Digital Security and Ethics

Abstract
The purpose of this paper is to evaluate and respond to digital security threats and to evaluate information ethics and public policy concerns in areas such as privacy and free speech. The organization identified as having suffered a security threat in this case is Under Armour Inc. The company specializes in manufacturing footwear, sports and casual clothing. The company was recently attacked by hackers. The findings of this study revealed that the security threat that affected Under Armour’s customers is quite widespread, and the attack can be attributed to the company’s use of a password hashing function called SHA-1, which is notoriously weak. The results also revealed that the organization lost 3 percent of its share value due to the attack. Furthermore, it was revealed that Under Armour became aware of the breach a month after it occurred and only reported the incident 4 days after finding out. As such, it is recommended that the company use proper encryption and salt user passwords to prevent such attacks in the future.

Introduction/background
Under Armour Inc. is an organization based in the United States that manufactures footwear, sports and casual clothing. The company is one of the many organizations that were victims of cyberattacks in 2018. Under Armour reported that data from one hundred and fifty million MyFitnessPal diet and fitness application accounts was breached in February this year (Shaban, 2018). The security breach is one of the largest cyberattacks in history. Other large hacks include the breach of Yahoo accounts in 2013, which compromised 3 billion accounts, and the cyberattack on the credentials of over 412 million users of adult websites run by FriendFinder Networks Inc. two years ago (Shaban, 2018). The attack on Under Armour resulted in a 3% decrease in its share price in after-hours trading. The breached data included scrambled passwords, email addresses, and user names for the famous MyFitnessPal mobile application and website (Shaban, 2018). Notably, driver's license numbers, payment card data and Social Security numbers were not affected. Although the hack did not target financial data, large collections of stolen email addresses can prove valuable to hackers. For instance, email addresses stolen from JPMorgan Chase customers in 2014 were later used by cyber criminals in pump-and-dump schemes to increase the prices of stocks (Lucas, 2017).
Assessment, Ethics, and Public Policy Implications
Assessment
The security threat is quite widespread. Under Armour appears to be the latest victim of a chain of cyberattacks affecting organizations in every industry. For example, Orbitz, a travel booking website, recently reported that it was a victim of hacks, and the security breach affected approximately 850,000 payment cards from the users’ sites (Lucas, 2017). Equifax, a customer credit reporting organization, also recently reported that it experienced another colossal data breach affecting more than two million clients in 2017, 6 months after disclosing a previous hack that affected more than 140 million additional individuals. Other major organizations that have faced extensive security breaches in recent years include Uber, Yahoo and the Pentagon (Lucas, 2017).
Under Armour has been in operation since 1996. Throughout the years, the company has run smoothly without any incidents of security breaches. As such, the cyberattack that occurred towards the beginning of this year was the first of its kind. In fact, the discovery of the attack came as a shock. So far, the company is not aware of how the attack was carried out. For this reason, it is still working in collaboration with leading security companies to identify the hackers and how they conducted the attack (Shaban, 2018). Under Armour is also working with law enforcement agencies to investigate the incident and bring those involved to book.
Under Armour protected stored passwords by hashing them, that is, by changing them into incomprehensible character strings. However, there was one vital issue: in spite of protecting the passwords of its clients very well, the organization made the mistake of hashing only some of the passwords with the robust function known as bcrypt; the remaining passwords were guarded by a hashing scheme known as SHA-1, which is weaker and has known faults (Shaban, 2018). This indicates that the cyber criminals possibly cracked some portion of the stolen passwords with relative ease, to sell or to use in other online scams (Nemati, 2008). The incident, though not an all-time worst security breach, was a disturbing reminder of the unreliable state of security on corporate networks. The company has not disclosed the actual amount of financial damage it suffered as a result of the security breach. Rather, it mentioned that its shares in the financial market had dropped by 3 percent due to the attack.
Ethical implications
The security breach occurred in February 2018, but Under Armour became aware of it on 25th March, 2018. This awareness prompted the organization to take steps aimed at establishing the nature and extent of the matter and to inform its clients about the incident. The company did not report the incident in a timely manner. After learning about the hack, Under Armour took four days to notify its MyFitnessPal community about the matter through email and in-app messaging (Shaban, 2018). The organization also provided the users of this application with recommendations on account security steps they can apply to help guard their personal information. In addition, it urged the users of the MyFitnessPal app to change their passwords immediately. Nonetheless, compared to other organizations, Under Armour’s reporting was timelier. For instance, Equifax took some weeks to announce to its users that it had been hacked, and Uber took more than 12 months (after trying to cover up the cyberattack) to notify users.
The organization met some of the state and security incident requirements and failed to meet others. Companies are required to report information security events, where the privacy and integrity of civilian information is potentially breached, within 1 hour after the company’s security team identifies the breach (Kosseff, 2017). Under Armour did not meet this requirement, as it reported the security breach incident after 4 days. However, the company met other requirements. Under Armour was able to report on the impact the breach had on it (lost its shares), the kind of information lost (passwords, email addresses and user names), the first time the hack was noticed (25th March, 2018), and the number of users affected (in this case, 150 million).
Public policy concerns (privacy and free speech)
Information privacy entails protecting the confidentiality of individual information and is normally related to individual data stored in computer systems (Kosseff, 2017). The requirement to preserve information privacy applies to individual information such as financial data, website data, personal identification data and business-related data, among others (Vermaat et al., 2016). In this context, the information privacy of Under Armour’s customers was breached. This means that the customers’ personal information was no longer protected, and as such, it was vulnerable to misuse by cyber criminals.
Free speech is the right given to individuals or communities to voice their opinions and ideologies without fear of punishment or retaliation. As cases of cybercrime become rampant, states increasingly need to commit law enforcement resources to battle the issue. Nonetheless, using cybercrime law and enforcement can restrict freedom of speech. As a consequence, states risk complicating vital cooperation at the international level as well as de-legitimizing cybercrime law and enforcement (Owen, Noble, & Speed, 2017). Given the increasing need for enforcement to frustrate hackers, without which the social and economic opportunities of the internet may well falter, using “cybercrime” as a label for restricting speech and regulating content may only dilute support, divert resources, and complicate global cooperation.
There are gaps in the regulations. For instance, some federal and state laws lack regulations on security risk assessments. As such, there is no standard way of conducting these assessments. Laws on information handling are absent. Therefore, organizations are not able to understand and guard the data they hold. Incident planning and response is another matter of concern. Federal policies do not clearly spell out the kind of response plans organizations should follow after a security breach (Kosseff, 2017). In this case, companies adopt the strategies they believe will best help them address the breach. Possible solutions include enacting federal and state laws that clearly define the types of security assessments to carry out and establishing a standard way of doing the assessments. Other solutions should focus on providing guidelines on information handling.
Recommendation
I recommend proper encryption and the salting of user passwords. Under Armour made the mistake of hashing a portion of the users’ passwords with the infamously hackable SHA-1 function. Therefore, in order to properly guard the passwords and meet the security requirements of the General Data Protection Regulation, there is a need to use a robust hashing function and to salt the passwords of users. Even though bcrypt is strong, it is breakable. The cyberattack on Ashley Madison involved over 30 million passwords which were hashed using bcrypt.
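The weakness described in the Assessment (unsalted SHA-1 on part of the password table) and the salting recommended here can be seen side by side in the following added Python example, which is not part of the original paper and not Under Armour's code. It assumes the standard library's scrypt as a stand-in for bcrypt, and the record format, cost parameters and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for illustration; tune them to your hardware.
N, R, P = 2**14, 8, 1

def legacy_sha1(password):
    """Unsalted SHA-1 record: equal passwords always give equal hashes."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def _scrypt(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)

def hash_password(password):
    """Salted, deliberately slow hash with a fresh random salt per record."""
    salt = os.urandom(16)
    return "scrypt${}${}".format(salt.hex(), _scrypt(password, salt).hex())

def verify(password, stored):
    """Check a password against either record format in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(legacy_sha1(password), stored)
    if scheme == "scrypt":
        salt_hex, digest_hex = rest.split("$")
        candidate = _scrypt(password, bytes.fromhex(salt_hex)).hex()
        return hmac.compare_digest(candidate, digest_hex)
    return False

def login(db, user, password):
    """Verify, then upgrade a legacy SHA-1 record once the password is known."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha1$"):
        db[user] = hash_password(password)  # the weak hash is overwritten
    return True

if __name__ == "__main__":
    # Constructed sample records: two users who picked the same password.
    db = {u: legacy_sha1("correct horse") for u in ("alice", "bob")}
    print("identical before:", db["alice"] == db["bob"])
    for u in db:
        login(db, u, "correct horse")
    print("identical after: ", db["alice"] == db["bob"])
```

Records for users who never log in again stay in the weak format, so a migration of this kind also needs a forced reset or expiry for dormant accounts.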
Conclusion
Clearly, cybercrime is becoming notorious in the 21st century. More and more companies are becoming victims of cyberattacks. Under Armour appears to be one of the latest victims of these hacks. Even though the company had taken stringent measures to protect the data of its customers, hackers still found a way to compromise its clients’ data. This calls for federal and state governments to tighten their belts in addressing this issue through the formulation of policies and the enforcement of laws.

References
Kosseff, J. (2017). Cybersecurity law. Hoboken: Wiley.
Lucas, G. R. (2017). Ethics and cyber warfare: The quest for responsible security in the age of digital warfare. Hershey, PA: IGI Global.
Nemati, H. R. (2008). Information security and ethics: Concepts, methodologies, tools and applications. Hershey, PA: Information Science Reference.
Owen, T., Noble, W., & Speed, F. C. (2017). New perspectives on cybercrime. Springer International Publishing AG.
Shaban, H. (2018). Under Armour announces data breach, affecting 150 million MyFitnessPal app accounts. Retrieved from https://www.washingtonpost.com/news/the-switch/wp/2018/03/29/under-armour-announces-data-breach-affecting-150-million-myfitnesspal-app-accounts/?utm_term=.27e5edf59c8c
Vermaat, M. E., Sebok, S. L., Freund, S. M., Campbell, J. T., Frydenberg, M., & Ly, A. (2016). Discovering computers 2016: Digital technology, data, and devices. Boston, MA: Cengage Learning.
