[ISN] The High Costs of Hacking

InfoSec News isn at c4i.org
Tue Jun 14 12:48:18 EDT 2005


June. 15, 2005 
CIO Magazine 

One fixture of computer break-in stories is the estimated cost of 
these crimes. The price often runs as high as seven figures—totals 
hard to ken for merely pilfering the digits out of a few boxes of 
metal, plastic and silicon.

One source of these high figures is the Department of Justice. Last
year, the agency reported that a one-night hacking spree by a
disgruntled ex-employee set back Cyber City, a computer network
consultancy, more than $100,000 - and that Acxiom, a data broker,
spent more than $7 million to repair 139 remote attacks against its
database by a hacker in Boca Raton, Fla.

Warehouses have burned to cinders, and the damage has been valued at 
less. So are these figures hype?

While it's true that not all network mischief comes at such a high 
price, John Sgromolo, lead investigator for digital forensics at 
Verizon Communications and a former special agent with the United 
States Naval Criminal Investigative Service, says that such large sums 
are the real deal. More or less.

Consider cases in which a hacker brings down a server that's used for 
selling products. "If you're averaging $3,000 an hour on this server, 
that's not hard to figure out based on how many hours it was down," 
Sgromolo says. Then there's the cost of replacing damaged equipment 
and the hours spent on repairs, installation and recovery.

Nevertheless, he admits, these estimates "are fueled by another 
concern: criminal prosecution, including amounts for fines and 
restitution." Prosecutors tend to aim high, he says, while defendants 
argue for dismissing some of the costs.

Even crimes that don't result in lost revenue can rack up significant 
bills. According to The Associated Press, the University of Texas 
spent $167,000 to mop up the mess presumably left by one of its former 
students, Christopher Andrew Phillips, who was indicted last November 
for breaking into UT's student records early in 2003. Phillips 
allegedly hauled off the identities of more than 37,000 students, 
faculty and staff.

Student records may not have a lot of financial value, Sgromolo 
explains, but those records may need to be recreated. In addition, the 
university may have had to hustle to inform the victims, possibly 
requiring extra staff and overtime charges. UT officials weren't 
available for comment.

In sum, there can be more value floating around inside those 
Internet-wired boxes than in a Brink's safe. Therefore, it's more 
important than ever for businesses to make sure their digital property 
is locked up tight. 

More information about the ISN mailing list