Hacker cartoon

The dangers of hoax security breaches

A fake hack attack can be as damaging as a real one and they're becoming increasingly common.

A falsified attack on entertainment retailer Game earlier this year highlighted the serious damage a fake hack can do to a business. Reports at the time discussed a hack on the entertainment retailer, suggesting its customer database had been compromised and its customer contact details leaked on PasteBin.

Tellingly, while many of Game's peers and consumers were aware of Game's involvement in a high-profile security story, few will have known that the games business was the innocent victim of a malicious hoax, instead assuming that Game was at fault.

And therein lies the problem. Hoax hack attacks – when a party falsely claims to have compromised a firm's security and releases fictional data to the press and public – are capable of causing the same amount of damage as genuine attacks at a much lower cost to the perpetrator because the general public take news on face value.

Within 24 hours it became apparent that the leaked information had nothing to do with Game. An official statement confirmed so, proving the attack had been falsified.

By this point – even though it was only a day later – the damage to Game's reputation had already been done and many will have judged them falsely as an unsecure e-tailer to shop with. For some brands, damage on this scale would be irreparable.

The culprit of the hoax isn't yet known but research by experts tells us the potential perpetrators are varied and often associated with your business.

Ex or disgruntled employees, competitors and unhappy customers are all capable of something like this as well as the usual hacking groups – script kiddies, hacktivists or organised cyber crime units. We've seen hackers demand payment from firms to avoid being victim of a real hack. In fact, those offenders don't have to follow through with a genuine attack – they can have the same impact by faking one.

The ease of sharing information over the Internet, especially through social media, means that no matter how quickly a business denies the attack, it is likely to have already spread across the net – creating a permanent and searchable record of a hack that never happened.

The affected business must also then absorb the cost of crisis management to mitigate the bad PR. It's impossible to put a cost on that kind of reputational damage to a brand but there are things you can do to limit it.

Check the evidence as soon as a threat presents itself. Get someone involved to check the vulnerability and publicise what you find. Address it and keep your clients informed. The worst thing you can do is ignore it and delay your response. Take advice from lawyers if you're unsure.

Develop good relations with your clients, industry contacts and, importantly, journalists so they will check the facts before they publish the story. Make it clear on your website and through social media who the point of contact is for queries.

The knock-on effects of genuine attacks have seen businesses, including DigiNotar – the Dutch certificate authority – file for bankruptcy following hack attacks due to irreparable damage on their brand reputation.

The most concerning thing highlighted by the Game hoax hack is that it could be done to anyone, by anyone. The main message is an age-old one – prevention is better than cure. Make sure you've got the right security in place so you can be confident that any suggestion you've been hacked is unlikely.

Have all of the documentation in order that proves you take security seriously – you can present this quickly if a rumour emerges that your security has been compromised. Be aware of where your brand is. Think about who you are connecting to on social media and justify why you are connected to them. Think about what you post on Twitter – there's no delete in social media. And of course, be aware of your company or employees posting inappropriate content that could entice unwanted retaliation.

Stuart Coulson is director of data centres for internet hosting firm UKFast

(www.ukfast.co.uk).

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them

Close