House Energy & Commerce Committee Republican leadership said Thursday (Aug. 19) that they had big issues with the theft of data from T-Mobile, saying Congress has to pass privacy legislation ASAP.

“The T-Mobile data breach is of serious concern. While we have more to learn to determine how this breach happened and its potential wide-ranging consequences, we urge all companies to do everything they can to safeguard and protect American’s personal information," they said in a statement.

"They" were E&C ranking member Cathy McMorris Rodgers (R-Wash.), Communications and Technology Subcommittee ranking member Bob Latta (R-Ohio), and Consumer Protection ranking member Gus Bilirakis (R-Fla.).

They pointed out that last month the committee approved bipartisan legislation to promote cybersecurity information sharing.

That appeared to be a reference to H.R. 4046, the “NTIA Policy and Cybersecurity Coordination Act,” which would authorize the NTIA's Office of Policy Analysis and Development and re-christen it the Office of Policy Development and Cybersecurity.

The office administers the network security information sharing program established by Congress in the Secure and Trusted Communications Act. It passed along with a raft of tech/cybersecurity bills last month.

But they said more needs to be done. "We need to build on that work to protect Americans’ privacy. This breach is yet another example of why Congress must pass a national privacy and data security law. We need strong national standards that ensure industries can innovate, strengthen cybersecurity and data privacy, and keep up with the evolving ways bad actors steal personal information.”

Both Republicans and Democrats have argued for national legislation, but have yet to agree on just what should be in that law.

The FCC is reportedly investigating the T-Mobile data breach the company acknowledged this week.

T-Mobile said that after a report that data was stolen, it found and closed what it concluded was the access point for the cyberattack.

The company said that account information for about 7.8 million postpaid customers had been stolen, as well as north of 40 million records from former or potential customers who had applied for credit with T-Mobile.

The company said the good news was that no "phone numbers, account numbers, PINs, passwords, or financial information" were stolen.

The company is offering two years of fee identity protection and recommending that all postpaid customers change their PIN, even though it has no evidence postpaid customer PINs were stolen.

It is also creating a web page for "one stop" information on customer data protection.

The bad news is that about 850,000 prepaid customer PINs and phone numbers were exposed, but T-Mobile said it has reset al of those accounts.

"We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack."

Rhode Island is suing Google over a data breach the state said compromised the information of 52.5 million users.

That is according to the office of Rhode Island General Treasurer Seth Magaziner—the state's pension fund is invested in Google.

The pension fund filed a motion with the court to head a class action shareholder suit after it was reported that Google execs had not disclosed the breach, which involved the Google+ attempt by the company to capture some of the social media market. The effort failed and Google announced in October it was shuttering the service, a move that came after claims it had hidden security vulnerabilities that led to the breach.

"Google had an obligation to tell its users and investors that private information wasn't being protected," said  Magaziner of the suit. "Instead, Google executives decided to hide the breaches from its users and continued to mislead investors and federal regulators. This is an unconscionable violation of public trust by Google, and we are seeking financial restitution on behalf of the Rhode Island pension fund and other investors."

The state's move came the same day that Google CEO Sundar Pichai was probed on Capitol Hill on issues including breaches and data security.

The massive data breach Marriott has just revealed has prompted new calls from Capitol Hill for the government to step in and protect the massive amounts of consumer and other data online, whether from hotel chains or Big Tech data collectors.

“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans," said Sen. Mark Warner (D-Va.), vice chair of the Senate Intelligence Committee and co-founder of the Cybersecurity Caucus. "Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”

That was seconded by Sen. Richard Blumenthal (D-Conn.), ranking member of the Consumer Protection Subcommittee. 

“Marriott’s failure to prevent the theft of private data has placed hundreds of millions of customers at significant personal and financial risk," he said. "The apparent failure to detect and remove hackers from its systems for four years calls into question whether Marriott took the security and privacy of its customers seriously.... Once again, Americans are left to pay the substantial cost of corporate negligence. Congress must move forward to end this cycle of broken promises. We must set clear consumer data protection standards for all companies — whether they’re hotel chains, online retailers, or big tech — and severe penalties for those who fall short.” 

