Request Legal Help Now - Free


The Debate Over the Cost of Cyber Theft

. By
Vancouver, BCThe cyber-crime underworld is a shadowy place. Exactly what happens to the information when it slips out of the hands of trusted proprietors in a data breach event or in the case of privacy violation is not always predictable, but cyber security experts have a pretty good idea what’s going out there.

“There are so many insecure sites,” says Chester Wisniewski, senior security advisor with the international cyber security company, Sophos. “You could find thousands of them every day if you went looking for them.”

Cyber criminals go looking for exactly those kinds of places.

“It’s coordinated opportunism,” as Wisniewski calls it. “They look for places where people have ‘left the door open.’ They are looking for the juiciest one. The ones they are looking for are ones they can make money from. When they find unlocked doors, they go back and search the domain names to see which ones have information they can profit from in some way,” says Wisniewski.

In 2011, a Canadian human resources company in Toronto called Drake International was the target of cyber theft. Cyber ’nappers broke into company files and found the names, social insurance numbers, addresses, e-mails and reams of other personal information related to some 35,000 of Drake’s clients. They copied the records and destroyed Drake’s computer files.

Rather than sell the information on the information black market, they offered to return the information for $5 million.

“They were being extorted. The company’s data had essentially been kidnapped for ransom,” says Wisniewski. “Drake called the RCMP and reported the kidnapping. They didn’t hide, they refused to play ball. They also ended up having to pay for credit monitoring for all the people whose data was stolen,” says Wisniewski.

“I am aware of other cases where companies in the same situation have paid the ransom to have the data returned,” says Wisniewksi, who declines to divulge names.

In 2009, thieves stole hard drives containing data of one million clients in an after-hours burglary at the Tennessee offices of health care insurance company, Blue Cross.

The company was later fined $1.5 million for not maintaining proper data security. It was also ordered to pay for credit monitoring services for its customers. There is, however, little evidence to show that any harm was done to Blue Cross clients.

Law professor and cyber security expert, Fred Cate, from the University of Indiana’s Center for Applied Cybersecurity, says that there is very little reason to believe that consumers are actually done an economic harm as a result of cyber criminals hacking into databases.

“If it is financial data or credit card data (like the recent Target Stores breach), mostly it is banks or companies that are harmed, not the individual,” says Cate.

TransUnion, one of the three national credit bureaus in the US, reports that the Federal Trade Commission says that there were 9.9 million incidents of identity theft in 2013. The credit bureau says that 19 people a minute fall victim to identity theft, and that it costs on average $500 and takes 30 hours to resolve each identity theft crime.

TransUnion also reports that in 50 percent of all identity theft cases it’s a relative, family member, friend, neighbor or an in-house employee that is the perpetrator of the crime.

“I simply don’t accept that there are no victims here,” says Wisniewski. “In the US, the bank owns the credit card fraud. But in Canada, the UK, Europe, Australia and New Zealand with chip and pin credit cards, the fraud is on the consumer,” says Wisniewski. “They are the ones who pay because the assumption is that they gave someone their pin number.”

“And we don’t know where the Tennessee Blue Cross data ended up,” says Wisniewski. “We’re working on the assumption that no one was harmed but we don’t know. The hard drives were probably sold on eBay. We don’t know if someone looked at the data or sold the data.

“Identity theft is a perpetual nightmare,” says Wisniewski. “You can’t get a new birthday and is extremely rare that you would be given a new social security number in the US. You never know when it is going to be over.”


Data Breach Legal Help

If you or a loved one have suffered losses in this case, please click the link below and your complaint will be sent to a media/telecom lawyer who may evaluate your Data Breach claim at no cost or obligation.


Please read our comment guidelines before posting.

Note: Your name will be published with your comment.

Your email will only be used if a response is needed.

Are you the defendant or a subject matter expert on this topic with an opposing viewpoint? We'd love to hear your comments here as well, or if you'd like to contact us for an interview please submit your details here.

Click to learn more about

Request Legal Help Now! - Free