or as venture capitalist Marc Andreessen puts it, “software is eating the world.”
More than a few of the companies—Amazon, Netflix, Spotify—lauded in Andreessen’s 2011 essay have suffered serious data breaches since then. Traditional retail companies transitioning into the digital space have been hit even harder; 2014 saw chains like Target, Neiman Marcus, Michaels, and Home Depot lose the financial information of tens of millions of shoppers to hackers.
“Everything is going digital. Because there’s so much attack surface, every time you add a new system to your enterprise, it becomes a ticking time bomb,” said Adam Meyers, VP of Intelligence at CrowdStrike, a security technology company.
Vulnerabilities in everyday software are so numerous that hackers always find new exploits when old ones are secured. When Microsoft in 2008 patched vulnerabilities in Word used by Chinese hackers, the hackers moved on to Adobe PDFs, and after that was patched, Adobe Flash.