Just this week at an oversight hearing, Blumenthal slammed the Federal Trade Commission for not doing enough to companies accountable for breaches. He said that hearing was about whether the FTC was ready and willing to take on hard problems and "robustly" protect privacy, something he suggested they have not had either the resources or the will to do up to this point.

“Checking in to a hotel should not mean checking out of privacy and security protections,” said Senator Ed Markey (D-Mass.) another veteran voice for privacy protections (as well as a noted phrase-turner). "Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks. Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon. The American people deserve real action. It’s time for Congress to pass comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to only collect the data they actually need to service their customer, and creates penalties for companies that fail to meet them.”

Marriott Friday disclosed what it called a "Guest Reservation Database Security Incident" That translated to a hack of the information of about a half-billion of those guests. The information included for some or all of those guests credit card numbers, name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

While the credit card numbers were encrypted, and that it is a two-step decryption, Marriott said it could not be sure the thieves did not get both of those, too.

Marriott reported the incident to law enforcement as well as outlining it on its Web site.

Marriott was informed in September of a possible breach, and found on investigation it dated from 2014.

“We deeply regret this incident happened,” said Marriott president Arne Sorenson. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Consumer Watchdog used the breach to pitch California's Consumer Privacy Act, which passed earlier this year.   .“Currently many companies opt for inadequate data security because it’s cheaper than the consequences of a data breach,” said Privacy and Technology Project Director John M. Simpson. “The Consumer Privacy Act fixes that and would hold companies accountable.  That’s why big business and big tech are fighting to weaken it.”

The Justice Department said Wednesday (March 15) that it has indicted two members of the Russian Federal Security Service (FSB), the successor to the KGB, an intelligence agency of the Russian Federation, and two outside hackers, in the theft of about 500 million Yahoo accounts in 2014.

The two Russian officials, Dmitry Dokuchaev and Igor Sushchin, "protected, directed, facilitated and paid criminal hackers [Alexsey Belan and Karim Baratov] to collect information through computer intrusions in the United States and elsewhere," the Justice Department said.

“Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history,” said Attorney General Jeff Sessions in announcing the multicount indictment by a grand jury of the Northern District of California. “But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”

"People rightly expect that their communications through Silicon Valley internet providers will remain private, unless lawful authority provides otherwise," said U.S. Attorney Brian Stretch for the Northern District of California. "“Working closely with Yahoo and Google, Department of Justice lawyers and the FBI were able to identify and expose the hackers responsible for the conduct described today, without unduly intruding into the privacy of the accounts that were stolen. We commend Yahoo and Google for providing exemplary cooperation while zealously protecting their users’ privacy.”

The indictment comes as members of Congress are looking into both that hack, another Yahoo! breach and allegations the Russians hacked Democrats' email accounts to influence the 2016 election.

Yahoo! agreed to cut the price Verizon is paying to buy the company by $350 million in light of its two breaches.

The hackers targeted "accounts of Russian and U.S. government officials, including cybersecurity, diplomatic and military personnel," according to the indictment. In addition, they targeted "Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities."

Ironically, the FSB unit that the indicted officials worked for is the point of contact for the FBI in Moscow for cybercrime matters.

Verizon Communications added about 36,000 Fios TV customers in the third quarter, reversing a loss of 41,000 video customers in Q2 spurred by a six-week strike over the summer, while it tried to calm  investors worried about its wireless resale agreements with cable operators and its pending $4 billion purchase of Internet icon Yahoo.

The Fios TV growth was expected – analysts’ consensus estimates were for 28,000 additions. The telecom company also added about 90,000 Fios Internet subscribers in the third quarter, outpacing analysts’ expectations of 62,000 additions.

Verizon chief financial officer Fran Shammo, who announced his intention to retire at the end of the year, fielded questions from analysts about its wireless Mobile Virtual Network Operator (MVNO) agreements with Comcast and Charter. Comcast said it activated its MVNO deal last October and plans to have a wireless product by the middle of next year. Charter Communications, which had Verizon MVNO rights via its purchase of Time Warner Cable in May, said it too has activated those rights.

The MVNO deal are the result of the 2011 sale of wireless spectrum by SpectrumCo (which included Comcast, Time Warner Cable and Bright House Networks).

