Seven years ago, Burger King’s Twitter account was hacked. The outcome was harmless enough — its profile picture was replaced with the McDonald’s logo, its display name changed to “McDonald's” and its biography altered to “Just got sold to McDonalds because the whopper flopped =[.”
Which, although frankly hilarious, sparks more than a little concern as to how resilient the passwords of multi-billion dollar companies are.
When it comes to cybersecurity, corporations tend to blunder. Big time.
This year alone, iconic names including Microsoft, Estée Lauder, Nintendo, Facebook and Zoom suffered data breaches that exposed sensitive user details numbering in the hundreds of millions. The holes were swiftly patched up, consumers were duly informed and apologized to and more comprehensive safeguards were installed, but not without significant losses for all parties.
So far, the aforementioned malicious hacks were planned and achieved the correct results — limited for the most part to identity theft and leaked credit card information — as intended by the orchestrators.
But as 2020 has acclimated us to doing, consider the situation from a more sinister angle. What if the hackers messed up? What if they tried to execute an already destructive program that backfired, inflicting direct, life-threatening harm in the process?
A particularly dangerous form of malware, ransomware is precisely what the term implies: It is “designed to deny access to a computer system or data until a ransom is paid,” according to the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security. Kind of like the seafaring pirates of old, except upgraded, and far more capable of widespread turmoil.
Especially if it boomerangs in a way even the creators did not foresee.
Just last Thursday, hackers struck Heinrich Heine University Düsseldorf in Germany. Or so they thought. The address was written in an extortion note found on one of the compromised servers in Düsseldorf University Clinic, a major treatment center, instead.
The bungled cyberattack rendered critical patient data inaccessible, and hospital administration initiated emergency shutdown protocol. The next day, a woman in need of urgent care “was rushed to a hospital roughly 20 miles away, delaying her treatment by about an hour, which resulted in her death.”
When notified of their monumental mishap by local police, the culprits “dropped the extortion attempt immediately and provided a decryption key to unlock all hacked servers.” How kind. Unfortunately, authorities have lost contact with them, and the perpetrators are now once again under investigation for negligent manslaughter.
This incident is not standalone. CISA warns that ransomware attacks have spiked across the globe. The same vulnerability targeted in Düsseldorf University Clinic was exploited by Beijing-based hackers, this time through software and gaming companies, to enable money laundering, identity theft and other fraudulent activities.
This May, celebrities including Bruce Springsteen, Madonna, Mariah Carey and Jessica Simpson fell victim to schemes aimed at their representative law firm Grubman Shire Meiselas & Sacks. Approximately 750 gigabytes of personal information were exposed.
Ransomware scams forced $2 million out of Travelex, a foreign currency exchange company. Similarly, Garmin, the GPS and watch-making company, and even the Texas state court system were sabotaged at a cost of millions of dollars. It is estimated that by mid-2019, ransomware attacks robbed around 150 organizations of nearly $38 million.
Yet these trends belie a more worrisome, and very real, possibility. CISA and BSI, Germany’s cybersecurity agency, both published advisories urging organizations using the defective service that led to the woman’s tragic death to update their network gateways. But the warning came too late, a follow-up to a preventable demise, and governments are notoriously slow to respond to the volume of digital fraud committed every day.
The increasing complexity of these grand, underhanded blueprints further hinders law enforcement’s ability to stay a step ahead of the “bad guys.” So when the scale of these cyberattacks spirals to such an extent that even the masterminds lose control — or go fatally wrong as one already did in Germany — who can resolve the effects before they wind up irreversible?
The main challenge the relevant authorities face is the sheer ease of global connectivity. The internet lacks the very international borders that governments must obtain approval to cross in order to operate abroad, where they lack jurisdiction.
A 2010 issue of The Atlantic that explores the proliferation of a computer worm (still) shrouded in mystery summarizes the situation perfectly: “You have a guy in Russia selling malware, working with a guy in Mexico doing phishing attacks, who’s talking to a kid in Brazil, who’s doing credit-card fraud, and they’re introducing each other to some guy in China doing something else.”
With locations so geographically dispersed, but connections so easily made even as far back as 10 years ago, how can regulation conceivably keep up in time? It would have to blatantly bypass every law sanctified by contemporary democracy, and the world definitely cannot have that.
Modern technology yields an infinite capacity for progress, but it can also very quickly go awry in ways nobody would have predicted. I wonder if the possibility will ever be addressed beyond an “alert” page added to the CISA website.
Sruti Bezawada is a Rutgers Business School senior majoring in marketing and minoring in Japanese. Her column, “Traipse the Fine Line,” runs every alternate Wednesday.
*Columns, cartoons and letters do not necessarily reflect the views of the Targum Publishing Company or its staff.