Board Cybersecurity: Massive Data Breaches Signal Need for Stricter Security

Nicholas J Price
Breaking news of new data breaches is becoming so commonplace that it's getting to be old news. The good news is that corporations are learning how to identify weak spots in their security and how to strengthen their defenses. Each new data breach also teaches corporations how to respond better once such a breach is discovered.

While companies continue to work on stricter security measures, data breaches have a financial impact on them. At a time when corporations are looking for ways to increase growth over the short and long term, a data breach typically causes a decrease in sales and a drop in the stock price, at least temporarily. Retailers have little left to lose, as they've been struggling to keep up with the popularity of online retailers.

The latest data breaches at Saks Fifth Avenue, Lord & Taylor and Under Armour demonstrate that, just as corporate boards are giving greater attention to cybersecurity issues, they're learning just how much more they need to do to protect shareholders and stakeholders.

Hudson's Bay Company Gets Attacked on Multiple Fronts

Hudson's Bay Company owns several upscale retail establishments offering online sales and high-end brick-and-mortar retail stores in major cities. The chain recently released a statement saying that the cash register systems at certain store locations for Saks Fifth Avenue, Saks Off 5th and Lord & Taylor in North America had been criminally compromised.

Results from the investigation point toward a well-known Russian group of hackers, known as Fin7 or JokerStash, as the originators of the data breach. Investigators believe that the group implanted software into the cash register systems at various stores, which gave them access to customers' credit card information.

While it's still unclear exactly how the hackers accessed the registers, one theory suggests that the criminals sent phishing emails to Hudson's Bay employees. Phishing emails typically ask recipients to open a file or click a link, which silently installs software on their computers and gives the attackers access to those systems.

Hudson's Bay Company identified the matter and took immediate steps to contain the issue and to prevent it from spreading. Current information suggests that the retailer's e-commerce operations remain unaffected.

While the investigation continues, Hudson's Bay Company is posting information about the breach on the websites for its Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores. Once Hudson's Bay Company has all the facts, they plan to offer affected customers free identity protection services and free credit and web monitoring services.

Recent Massive Data Breach at Under Armour Company

Under Armour's board wisely took heed of how other corporations that suffered data breaches handled the aftermath of their scandals. Under Armour acted quickly to address a data breach of over 150 million customer accounts.

About three years ago, Under Armour acquired the popular fitness and calorie tracking site My Fitness Pal for $475 million. My Fitness Pal was founded in 2005 and spread virally as health-conscious individuals discovered that the application makes it fast and easy to monitor exercise and food intake.

Due to the preparedness of Under Armour's board, the hackers didn't acquire nearly as much data as they may have hoped. Cyber criminals were able to access little more than email addresses and usernames. My Fitness Pal stores passwords in hashed form rather than in plaintext, which kept the breach from exposing additional data. While most of the passwords were hashed using bcrypt, which is considered a strong password hashing tool, Under Armour admits that some accounts were protected by a weaker 160-bit hash function called SHA-1.

Under Armour's security system prevented the release of sensitive information such as Social Security and driver's license numbers. My Fitness Pal uses a separate process for processing bank and credit card information, so those processes weren't affected.

Under Armour's fast response to the data breach indicates that they are well-prepared to comply with GDPR, which has a May 25 deadline for implementation. Under Armour announced the breach and notified all users within a week. My Fitness Pal users will be required to change their passwords in order to protect their accounts.
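The two points above, that unsalted SHA-1 is a weak way to store passwords and that affected users must reset them, can be seen side by side in a small audit-and-migrate routine. This is an added example, not Under Armour's or My Fitness Pal's code; the user table is constructed, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, since both salt each password and carry a tunable work factor.

```python
import hashlib
import hmac
import os

# Constructed user table: two accounts stored under unsalted SHA-1, the legacy
# scheme the article says protected some accounts, as an auditor might find it.
LEGACY_USERS = {
    "alice": "sha1$" + hashlib.sha1(b"correct horse").hexdigest(),
    "bob":   "sha1$" + hashlib.sha1(b"correct horse").hexdigest(),
}

def audit_legacy(users):
    """Return the usernames still stored under unsalted SHA-1, plus groups of
    users whose digests are identical: without a salt, shared passwords are
    visible at a glance in a leaked table and precomputed lookups apply."""
    legacy = [u for u, h in users.items() if h.startswith("sha1$")]
    by_digest = {}
    for u in legacy:
        by_digest.setdefault(users[u], []).append(u)
    shared = [g for g in by_digest.values() if len(g) > 1]
    return legacy, shared

def hash_password(password, iterations=600_000):
    """Salted, deliberately slow hash (PBKDF2 here as a stand-in for bcrypt).
    A fresh 16-byte salt makes equal passwords hash differently, and the
    iteration count is the work factor that unsalted SHA-1 lacks."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2$sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(stored, password):
    """Check a password against either stored format, in constant time."""
    if stored.startswith("sha1$"):
        digest = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(stored, "sha1$" + digest)
    _, _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(users, username, password):
    """Verify a login; if the account still uses SHA-1, re-hash the password
    just proven correct under the salted scheme so the legacy digest retires."""
    stored = users.get(username)
    if stored is None or not verify_password(stored, password):
        return False
    if stored.startswith("sha1$"):
        users[username] = hash_password(password)
    return True
```

Accounts that never log in again keep their SHA-1 digest, which is why a forced reset, as the article describes, is needed to finish the migration.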

Under Armour continues to monitor its systems for suspicious activity and to explore security enhancements to detect and prevent additional breaches as it continues to work with law enforcement officials.

Data Breaches Add to the Demise of Traditional Retailers

In general, brick-and-mortar retailers have been struggling to keep up with the vast emergence of online retailers. The decrease in foreign visitors has also negatively affected high-end retailers. Last October, Hudson's Bay Company's CEO Gerald Storch stepped down due to disagreements with other executives about the direction of the company. Helena Foulkes took over as the new CEO in February.

News of a data breach exacerbates the issues that struggling retailers already have. Stocks typically drop about 5% after the announcement of a data breach. True to form, Under Armour stock prices dropped about 4.6% after they announced their breach. On a positive note, massive breaches at Target and Equifax prove that the long-term impact of data breaches is often not as bad as initially projected.

Massive Data Breaches Signal a Move Toward Even Greater Tightening of Security

Managing cybersecurity is a board-level priority that calls for an even stronger focus on protection and prevention than what boards have been doing. Boards must recognize that untrusted actors may come from within a corporation, as the Hudson's Bay breach proved, and threats may also come from outside the corporation, as the Under Armour breach showed.

Cybersecurity experts are changing their tune from 'trust, but verify' to 'don't trust, and always verify.' New security standards suggest that boards ensure their corporations grant employees and others access and privileges only to the systems they need to perform their duties. Systems should be in place to verify every user and validate their devices. Security professionals will need to implement mechanisms that learn and adapt to user behavior while keeping systems highly secure, such as implementing secure hashing algorithms.

Where corporations are reluctant to implement stronger security, state regulations may force them to take greater responsibility for data breaches in the future.

Moving forward, customers may be more affected by the inconvenience of having to keep different usernames and passwords for each application, service, website and mobile device they use than by the announcement of a data breach.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.