An MVNO would allow Comcast and Charter to basically resell Verizon’s wireless service under their own brand. It would also allow them to utilize the Verizon wireless infrastructure for a hybrid cellular-WiFi offering.

In a research report just prior to Verizon’s release of Q3 results Thursday, MoffettNathanson principal and senior analyst Craig Moffett wondered if the MVNO deal gave an advantage to the cable operators, by allowing them to offer a similar quality service at a reasonable price.

Moffett continued that it is more likely that the MVNO deal could lead to a later alliance between cable and Verizon.

“Wouldn’t the simplest reading instead be that the MVNO agreement speaks to building bridges, not moats?” Moffett wrote.       

An alliance could have obvious advantages – Verizon could profit from cable’s imbedded wireline infrastructure and the cable companies could benefit from Verizon’s best in class wireless service.

Shammo, in what is likely to be his last quarterly earnings call at Verizon, said its eyes were open when it did the deal severbal years ago.  

“This is a wholesale agreement, and as Lowell [McAdam, CEO] and I have repeatedly said we would do the agreement again today if we had to. It’s a good agreement for V W— it’s a wholesale agreement,” Shammo said. “I can’t speak to the economics of what they’re going to do. The wireless pie continues to grow, everyone wants to get a piece of this pie, [and] the industry itself will continue to grow around that pie. It’s not like I believe the industry with the carriers will lose share to anyone. I just think there’s going to be more opportunity for growth.”     

While the wireless pie gets bigger, analysts and investors are wondering whether the purchase price of Yahoo may shrink. Verizon agreed to buy the Internet search icon in July for $4.8 billion, but that was before Yahoo revealed it had been the target of a massive data breach. In September, Yahoo said more than 500 million accounts had been hacked, including customer addresses and passwords. The scope and cost of the breach is still to be determined, but some have speculated it could result in Verizon shaving as much as $1 billion from the purchase price.

Shammo reiterated Verizon’s earlier statement that it believed the breach could be a material event, but said the companies’ lawyers were just starting to look into it.

“We are still evaluating what it means for this transaction. This was an extremely large breach that has received a lot of attention from a lot of different people. We have to assume it will have a material impact on Yahoo,” Shammo said, adding that lawyers had their first call about the matter Oct. 19.

“From what I understand, that's going to be a long process," Shammo continued. “Unless Yahoo comes up with different processes, it’s going to take some time to evaluate this. Until then, we haven’ t reached any final conclusions around this issue.”    

“This … is … bad.”

The chief information officer at Liberty Global, Veenod Kurup, mouthed those words, mostly to himself, as he saw the Guy Fawkes mask of Anonymous appear in the YouTube video.

It was bad enough that there was an outage in the system, and a big one. Hundreds of thousands of homes and counting — eventually 2.2 million, or nearly two of every three of Liberty’s Netherlands broadband subscribers — were now essentially unplugged.

Worse, the cause wasn’t a late summer storm or a lightning strike, but something far more devious: a breach in the company’s cyber defenses through an overwhelming distributed denial-of-service (DDoS) attack on company servers.

Transfixed by the video, Kurup and other executives realized the unfolding tech nightmare was getting worse. It appeared to be the sinister work of Anonymous, the infamous global Internet vigilante group known for ferocious attacks.

The Liberty executives listened in disbelief in their offices near Amsterdam as the eerie synthesizer-distorted voice on the screen explained how the next attacks would be even harsher. The target: Liberty Global’s newly acquired Ziggo operations in the Netherlands.

The audio ended with a version of the group’s signature coda: “We are Anonymous. We are legion. We do not forget. We do not forgive. F---k your bad services. Expect us.”

When it ended, the room fell silent for a second.

Over the ensuing 72 hours of August 2015, a bizarre chain of events would leave Liberty executives flummoxed, and forever wary. The crisis would embroil an eclectic set of characters, including frazzled cable engineers, detectives with the Dutch Police’s High-Tech Crime Unit, cyber gumshoes at the National Cyber Security Centre, the digital vigilante group known as Anonymous, copycat hackers looking for Internet glory and the true perpetrators, who briefly evaded authorities despite their crude methods.

