ACCT 326 Writing Assignment #4
When global firms like Home Depot and Target become prime targets
for hackers, the attacks themselves become front-page news. Firms
like these have invested a ton of resources (financial and
non-financial) to prevent such an attack, but the attack is
successful. Financial and personal data have been compromised, and
now everyone wants answers. Your challenge is to argue the position
of whether or not companies should be held liable for losses
sustained in a successful attack made on their AIS applications
(sales, billing, cash collections, credit, etc.) by
hackers. In support of your argument,
locate at least two cases where hackers breached a firm's AIS (or
business system). Your first case must be either the Home Depot or
Target case. The second case must be a case that involves a global
entity. Your paper will consist of the following sections:
- Part I: What are the main facts from Case #1 (either Home Depot
or Target, but not both)?
- Part II: What was the firm’s response to the attack and why (or why not) do you agree with their response?
- Part III: What are the main facts from Case #2 (remember, your case has to be a global one)?
- Part IV: What was the firm’s response to the attack and why (or why not) do you agree with their response?
- Part V: In general, why should the firm be held liable (or not held liable) for losses sustained by customers, employees, and suppliers per an attack by hackers?
- Part VI: In general, what can we learn from attacks by hackers, especially those who focus on ransomware?
Solution:
Part I
The main facts from the case of Target are: the credit and debit card records of more than 40 million Target customers were stolen by the hackers. The hackers installed malware on the company's network and used it to steal the information. When the breach was announced, Target's sales took a major hit and its profit for the quarter fell 46 percent. Target agreed to pay $10 million to settle a lawsuit brought by shoppers affected by the breach.
Part II
Target's response was to keep the details confidential and not disclose the breach to the public and its customers. We cannot agree with such a response because, when it comes to data breach response, open, honest and timely communication plays a major role. Target should have told its customers first, instead of the news being broken by an investigative journalist. Brian Krebs, the journalist, exposed it when he noticed a cache of credit card numbers for sale on the darknet.
Part III
The main facts of the case of JPMorgan Chase (a global entity) are: the computer networks of JPMorgan Chase were infiltrated in a series of coordinated, sophisticated attacks that siphoned off gigabytes of data, including checking and savings account information.
JPMorgan Chase said account information of 83 million households and small businesses was compromised. Authorities said the same hackers tried to gain access to the systems of at least a dozen other financial institutions.
In the JPMorgan attack, the bank said it found no evidence of any fraud or misuse of customer information. JPMorgan said the hackers got access only to customer email addresses, home addresses and phone numbers, but nothing of a more sensitive nature such as Social Security numbers.
Part IV
The response of JPMorgan Chase was to clean up its systems following the attack, lock them down to prevent further attacks of this nature, and decline to offer free credit monitoring or identity theft protection services to customers whose data was stolen, since no financial or account information was compromised. We cannot agree with such a response because banks are expected to be secure and are subject to so much regulation; hence they have to go on the offense and make sure everyone on the staff is really aware and does not ignore the signs when they suspect something is not right.
Part V
The firm should be held liable, and not the customers, because the customers shared their information placing their trust in the regulatory environment of the banks or firms.
Part VI
The various lessons to be learnt include training your people to create awareness about malicious links and similar lures, blocking ransomware with threat intelligence, detection driven by behavioral analysis, and responding with dynamic playbooks.