Don’t be fooled by appearances. Today, hackers like him pose perhaps the greatest threat to business, stealing customer data on behalf of their highly organised criminal paymasters. So what can businesses do to protect themselves? Rob Brown reports



They used to wear masks and tote shotguns. Today they sit in darkened rooms studying computer screens.

But this new breed of thief is just as dangerous. Theirs is a world of slaves and zombies, brute force attacks and insidious injections. Their quarry, the personal details of online shoppers, is worth billions. And retailers beware: the hackers have you in their sights.

No-one is safe. Marks & Spencer along with as many as 50 other clients of email marketing company Epsilon, including US retailer Best Buy had thousands of its customers' details stolen at the beginning of April, making the High Street giant the latest in a growing list of British businesses to have fallen foul of the cyber-thieves.

Then came the theft of the personal details, including sensitive financial data, of more than 100 million Sony customers. For the hackers the prize could be worth millions. For Sony the damage could be irreparable. The hacking of a $78bn global giant can leave no-one in any doubt that business has a new worst enemy.

Gone are the days, if they ever existed, when the ranks of the hackers were made up largely of anti-establishment geeks sitting in their bedrooms breaking into computer databases just to prove a point. Today they're often in the pay of criminal gangs and with UK online grocery sales set to be worth £7.2bn by 2014, twice their value in 2010 [IGD], the supermarkets are high on the hacking hit list.

One retailer in particular should be watching its back. "Tesco is the crown jewels for hackers," says Neil O'Neil, a digital forensics investigator at the Logic Group. "It's collecting millions of credit card details every day and storing them in a database. The trophy is to get into that."

So be alert: it's only a matter of time before another UK retail giant falls victim to the hackers, warn experts. The value of the data stored by businesses, ranging from email addresses through to credit card and bank details, is huge.

Email addresses are also highly sought after and hackers don't have to steal a lot of data to cause serious damage, says Bill Bailey, senior manager for payment security at Worldpay. "Breaches can be hugely disruptive, painfully expensive and devastating to a business's reputation," he says. "Even when there's been no card data taken there remains value in personal data."

The risk to consumers is also enormous. Validated email addresses that's those in regular use by named individuals can sell for as much as 10p a piece, says Colin Tankard, MD of online security company Digital Pathways. They can be used by criminals to send spam emails containing a wide and constantly evolving range of viruses (see boxes) designed to rob or dupe victims.

"If a hacker sends out three million emails and gets a few people sending back £400 each, you can see why these validated email addresses are such a valuable commodity," says Tankard. "The value of being able to get on someone else's machine to a hacker is huge you might find they have people's credit cards on there."

Whoever hacked Sony stands to become very rich indeed, not just at Sony's expense. With many people now using work PCs for personal use, thieves could also hit the jackpot by using information particularly passwords gleaned from the initial attack to accessing the databases of other businesses. Their potential spoils are as limitless as the internet itself.

Yet, claims Tankard, many UK businesses are "lackadaisical" in their approach to cyber-security. Their attitude couldn't be more different from that of their peers on the other side of the pond, where businesses are now not just forking out millions on cyber-security, but also insuring themselves against data breaches.

The reason for the different tack? Cold, hard cash. US law requires businesses to notify those who are likely to be affected by a data breach a costly exercise in itself, but it also then opens companies up to the risk of litigation from affected parties and hefty fines from the regulators.

Epsilon, the company involved in last month's M&S leak, "could find themselves in a world of hurt", says Ben Beeson, a partner at insurance provider Lockton who specialises in cyber-liability. "It was a major breach. How much it damages them will come down to the regulation and how much litigation in the US comes out. It could blow them out of the water."

UK businesses that believe the risks are not as great here face a rude awakening. European legislators are currently considering adopting a more US-style approach to cyber-crime via a draft E-Privacy Directive, legislation which, if enacted, will require ISPs and telecoms companies to make breaches public. This could pave the way for further legislation covering other businesses, prompting more companies to invest in protection against attacks.

"In the UK the reason you don't have to tell people if you've had a breach has held people back from buying insurance," says Beeson. "I wouldn't be surprised if, in the next five years in UK retail, 50% of companies were insuring themselves, if not more. Only one or two per cent are today."

Of course, insurance is no replacement for tight security. And while standards such as the Payment Card Industry Security Standard have been widely adopted by British businesses, things are far from tight. It's a point illustrated by Horizon's finding that 19% of British businesses hacked in 2008 were PCIDSS compliant, and by the hacking of web security companies RSA and Barracuda this year. "If security companies can't look after themselves, how can the likes of M&S?" asks Tankard.