In bringing down Liberty Global’s Ziggo network, the criminals and the manhunt to capture them yielded some crucial lessons for the many media companies — indeed, any major industrial concern — that will inevitably confront this insidious peril of the Internet Age: that they will be victimized by a hacker or attacker hell-bent on stealing data, demanding money or bringing the system down.

Hacking is big business, and it’s getting bigger. Cybercrime inflicts annual costs to the global economy exceeding $400 billion, according to a study by the Center for Strategic and International Studies, sponsored by cybersecurity firm McAfee. Costs could reach up to $2.1 trillion globally by 2019, according to Juniper Research. Other estimates put the figure at a mind-boggling $6 trillion within five years, including lost productivity, fraud and post-attack disruption.

Cable operators and other ISPs rarely speak about cybercrime for fear of inadvertently revealing network vulnerabilities, but given the widespread, mostly unauthorized revelations about the Netherlands cyberattack, Liberty executives agreed to share limited details to clarify the episode.

Sometimes a breach occurs for all the wrong reasons. A company can do all the right things, create the best safeguards and vigorously review security, but may overlook a tiny flaw in the system.

Liberty’s network, like that of many ISPs, is attacked constantly in a variety of ways (see chart), but the attempts are kept at bay with increasingly sophisticated safeguards. Though outages at big ISPs from hackers are rare, the odds continue to grow in the hackers’ favor as digital commerce and cloud computing thrive. Wireless operations are, in many ways, even more vulnerable.

Evolving prevention and detection strategies are as elaborate as they are endless: “honeypots,” for example, are computer systems set up to act as a decoy to lure cyber-attackers and study their methods. Liberty had long ago implemented a holistic approach to security beyond just firewalls, with a 24-hour monitoring team in a global security operations center. Highly trained executives followed a thoughtful crisis-management process. Recent upgrades had already reduced malware infection rates by 25% since January 2015. With a comprehensive plan backed by best practices, the network security team was comfortable the company could withstand most cyber attacks.

THE ATTACK BEGINS

But last summer, a rupture suddenly and quietly appeared in the front lines. And like all successful attacks, the intruders caught the fortress completely by surprise. It was as if the cable giant had built reinforced steel walls with spotlights and guard dogs in front of the house and then left a window open in the new annex out back.

Around 9:30 pm on Tuesday, Aug. 18, Liberty technicians got word that Ziggo, an incumbent cable operator acquired by Liberty months earlier, was reporting outages.

Ziggo had only just begun the process of integrating its system into Liberty’s, but no matter: Liberty owned them now and complaints were lighting up call centers by the thousands. In just hours, hundreds of thousands of customers would be without broadband services.

Ziggo and Liberty engineers quickly huddled on a conference call to determine the cause of the outage. More often than not, the problem can be traced to an equipment failure. Not this time. Within an hour, the engineers, because of the mushrooming volume of outages, quickly realized Ziggo was under a distributed denial of service (DDOS) attack. This was a Priority 1 incident.

Liberty Global’s chief technology officer, Balan Nair, knew reaction time was critical. “The key to solving all this is a function of how quickly you react initially and how good your team is,” he said. “Up and down the ladder, everyone was taking this very seriously. They were burning the midnight oil on this.”

A distributed denial-of-service attack typically floods a company’s network by inundating it with connection requests, leaving the targeted server overwhelmed, a lot like Lucy at the chocolate factory, frozen by its inability to keep pace with commands. Often the culprit is using an army of hijacked Web browsers or malware-infected computers, or botnets. According to a report by TrendMicro Research, $150 can buy a week-long DDoS attack on the black market.

Indeed, DDOS attacks are common — Liberty, like many cable operators, fends off up to 10 Gigabits of DDOS attacks — per day. This particular attack targeted DNS servers, which redirect domain names to correct IP addresses. Social media chatter about the outage began building — for those that could still get online.

Social media, in fact, supplied the first clues to identifying the perpetrator. Several groups began to claim credit via Twitter. Then came the YouTube video. As it played against a still photo of a Guy Fawkes mask, the synthesized voice began its threat:

“We, Anonymous, have a message to company Ziggo … now we’re going to hold Ziggo offline for a few days because Ziggo offers bad service. This is the last warning. We are Anonymous. We not forgive. We do not forget. F---k your bad services. We are Legion. Expect us.”

