Academic journal article Journal of the Academy of Business Education

Acknowledging the "M" in MIS: Managing a Data Breach Crisis

Article excerpt

INTRODUCTION

Technology is the proverbial two-edged sword. Despite enabling tremendous advancements in human interaction on many fronts, the internet, especially accessed via wireless communication, has created a playground for hackers of all stripes. Hackers have many motivations ranging from entertainment (taunting their targets) or simply making a name for themselves (akin to tagging a neighborhood wall) to stealing proprietary or sensitive data for personal gain. To be sure, there are black hat hackers (malicious) and white hat hackers (management allies helping to ferret out system exposure), but the boundaries are dotted at best, with many hackers crossing and straddling the lines.

Rouse [2016] defines a data breach as "an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so. Data breaches may involve payment card information (PCI), personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property."

The attacks themselves come in many flavors, including viruses, malware, Trojan horses, network backdoors, and the implementation of other dangerous technology. Hackers, as it turns out, can even steal passwords and encryption keys by listening to PCs, dampening fan noise using "Trojan horse" software [Liszewski, 2016]. The resulting breaches can lead to the loss of critical data, business interruption, burdensome disclosure requirements, regulatory scrutiny, third-party litigation, and loss of reputation [Breaux et al., 2014]. As an example of how all of these objectives can merge, hackers stole sensitive customer information from the most famous name in infidelity, namely AshleyMadison.com, and posted the data online. To the embarrassment of many, the files included account details and logins for some 32 million users of the social networking site, touted as the premier site for married individuals seeking partners for affairs. Seven years' worth of credit card and other payment transaction details were also posted [Zetter, 2015].

In another high-profile incident, during the 2016 Democratic National Convention, it became clear that the Democratic National Committee email system was hacked. Subsequent email releases served to embarrass the committee and forced the resignation of four high-level operatives, including the committee CEO, CFO, communications director, and party chairwoman [Meyer, 2016; Ausick, 2016].

Data breaches of large retail chains have also drawn attention to the magnitude of the issue. In December 2013, Target reported a breach of its customer data files. In order to gain access to customer credit and debit card numbers, hackers installed malicious software on point-of-sale systems in Target stores. The card-skimming malware compromised the identities of 70 million customers and 40 million credit and debit cards. In very small increments, Target eventually revealed that more than 40 million customer files were compromised [Kerr et al., 2014]. The upshot was that Target senior executives lost their jobs, likely due more to the management of the breach and the resulting bad publicity and customer loss of confidence than to the actual technical lapse.

Subsequently, other eyebrow-raising breaches were reported, including Home Depot (via the same malware used in the Target attack), JP Morgan Chase, and Community Health Systems (operator of 206 U.S. hospitals). As a result of such breaches, a Russian crime ring has amassed a collection of stolen internet credentials, including 1.2 billion user name and password combinations [Kerr et al., 2014], the criticality of which is enhanced by the fact that 39 percent of users employ the same password for all accounts [Kaspersky Report, 2016].

Organizations impacted by a data breach may face fines or other penalties in addition to the costs of future breach prevention. Furthermore, breached companies can incur legal expenses resulting from potential liability exposure [Gatzlaff and McCullough, 2010]. …
