Yahoo and Others Face Cybercrime-Related Brand Damage

A month after announcing one of the largest data breaches ever, Yahoo is continuing to deal with the subsequent fallout and reputation damage related to that massive cyber theft.

On September 22, Yahoo confirmed that information associated with at least 500 million user accounts was stolen. The day after that breach announcement, Yahoo saw a 474 percent rise in online mentions, according to social media monitoring company BrandWatch — 70 percent of which were negative. Since then there’s been an ongoing swirl of negativity surrounding Yahoo’s breach — from lawsuits to concerned regulators to potential lost users — and that has led to reports that Verizon may either push for as much as a $1 billion reduction in its pending $4.8 billion agreement to buy Yahoo or back out of the deal altogether.

The negativity around the Yahoo brand due to its breach poses a difficult-to-answer question: just how much damage does a cyber-attack actually do to the bottom line of a company?

Difficulty of Tracking Brand Damage

Tracking brand damage directly tied to a cyber incident is a difficult prospect; however, there does appear to be at least one correlation. A survey conducted by SANS for a December 2015 paper, Cleaning Up After a Breach Post-Breach Impact: A Cost Compendium, found that “the breaches receiving the most media attention also suffered the greatest loss in brand/reputation.”

Which comes first in that chicken-or-egg scenario is up for debate, but SurfWatch Labs’ data suggests that, for the most part, it’s the scope and potential damage of breaches that drive the media coverage, not the other way around.

The Yahoo breach is one of the most talked about cybercrime events of the year.

A quick glance at the list of the year’s top trending cybercrime events, based on the number of CyberFacts collected by SurfWatch Labs, shows that the most-discussed targets generally line up with the most widespread and impactful breaches: the Philippines Commission on Elections, LinkedIn, the Democratic National Committee, Yahoo and, more recently, targets of major DDoS attacks.

Other High-Profile Incidents Damage Brands

Like Yahoo, Wells Fargo is dealing with similar ongoing brand issues after reports of employees fraudulently opening more than two million customer accounts dominated several news cycles last month. A survey of 1,500 bank customers by management consultancy firm cg42 found that negative perceptions of Wells Fargo had spiked from 15 percent before the scandal to 52 percent afterwards. Likewise, the number of prospects that were very or extremely likely to consider doing business with Wells Fargo has plummeted from 21 percent to just three percent.

“The short and medium term outlook for Wells Fargo is gloomy, and the fallout from the scandal will impact the bank’s bottom line for years to come,” the report stated.

Wells Fargo is attempting to stem the tide with a new advertising campaign that promises, among other things, to begin proactively notifying customers of new accounts that are opened in their names. That campaign follows the firing of thousands of employees and the resignation of CEO John Stumpf.

Similar resignations have followed other high-profile breaches this year, most notably the breach at the Democratic National Committee, which led to the resignations of chairwoman Debbie Wasserman Schultz, chief executive Amy Dacey, chief financial officer Brad Marshall and communications director Luis Miranda.

The brand damage from a cyber-attack can also move down the supply chain, as we noted last week with XiongMai Technologies, a Chinese electronics company that makes products used in many of the Internet-connected DVRs and cameras tied to the massive DDoS attacks against Krebs On Security, OVH and Dyn. XiongMai said on Monday that it would issue a recall of some of its U.S. products. That recall notice also threatened legal action against individuals and organizations who “defame” the company with “false statements,” but the threat of legal action has been described by some as simply a face-saving PR effort by a company that’s used to operating behind the scenes and selling its white-labeled products to other brands.

Extent of Yahoo Fallout Uncertain

Whether the Yahoo breach will have a direct impact on its acquisition by Verizon remains to be seen. Verizon’s general counsel Craig Silliman told Reuters and other reporters two weeks ago that the incident could trigger a clause in the deal that says Verizon can withdraw if a new event “reasonably can be expected to have a material adverse effect on the business, assets, properties, results of operation or financial condition of the business.”

“I think we have a reasonable basis to believe right now that the impact is material and we’re looking to Yahoo to demonstrate to us the full impact,” Silliman said, adding that Verizon needed to obtain “significant information” before making a final decision.

As cg42 noted about Wells Fargo, the effects of a major cyber incident can take years to fully play out, and even then, it can be difficult to attribute some of the years-long business trends directly back to one cybercrime event.

One takeaway worth noting is that many of the major cybercrime stories that remain in the spotlight each year contain a similar thread: a failure to proactively address cyber risk. That seemingly cavalier attitude around cybersecurity is frequently cited by both data breach litigation and government and private regulators — and it will often prolong a negative story with hearings, lawsuits and a string of news stories that continue to cause brand damage long after the initial incident occurred.

Weekly Cyber Risk Roundup: Executives Scrutinized Over Cyber-Issues

What’s Everyone Talking About? Trending Cybercrime Events

Yahoo was the week’s top trending cybercrime target as the fallout of a breach affecting more than 500 million accounts continues to play out. CEO Marissa Mayer has faced intense scrutiny from lawmakers and others over the handling of the company’s cybersecurity.

A Wednesday New York Times article citing a group of current and former employees painted a picture of Mayer as a CEO who often clashed with the security side of the organization over spending and refused to take action in several instances – including rejecting an automatic reset of user passwords after discovering a breach.

“Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services,” the Times wrote.

A group of senators issued a letter to Mayer calling the two-year gap between the initial breach and announcement of the breach “unacceptable.” Sen. Mark Warner is also urging the Securities and Exchange Commission to investigate whether Yahoo properly informed investors of its data breach after reports surfaced indicating that Mayer was aware of the breach as early as July of this year.

“Yahoo has been engaged in an effort to sell its Internet business, including the unit affected by the breach, to Verizon since at least July 25, 2016, yet Yahoo reportedly did not inform Verizon of the breach until September 20, 2016,” Sen. Warner wrote in a letter to the SEC. “More puzzlingly, the company noted in a proxy statement as recently as September 9, 2016 that, ‘To the knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems.’”

Mayer isn’t the only CEO to come under fire from lawmakers this week. Wells Fargo CEO John Stumpf has become the butt of jokes on late night talk shows after being publicly lambasted by members of the House Financial Services Committee over the bank fraudulently opening more than 2 million customer accounts without their knowledge. Sen. Elizabeth Warren has repeatedly called for Stumpf to resign, and Rep. Michael Capuano said yesterday that Stumpf is “clearly and unequivocally guilty” of a range of crimes related to the scheme, including conspiracy to commit fraud, conspiracy to commit identity theft and racketeering. The backlash led to Wells Fargo announcing this week that Stumpf and former head of community banking Carrie Tolstedt would not receive a total of $60 million in unvested equity awards.

In addition to angry lawmakers, a group of former employees is suing the company, saying that they were forced to choose between either committing fraud by opening unauthorized accounts or losing their job. That lawsuit adds to a growing list of lawsuits that have been filed against both Wells Fargo and Yahoo.

[Chart: newly seen cybercrime targets]

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart above.

Cyber Risk Trends From the Past Week

[Chart: cyber risk scores]

The financials sector was among the biggest risers in cyber risk this week as its SurfWatch Labs cyber risk score rose nearly 5.7 percent compared to the previous week. Much of that was driven by chatter on the Dark Web and data leaks such as the one impacting California investment bank WestPark Capital.

On Sunday, a hacker or group of hackers known as TheDarkOverlord released about 20 files allegedly stolen from WestPark Capital after an unsuccessful ransom attempt against the company. In a Pastebin post, they also claimed other groups were using their name to perform attacks.

[Image: TheDarkOverlord Pastebin post]

The “signature” business proposal referenced in the Pastebin post is likely similar to the series of extortion attempts the group made earlier this year against various healthcare organizations. TheDarkOverlord has frequently used the media and leaked samples of stolen data to build up a reputation as a legitimate threat and to put pressure on victim companies in hopes that they will decide to pay the group’s ransom demands.

This is the first instance SurfWatch Labs has observed TheDarkOverlord targeting financial organizations, but – if the group’s Pastebin post is to be believed – the media attention is leading to copycats using both TheDarkOverlord’s name and extortion methods. Similar attacks may occur in the future.

Other trending cybercrime events from the week include:

  • State-Sponsored Actors Target Government: Data breaches previously attributed to nation-state actors trying to de-legitimize the outcome of the upcoming U.S. elections have widened. Law enforcement officials now believe about 10 state election databases have had their systems probed or breached, and the FBI is reaching out to some Democratic Party staffers to investigate possible hacking into cell phones. However, despite all the attention on state-sponsored actors, a new SurfWatch Labs report noted that hacktivists tend to make up the bulk of government-related cyber-attacks, such as the Monte Melkonian Cyber Army leaking data claiming to be from Azerbaijani military, police and bank servers this week.
  • Employees Continue to Cause Data Breaches: A former Verizon Wireless technician pleaded guilty to using Verizon computer systems to access call records and locations of customers and then sending that information to a private investigator. Congressman Mike Honda is suing Ro Khanna, the man he’s running against in the November 2016 election, over a former intern allegedly stealing thousands of donors’ information from an old Dropbox account years after his access should have been revoked. A former employee of Alberta Hospital Edmonton inappropriately accessed the records of 1,309 patients over an 11+ year period. A former employee of Mastic Beach village impersonated the chief of police and illegally accessed information on 488 Mastic Beach residents. Sensitive Medicare information on Australian citizens was uploaded to the Internet several months ago, potentially putting patients at risk. A software update to the Alberta College of Paramedics’ (ACP) navigation portal led to a security breach.
  • Hackers Cause Plenty of Data Breaches Too: A hacker said he downloaded more than 2.2 million email addresses and plaintext passwords from social hangout site i-Dressup and that the entire database of 5.5 million entries could be stolen using an SQL injection attack. The entire Florida Bar Association database appears to have been stolen including email addresses, phone numbers, fax numbers, mailing addresses and more, according to databreaches.net. NZME, a media company in New Zealand, said that details of competition entrants may have been accessed due to a cyber-attack on a third-party cloud server. Software company Jive is asking some users of its task management software Producteev to reset their passwords after an August data breach that exposed some email addresses and passwords.
  • Worry Over Terrorism and Hacking: A hacker who helped to publish a “kill list” of 1,300 U.S. military and other government personnel has been sentenced to 20 years in prison. “This case represents the first time we have seen the very real and dangerous national security cyber threat that results from the combination of terrorism and hacking,” said Assistant Attorney General Carlin.