Recalls Kurup: “That shook us to the bone.”

The nature of a DDOS attack is that it ebbs and flows, and by 5 a.m. on Aug. 19, several hours after the first thrust, the attack seemed to ebb with the countermeasures of Ziggo and Liberty engineers. Liberty executives breathed a moment of relief: Customers could be back online when they awoke.

The DDOS attack had not been so unique or complex, so why had the network become so suddenly vulnerable?

While the tech teams were puzzled at first, they soon realized the cause. Despite defenses that Liberty Global had in place, the firewalls in front of newly acquired Ziggo’s DNS servers had not been set up according to Liberty Global standards, and had collapsed. Firewalls prevent routine unauthorized access, but not the kind of voluminous attacks of the sort that targeted Ziggo.

Moreover, the attackers had caught Liberty at its weakest moment — in the middle of migrating an entire network. As the DDoS attack ebbed, Liberty and Ziggo engineers were left chewing on a tough question: how to instantly migrate Ziggo’s network into Liberty’s — usually a months-long task with tests, changes and documentation required — in one day.

The engineers hatched an audacious scheme. Senior managers, confident the team could execute, approved the plan instantly.

“They said, ‘You know what you need to do — do it,’ ” said Kick Fronenbroek, a senior security specialist for Liberty Global.

At some point on the second day, another threatening YouTube video surfaced. This one was more specific, and raised questions about the attacker’s true identity. Posted by someone ominously dubbed “AnonNazi,” it featured a crudely drawn, green, animated, hooded character with a synthesized voice, emblazoned with a banner with swastika icons.

The voice claimed full credit for the earlier attack, dismissing Anonymous. “Some other people are claiming it was Anonymous, but it was not. We attacked the DNS service because of the bad service that Ziggo provides …” AnonNazi boasted.

His next utterances were pointed.

“Because of bad service we want you to pay all of the customers all of their money back for about one week. If you don’t accept this, we will continue with more powerful attacks,” the voice threatened. “You have been warned.”

The question burning on everyone’s mind: if this wasn’t the real Anonymous, who in the hell had just brought down service to nearly 2 million homes? Executives at Ziggo and Liberty were baffled.

Around 4 p.m. on that second day, Aug. 19 — after the first attack, and before the migration of the network — there was another, more ferocious assault using a different entry method.

Again, consumers and businesses across the country were digitally stranded with no broadband service. In just 24 hours, the national network had absorbed two unprecedented cyberattacks. “We had outages before, but this is the first big one we had,” Kurup said. “Nothing like it before.”

That roughly 2 million customers were without broadband (TV service worked fine) was enough. But the self-proclaimed attackers, AnonNazi, took to social media to pour salt in the wound: Liberty stood helpless — for the moment — as a second wave of digital torpedoes directed by the same hackers penetrated the bulkheads.

“We now understand the weakness, but we also see that the system is allowing it to happen,” Kurup said. “We knew we could fix this problem.”

The crisis was escalating. On YouTube, Ziggo was threatened with new attacks. At the same time, the attackers announced a new target, KPN, a Dutch telecommunications company.

The Dutch Ministry of Security and Justice called the attack “serious,” and Liberty executives called in the High-Tech Crime Unit of the Dutch Police Services Agency.

A growing team of technicians were tackling the DDOS attack, and by the evening on the second day, had counteracted the menace of the incoming traffic. The traffic issue was becoming more manageable.

By about 3 a.m. on Aug. 20 — about 50 hours into the attacks — engineers had redirected the flow of traffic, essentially by offloading it to island data centers.

Working around the clock, the teams had finally migrated the network and successfully updated defenses. All mitigation steps in Liberty’s elaborate security protocol were in place. Engineers at Ziggo and Liberty were content for the moment. The back window was shut.

Although the attackers had managed to inflict inconvenience, the company had reason to be proud of how it battled back. Its fast reaction preserved customers’ data and privacy, and minimized downtime for countless business and residential subscribers. An endto- end security plan made the attack manageable. And the incident left Liberty’s security team with invaluable battlefield experience.

As Liberty stated in its annual report, “the overload impacted 2.2 million customers, yet within 24 hours, our teams were moving 130,000 customers per hour to more resilient infrastructure. Two days later, full service was restored.”

