As you no doubt are aware, October is Cybersecurity Awareness Month, a time when President Biden wants Americans to appreciate “the importance of safeguarding our Nation’s critical infrastructure from malicious cyber activity and protecting citizens and businesses from ransomware and other attacks.” Being the Nervous Nellie that I am, I take IT breaches very seriously, although I appreciate I’m pretty much alone with my concerns. Call me the Chicken Little of technology.
I wish I could be nonplussed by such stories as the breach CommonSpirit Health experienced last week. You don’t know what I’m talking about? CommonSpirit, which happens to be America’s second-largest “nonprofit” hospital chain with more than 140 hospitals and more than 1,000 care sites in 21 states, had its IT system hacked by shameless cyber pirates demanding ransom as a condition to vacate the hospital company’s technology premises. The disruption resulted in ambulance diversions, system shutdowns and patient appointment rescheduling. One hospital was forced to cancel a CT scan to check on a brain bleed.
The pirates’ shame wasn’t their moral vacuousness in hacking into a hospital but rather their cowardice. A hospital ransomware attack is child’s play, the hacking equivalent of mugging a wheelchair-confined old lady. That’s because hospital CEOs prefer paying themselves big bucks rather than investing in security to protect the personal data of their customers, which is why 86 percent of global healthcare organizations have been compromised by ransomware and 25 percent were forced to halt operations. A just-released survey revealed that one-third of healthcare institutions don’t share details of their hacks with law enforcement. I’m guessing they’re too embarrassed.
“Operational outages put patients at risk,” warned Bharat Mistry, Technical Director at cybersecurity firm Trend Micro and a fellow Chicken Littler. “We can’t rely on the bad guys to change their ways, so healthcare organizations need to get better at detection and response and share appropriate intelligence with partners to secure their supply chains.”
Although I’m just an armchair CISO, I’ve mastered the basics of cybersecurity. One lesson I’ve learned is that bigger means riskier in the IT world. Cyber pirates look for what security specialists call “points of entry,” one of the few technical terms I readily understood. Every person who has login credentials to an IT system is a potential point of entry, so a company with tens of thousands of employees is just begging for trouble.
It’s virtually impossible for big companies to control all their points of entry.
I was saddened to learn that even my beloved Toyota, the automaker I most admire, recently suffered a breach through no fault of its own. The company disclosed last week that nearly 300,000 email addresses and customer numbers of those using T-Connect, a telematics service connecting vehicles to a network, were potentially leaked. Toyota said a contractor that developed the T-Connect website accidentally uploaded parts of the source code with public settings from December 2017 until September 15 this year.
Therein is another cybersecurity lesson I’ve learned. The public mistakenly believes that dishonorable bad people are exclusively responsible for cyber breaches, but often they’re the result of human error, or what people less charitable than me might call stupidity. One company where this seems readily apparent is Crypto.com, whose pitchman is A-list actor Matt Damon.
Australian authorities are seeking to help Crypto.com recover more than $10 million the company mistakenly sent in May of last year to Jatinder Singh, a regular trader of cryptocurrency who reportedly used his debit card to amass $49,000 in his Crypto.com wallet. Seven months passed before Crypto.com discovered its error, and not surprisingly Singh and his girlfriend, Thevamanogari Manivel, went on a buying spree, acquiring luxury homes and goods for themselves and their families, and paying off the mortgage of one of their mates.
The fact that it took Crypto.com seven months to discover it mistakenly sent more than $10 million to a customer isn’t what’s most alarming. Rather, it’s how the error was made.
It was revealed in court proceedings this week that a Melbourne company contracted to Crypto.com made the mistake when an employee working out of Bulgaria accidentally copied and pasted the account number of Manivel’s previous job into the refund amount that was erroneously deposited into Manivel’s account.
For all the lofty talk about blockchains and massive computer systems so powerful they can’t be hacked, Crypto.com heavily relies on individuals likely named Dimitar or Yordanka whose Excel skills are possibly more lacking than mine.
My sympathies are with Singh and Manivel, who face 20 years in prison. I adhere to the laws of my childhood playground, which firmly held, “Finders keepers, losers weepers.” There’s also the legal maxim, “possession is nine-tenths of the law.” Singh insisted that when the $10 million landed in his account, he thought he won a sweepstakes he claimed Singapore-based Crypto.com advertised. The company denied that it runs sweepstakes.
Singh is an investor in virtual currencies that have racked up unimaginable real-world losses, so obviously he’s not all that sophisticated. There’s a reason crypto firms pay celebrities big bucks to gain an aura of respectability.
As reported by the New York Times, Tom Brady and Gisele Bündchen have appeared in commercials for the cryptocurrency exchange FTX, a Crypto.com competitor in which they have an equity stake. Kim Kardashian just settled with the SEC for promoting EMAX tokens, the crypto asset security being offered by EthereumMax. Kardashian’s post contained a link to the EthereumMax website, which provided instructions for potential investors to purchase EMAX tokens. Kardashian didn’t disclose that she was compensated for the seemingly independent endorsement.
On Twitter, Reese Witherspoon is a vocal booster (“Crypto is here to stay”), and Snoop Dogg, a lover of blockchain assets known as non-fungible tokens, offers investing advice (“Buy low … stay high!”).
While I understand that in theory cryptocurrencies make sense, it’s become clear to me the industry isn’t dominated by responsible companies run by competent and experienced grown-ups. Binance, the world’s biggest exchange for crypto assets, disclosed last week that scammers stole $580 million of its digital currency, exploiting “an exploit” in the company’s system that led to extra production of the exchange’s dedicated virtual monies.
Yassine Elmandjra, an analyst with ARK Investment Management, this week predicted that Bitcoin, the world’s largest cryptocurrency, could become a “28-trillion-dollar opportunity.” ARK founder Cathie Wood earlier predicted that self-driving vehicles would become a $30 trillion opportunity, but there are more credible people who believe the potential is closer to zero. Wood’s flagship fund is down more than 60 percent this year, and some believe the carnage is not yet over. The smart money bets against pundits popular with the business media.
This morning I had a long meeting with McKinsey – not that McKinsey, silly, but Moshe McKinsey, my imaginary childhood friend who’s an investment wizard. He advised that with so much dumb money chasing crypto and other questionable investments, the time was ripe to monetize my Brooklyn Bridge ownership, which I quietly acquired while living in New York City. Infrastructure is a very popular asset class these days.
My deed to the Brooklyn Bridge is stored at a secret location in Bulgaria so I can’t readily produce it, but I assure you I’m the bridge’s rightful owner. To demonstrate my belief in cryptocurrencies, that’s the only form of payment I will accept for purchase of my Brooklyn Bridge shares.
That will make the purchase a guaranteed risk-free investment because if cryptocurrencies continue with their downward trajectories, they could ultimately have zero value. Investors will still have the non-fungible tokens I plan to issue confirming their interest in the Brooklyn Bridge. The tokens will come to be regarded as the pet rocks of investing. Amazon currently sells pet rocks for $29.99 a box.
Wishing everyone a safe cybersecurity awareness month. Love and kisses to all the CISOs out there. You have your work cut out for you!