Just before the 2017 Major League Baseball season kicked off, the final pages in the infamous Cardinals-Astros hacking scandal were written.
In January, MLB commission Rob Manfred added to the penalties levied by a federal judge last July which sentenced Christopher Correa, the team’s former scouting director, to nearly 5 years in jail for hacking the Houston Astros’ player and personnel database. In addition to jail time, the Cardinals forfeit their first two draft picks to the Astros and the team was forced to pay $2 million in fines – the highest ever.
“I violated my values and it was wrong … I behaved shamefully,” Correa said in court last July. “The whole episode represents the worst thing I’ve done in my life by far.”
Correa’s apology may have been genuine. But, in the last few years, it’s clear that similar actions have become increasingly common. Here the stereotypes have changed. No longer are we dealing with lone recluses or even larger foreign or domestic entities. Today’s most sophisticated hacking could be coming from your competitors. If not outright, then through hired third parties.
The Inside Baseball of Competitor Hacking
In the sordid world of computer hacking – defined as a person (or organization) who illegally gains access to and sometimes tampers with information in a computer system – corporate competitors have gotten clever.
While some companies are flirting in the gray area by employing tactics like spymail, media tracking, monitoring employee and customer review websites, following conversations on social media, and stalking at trade shows and events, others are going for the hacking jugular.
These are the so-called “professional hackers.” Virginia-based Engame, Inc. is just one example. Founded in 2008, the company is known for compiling and selling what’s known in the cybersecurity industry as “zero days,” which are errors in software which can be exploited. Some companies even hack themselves to discover unknown vulnerabilities. Yet, as with gun regulations, there’s no law preventing companies from purchasing this information legally. What they do afterwards is anyone’s guess. Though the price tag for such access can be huge: up to $2.5 million for a “zero day subscription package.”
Meanwhile in Italy, another “hack-for-hire” company, Hacking Team, was recently hacked itself when an unidentified group released nearly half a terabyte of information of company documents on BitTorrent, the peer-to-peer file sharing service. Although Hacking Team’s website declares its services are “exclusively focused on offensive security,” there’s plenty of evidence to suggest otherwise.
One Strike and You’re Out
Even if companies are loath to admit they’ve been hacked and even more reticent to acknowledge that they’ve been doing the hacking, it’s becoming increasingly clear that governments and spy agencies aren’t the only entities recruiting the hack-for-hire industry. The dollar value of data breaches alone – $4 million, or about $158 for every stolen record – is more than enough to entice companies to use the information they purchase in unethical ways.
The question is what can be done to prevent such hacks from occurring?
First, don’t ignore basic security protocols. Use strong alpha-numeric case sensitive passwords and use them not for masses of documents contained in a folder, but password protect each individual file. In these instances, a password manager can help. Next, a change in mindset is probably in order too. Don’t assume that your data system’s firewall will protect your company against all threats. It’s better to assume that all your data is at risk and could be hacked at any moment.
It’s also a good idea to beef up your company’s physical security. The Target hack brought this into focus a few years ago. While the company’s data breach was in part accomplished remotely, its success relied on malware installed on physical in-store card readers. So, remember to lock your doors, encrypt your Wi-Fi access, and consider a PIN for your office phone.
Play Ball – With Us!
As a lead supplier of IT centered products, consulting, security, and data support services, Kelly Communications Systems is committed to helping your brand navigate these ethically difficult and financially costly decisions. Our partner, NetSkope, has built a security platform from the ground up, enabling enterprises to secure both sanctioned and unsanctioned cloud services, protect sensitive data in the cloud, and stop the most advanced online threats. Additionally, the company’s April 2017 cloud report (free for download here) highlights that backdoors (hidden entry points into supposedly secure systems) comprise the majority of malware detection. Netskope Threat Protection could be another important anti-hacking safeguard.
The Cardinals’ Christopher Correa may have struck out earlier this year with additional MLB penalties leveled against his former team. But with the proper tools – and the proper data mindset – your chances of getting punished in the form of an offensive hack will be greatly reduced.
It’s time companies’ stop treating cyber security like it’s a luxury they don’t need – until they do.