Liberty now was intent on winning the war. Fearing further attacks as a result of the threats hurled over YouTube, Liberty didn’t just drop the matter, as many corporate hacking victims do. The company pressed a criminal investigation, beginning a cat and mouse game to track down the culprits, while bracing for more attacks.

But a strange thing happened — nothing.

Much to the bewilderment (and relief) of executives, no large-scale DDoS hacking attempts were detected in the system. The threatened deadline came and went. Ironically, the hacker’s inaction provided a major clue.

Serious hackers, not to mention ransomware, vow a certain time for an attack — and stick to it. That this code was not honored virtually confirmed suspicions that Anonymous wasn’t behind the attack.

A subsequent Twitter post by AnonOps, which claims to have ties to the actual group, echoed many social-media commenters: “DDoS on #Ziggo is not an #Anonymous operation.”

HACKER VS. HACKER

Then the manhunt took a bizarre turn for investigators: the groups claiming credit for the attack began to insult and threaten one another on social media.

Some dismissed the poster AnonNazi as a pretender. Another self-proclaimed hacker, AnonymousScruggs, claimed credit for the attacks on Ziggo.

“They were having turf wars,” said John Fokker, who, with Ton Maas led the digital team for the High Tech Crime Unit of the Dutch National Police. “Most [professional hackers] are discreet about how they approach the company. They don’t have a beef on Twitter.”

Days later, on Aug. 26, a video narrated by the synthesized voice of a faint image, hooded and tinted purple, and posted by “Code Red,” drew Liberty’s attention:

The hackers began to “dox” one another, an attack wherein all of a target’s personal documents (email addresses, phone numbers and bank accounts) are released on the Internet. On the Twitter account of AnonNazi, a post read simply, “This account has been compromised by @BOEFII.”

Said another post by @BOEFII under a story about the attack on a media website in the Netherlands:

“I would like to thank everyone who participated in helping me to dox every single person from Anon_Nazi. They are destroyed and they will never cause any harm to Ziggo again.”

Had a bunch of glory-hungry hackers claiming credit for the same crime just turned on one another — outing each other in the process?

Top engineers at Liberty were left scratching their heads.

In addition to the police, Liberty called in digital detectives from the National Cyber Security Centre, which collects data and advises organizations on security, and a rapid response team from Deloitte, which focused more on forensics.

Over the next several days, Liberty engineers began turning over discs of data to investigators. Digital detectives scoured social media for clues, conducted interviews and studied logs of interactions between the Liberty/Ziggo servers and outside computers. Investigators searched for patterns and addresses that matched the information they were gathering about the attackers.

As the digital dust settled, Liberty executives reviewed detection and prevention measures all across the Liberty Global footprint. “We had already sanitized the entire system,” said Kurup.

Chasing the digital breadcrumbs, the public claims of credit, and the battle between the hackers, Fokker and Maas moved quickly and made two arrests early on.

Six weeks after the initial attack, on Oct. 7, 2015, Dutch police arrested four minors between 14 and 17 years old and one 21-year-old. The boys come from Berkelland, Lochem, Den Helder, Schoorl and Vinkeveen.

Police seized computers, mobile phones, external hard drives and USB sticks. The young suspects “wanted to show they were capable of having a major effect such as taking down an Internet provider,” the National Prosecutor’s Office said in a statement to Dutch media.

Under Dutch penal code, the suspected hackers face up to two years for the DDoS attack. Because of the extortion threats, they face a maximum of an additional 12 years behind bars. A trial date has not been set, but because of the suspects’ age, leniency will be sought.

Today, the Liberty and Ziggo engineers are sensitive about the incident. “If the same cast of characters had done this anywhere else in our global footprint — Germany, France, Belgium — it wouldn’t have even caused an outage,” said Kurup. “We would have intercepted it. It would have been logged as a routine attack.”

Kurup hopes the apprehension of the hackers, which made big headlines in the Netherlands, deters others. But no matter — the incident has made the entire company more vigilant, and that’s a good thing.

“It’s a constant battle,” Kurup said.

STATE of CYBERSECURITY

500M

Number of accounts that Yahoo said hackers had accessed containing passwords and personal details in 2016.

