The most important statistic about 2017’s cyber attacks is that they’re expected to cause $5 billion worth of damages. That’s a staggering fifteen-fold increase over just two years ago.
The future looks equally grim: cybercrime damage is expected to hit $6 trillion annually by 2021, with cybersecurity spending to hit $1 trillion over the next four years. And the industry is going to need 3.5 million new cybersecurity workers to clean up the mess.
WannaCry was a ransomware attack that spread rapidly in May of 2017. Like all ransomware, it took over infected computers and encrypted the contents of their hard drives, then demanded a payment in Bitcoin in order to decrypt them. The malware took particular root in computers at facilities run by the United Kingdom’s NHS.
Malware isn’t anything new, though. What made WannaCry significant and scary was the means it used to propagate: it exploited a vulnerability in Microsoft Windows using code that had been secretly developed by the United States National Security Agency. Called EternalBlue, the exploit had been stolen and leaked by a hacking group called the Shadow Brokers. Microsoft had already patched the vulnerability a few weeks before, but many systems hadn’t upgraded. Microsoft was furious that the U.S. government had built a weapon to exploit the vulnerability rather than share information about the hole with the infosec community.
Petya was just another piece of ransomware when it started circulating via phishing spam in 2016; its main claim to fame was that it encrypted the master boot record of infected machines, making it devilishly difficult for users to get access to their files.
Then, abruptly in June of 2017, a much more virulent version of the malware started spreading. It was different enough from the original that it was dubbed NotPetya; it originally propagated via compromised Ukrainian accounting software and spread via the same EternalBlue exploit that WannaCry used. NotPetya is widely believed to be a cyberattack from Russia against Ukraine, though Russia denies it, and the incident opens up a possible era of states using weaponized malware.
2015 – Anthem Blue Cross Blue Shield and Premera Blue Cross suffered data breaches that exposed the PII of approximately 78 million policyholders and cost those companies hundreds of millions in remediation expenses. In June 2017, Anthem agreed to pay $115 million to settle lawsuits arising from the breach. However, the total cost Anthem incurred was more than triple that amount and included $230 million for costs associated with incident response and $128 million for post-incident cybersecurity enhancements.
In Massachusetts, there may be “a civil penalty of not more than five thousand dollars for each such violation” and the person may also be required to pay “reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees.”
The penalties assessed in the cases settled so far have varied, based, to a degree, on the number of affected consumers.
A Boston restaurant settled a case for $110,000 in which the personal information of “tens of thousands” of customers was compromised, while a South Shore, MA hospital settled a case for $750,000 in which the personal information of 800,000 individuals was compromised. A property management firm was ordered to pay $115,000 after the theft of a laptop that contained the personal information of a mere 600 Massachusetts consumers.
Although the law allows private consumers to file lawsuits, they would have to prove actual harm, rather than claiming the civil penalty. So far, there have been no successful private causes of action. The real risk to data owners and licensors is being sued by the AG.