In late November 2016, a then-anonymous hacker accessed the San Francisco Municipal Transportation Agency’s (SFMTA) network and opened the system up for free rides to all takers.
The hacker demanded a ransom payment of approximately $73,000, payable in bitcoin, to release the system. In a rare turn of events, two days after the hack occurred, a security researcher turned the tables and hacked the hacker, changing his email password and closing access to his email account.
Unlike many cybercriminals, the SFMTA hacker left enough clues about his identity to allow the researcher to figure out his email address and to guess the answers to the hacker’s security questions.
Like the great majority of hackers, the SFMTA hacker has not been apprehended. An analysis of his email account suggests that the hacker successfully extorted an aggregate of more than $140,000 from his targets, using the forms of ransom attack that he used against the SFMTA. Analysts believe that the hacker lives in Russia or the Far East, making it unlikely that he will be caught by U.S. authorities.
The few hackers that have been caught have typically received prison sentences ranging from a few months to a few years, along with restitution orders and restrictions on their ability to use the internet.
In one of the more noteworthy early U.S. cases, the FBI detained Kevin Poulsen without bail for more than five years while they developed evidence against him, but were ultimately able to charge him only with money laundering and wire fraud. Poulsen was released from detention and was barred from using a computer for three years. He used his hacking experience to develop a new career in investigative technical journalism.
U.S. prosecutors have successfully prosecuted a few other high-profile hackers, landing them in prison for several years. Kevin Mitnick spent five and a half years in prison after he was convicted of stealing more than 20,000 credit card accounts.
Albert Gonzalez was sentenced to 20 years in prison for credit card thefts that led to millions of dollars in losses. Jeanson James Ancheta received a 57-month prison sentence for his role in a 14-month cybercrime spree. Ancheta was also ordered to forfeit his car and $60,000 in cash, and to pay restitution of $15,000 to the U.S. government.
Hackers who are apprehended typically make the news because they are unusual: so few hackers get caught. Minnesota-based Computer Forensic Services estimates that less than one percent of all hackers are ever caught.
Whether this is the result of ineffective law enforcement or the hackers’ ability to remain anonymous is an open question. It does suggest that businesses should not rely on a hacker leaving tracks that might lead back to the hacker and to the recovery of any information or resources that the hacker might steal.
Businesses that are potential targets for hackers should instead erect all possible barriers to cyberattacks in their information systems and networks. As a final backstop, businesses can obtain cyber coverage to insure them against economic losses that result from a cyberattack.
Cyber insurance coverage
Cyber insurance can cover a business’ direct losses, including loss of any physical or electronic assets that are destroyed in a cyberattack, as well as third-party losses from customer or vendor accounts that are stolen or compromised in the attack.
Cyber insurance carriers can also help covered parties to identify areas where their electronic systems are most at risk, and can help mitigate exposure and potential losses from those risks.
No business is immune from hackers, and all businesses are taking immense risks if they fail to protect themselves from a hack attack.
Cyber insurance coverage can be the difference between surviving a hack attack and losing a business altogether.