SOURCE : Yahoo

129%

Increase in DDoS attacks in Q2 2016 vs. Q2 2015

SOURCE : Akamai State of the Internet Security Report, Q2 2016.

45%

Increase in 2015 of detected security incidents over the year before for telecommunications companies.

SOURCE : PWC, The Global State of Information Security Survey 2016. Based on responses of more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices from 127 countries.

100M

Number of fake tech-support scams blocked by Symantec in 2015, whereby pop-up error alerts steer victims to an 800 number where “tech- support reps” sell services.

SOURCE : Symantec

39%

Percentage of companies that cited “budget” as the biggest barrier to adopting advanced security processes and technology.

SOURCE : Cisco 2015 Security Capabilities Benchmark Study

54%

Percentage of companies that cited malicious software downloads as the leading cause of internal breaches.

SOURCE : Cisco Systems, Security Risk and Trustworthiness Study

93%

Percentage of cases in which it took attackers “minutes or less” to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred — and it was typically customers or law enforcement that sounded the alarm, not their own security measures.

SOURCE : Verizon 2016 Data Breach Investigations Report

65%

Percentage of respondents who collaborate to improve cybersecurity and reduce cyber-risks, up from 50% in 2013.

SOURCE : PWC The Global State of Information Security Survey 2016, based on responses of more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from 127 countries

HACKING 101: HOW TO GET IN

Cybercrime is any criminal act involving a computer and/or a network. Hacking is the unauthorized access into a computer system. Crimes can take any form, from outright theft of data or funds, damage to a network or harm to a reputation. Increasingly, one of the weakest links in security is the employee. Most attacks on companies involve some sort of malware, a broad term for malicious code, including Trojans, worms and viruses that steal or destroy data, often introduced through emails, downloads or other network weak spots. Some common terms below:

• “Phishing” attempts involve official-looking emails tempting employees to click on a link that can trigger countless malware possibilities. (Spear phishers focus narrowly on a single company or individual.)

• Distributed Denial of Service (DDoS) attackers use multiple hijacked computers to push through a huge volume of traffic through the network until it becomes overwhelmed and no longer functions.

• Botnets, also known as “zombie armies,” are groups of infected computers controlled by third parties for DDoS attacks or for distributing other malware.

• Trojan attacks allow attackers to remotely steal data and manipulate the computer.

• Ransomware demands a ransom after blocking access to the computer by encrypting files on the hard drive.

• Spyware allows attackers to go undetected on infected computers to track users movements on the Internet, even keystrokes for theft of accounts, etc.

• Adware redirects users to unwanted advertising.

• SQL injection inserts a nefarious code in a website/’s entry field that allow attackers to manipulate or steal or destroy data.

Sen. Mark Warner (D-Va.) has asked the SEC to investigate Yahoo! over the hack of more than a half billion accounts.

Yahoo! announced the 2014 breach last week, but Warner wants to know what executives knew and when they knew it.

Warner, cofounder of the Senate Cybersecurity Caucus, wants to know whether Yahoo! complied with federal securities laws to keep the public and investors informed about breaches.

"“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” wrote Warner, a former tech exec. executive. “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.” 

But Warner wants the SEC to dig deeper. "[S]ince published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature," he said.

Yahoo! said Thursday (Sept. 22) it had uncovered a hack of info that might have included "email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," though it said it does not think the stolen data included banking or

Warner immediately called for passage of breach notification and said he is currently working on a bill to create a "comprehensive, nationwide and uniform data breach standard."

As an unsavory group, phishing, hacking and malware together comprised the number one cause of data security "incidents."

They caused 31% of all breaches, according to the second annual Data Security Incident Response Report from BakerHostetler, which analyzed more than 300 such incidents the law firm helped manage.

Rounding out the top five causes, in order, were employee actions/mistakes (24%), external theft (17%), vendor-related incidents (14%) and internal theft (8%). Just outside the top five, at 6%, was improper records disposal.

The study found that the average time between a breach and detection was in excess of two months (69 days), and in at least one case well more than a year. Almost a quarter (24%) of the breaches resulted in a regulatory inquiry, and litigation was begun in 6% of the cases.

More than half of the breaches (52%) were self-detected.