Given that the risks associated with data leaks are set to increase in coming years, the implementation of robust security procedures is one that businesses especially those in the food and beverage industry, which accounted for 57% of breaches in 2010 [Trustwave] need to get to grips with.

And that means companies need to ensure that once inside a network users are not given free rein. "It's no good just having a lock on the front door," says Tankard. "You need them throughout the house."

TJX, the parent company of cut-price fashion retailer TK Maxx, found this to its cost in 2006. By simply hacking into the local wireless network of a US store thieves managed to find their way into the company's global IT system. Insufficient internal security resulted in the theft of the card details of more than 46 million customers, costing TJX an estimated £500m.

With hackers getting ever more adept at breaking into systems (O'Neil says wireless networks can be compromised in just 30 seconds) and the growing number of businesses relying on third parties for data storage and system administration (according to Trustwave, 88% of systems compromised in 2010 were managed by third parties), the need for companies to keep a close eye on who has access to what has never been greater.

And the growth of cloud computing the storing of data and applications online means an increasing amount of data is being put in the hands of third parties, who could in turn be outsourcing to their own partners. "People are almost washing their hands and saying now it's someone else's problem," says Tankard. "But it's not." The companies that gathered the data in the first place are liable for any breach.

But even the experts admit the odds are stacked against them in the war against the hackers. "It's getting to the stage that you don't know what to trust anymore," says O'Neil, pointing to the recent hacking of Visa and Mastercard's 3D Secure system for online card transactions with the so-called Zeus Trojan. "It spoofed 3D Secure pages, so people have been giving their details to the hackers. It's a big, big worry."

Others suggest business will always be one step behind the crooks. "Introduce a new security measure and someone will find a way around it," says Andrew McClelland, director of operations and regulatory affairs at e-retail trade organisation IMRG. "It's inevitable that we'll see more organisations fined for data breaches. The big question is, are the costs going to get bigger? There's a good chance they will."

As commerce continues to move online, the spoils for business's new worst enemy are only going to grow. Retailers beware the war for your customer data has only just begun. 


Hacking: the deadly seven

Dos attacks
Brute force. DoS (denial of service) attacks target websites by simply flooding them with more traffic than they can handle, causing them to crash. Can cost victims millions in lost revenue.

Worms
Self-replicating and virulent malware of many forms. At best, they simply slow systems by eating up bandwidth. At worst, they drop devastating payloads, such as 'back doors' to link PCs to the feared botnet.

Botnets
The ultimate killer app. A botnet is a group of infected PCs (known as bots or zombies) that can be mobilised by 'bot herders' to launch any number of malicious programmes or attacks (see below).

Zeus Trojan
Often the devastating payload of Botnets, Zeus was 2010's online enemy number one. It poses as legitimate web pages to steal info by logging key strokes and copying form data. It's stolen millions.

SQL injections
Simple. Deadly. Structured query language is spoken by web login pages and the data-bases they're linked to. By crafting specific SQL commands, hackers can skip the login process to steal data. Increasingly popular.

Logic flaws
Complex but effective. By exploiting holes in the logic governing sites, crooks can shop for free. By submitting fake data to buy vouchers and open Amazon seller accounts, hackers recently bought goods for nothing by using a fellow seller's store. Cunning.

X-site scripting
The growing sophistication of websites is making some more vulnerable. 'Dynamic' sites (those allowing users to upload data onto them) run the risk of being injected with scripts, allowing hackers to steal site users' data or change web content.


Geek speak – a dummy’s guide
Cracker
One who cracks IT security for malicious reasons. See hacker

Daisy chaining
Cracking a network to access many more in order to avoid detection

Dictionary attack
A means of cracking weak passwords by applying words from an exhaustive list or 'dictionary'

Hybrid attack
Like the above, but adds numbers or symbols to words

Hacker
Strictly speaking, anyone with an interest in computing (Bill Gates has been described so). Now commonly means cracker

Logic bomb
Code inserted into software to trigger a malicious act

Malware
Short for any kind of malicious software

Phishing
Masquerading as a trusted source in order to steal sensitive info

Ransomware
Malware that in effect holds users to ransom, charging to remove malicious code from systems it's infected

Spam
Unsolicited bulk messages. Origin unclear

Security by obscurity
The tactic used by some bodies with security holes: ignoring and hoping no-one finds it

Super user
A system administrator. The profile's extra privileges make it a prime target for hackers

Trojan
A hostile app posing as benign

White hat
An ethical hacker who works to secure clients' systems. As opposed to black hat, a malicious hacker