It’s hard to put a cost on a cyber attack. Each situation is unique, and therefore so is the price tag. But sometimes, just sometimes, the consequence is so catastrophic that the victim organisation is forced to close their doors for good. Kate O’Flaherty reports
As sure as the sun comes up, cyber attacks happen. And occasionally, the impact is so bad that the company goes out of business. Thankfully, it’s a rare occurrence, and even then, the breach is often just one of multiple factors that have put the business under extreme pressure.
History tells us that when firms go bust this way, it’s often down to a lack of basic security. Those who ignore history are bound to repeat it, so Assured Intelligence has taken a look at some of the companies that have gone out of business due to a cyber-attack to bring you the low-down on what happened in each case. We also believe in actionable content, so we have included some advice on avoiding the same thing happening to you and your organisation. You’re welcome!
Perhaps the most widely recognised example is Travelex, the company that fell into administration in January 2020 after being hit by a cyber attack on New Year’s Eve.
The perpetrators, ransomware gang REvil, claimed they had gained access to the firm’s network six months previously and demanded that Travelex pay a $6m (£4.6m) ransom. The attack was devastating, causing a month of disruption with staff unable to use computers to keep track of currency trading.
It took until 17 January for the company to finally announce that services were back up and running. The attack impacted high-profile clients too, including Barclays, Asda and Royal Bank of Scotland.
From there, things continued to tumble downhill. First, Travelex put itself up for sale and then in August, it went into administration with 1,300 of its employees losing their jobs. Its creditors then bought it in a lucky escape for the beleaguered firm.
“While this breach did not solely contribute to the fact that the company entered administration, it certainly had a large part to play,” says independent security researcher Sean Wright. And it could have been avoided: The attack happened, quite simply, because Travelex did not patch its VPN servers, he says.
It was also despite several warnings by US and UK government departments about the unpatched vulnerability being actively exploited by the REVil criminal gang, Wright laments.
Cloud-based code hosting service Code Spaces went out of business in just 12 hours in 2014 when a malicious hacker deleted all its data and backups. It began with a distributed denial of service (DDoS) attack where attackers flood their victim with traffic to overwhelm servers. This was accompanied by an intrusion into Code Spaces’ Amazon EC2 control panel, which left the firm with no choice other than to fold.
The extortion attempt, which saw attackers deleting data and backups, “effectively destroyed the company”, says Jake Moore, global cyber security advisor at ESET. “Unfortunately, Code Spaces was unable to mitigate the attack and regain control of systems.”
It might be too late for Code Spaces, but others can learn lessons from the firm’s misfortune, says Moore. “The incident highlights the importance of implementing robust security measures, including multi-factor authentication, secure backups and intrusion detection systems to protect sensitive data and infrastructure.”
In September 2011, digital certificate authority DigiNotar suffered a cyber-attack that ultimately led to its demise. In the attack, false certificates for hundreds of websites, including Google and Skype, were used to perform large-scale ‘man-in-the-middle’ eavesdropping attacks on users in Iran. If ‘man-in-the-middle’ sounds like a school playground game to you, let us explain what it means in the cybersecurity world; it’s when an attacker gets between two communicating parties to cause damage. In the case of DigiNotar, the adversary had gained complete control of all eight of the company’s certificate-issuing servers, so it’s unsurprising that DigiNotar went out of business less than a month later.
According to Fox-IT, commissioned to investigate, attackers had first breached the firm in mid-June that year, with false certificates used to eavesdrop on email and web browsing for almost two months.
The impact was wide-reaching, made worse by the fact that it could have been avoided if the firm had put proper security measures in place. Fox-IT found that DigiNotar was not implementing anti-virus protection and was using weak administrator passwords.
YouBit cryptocurrency exchange
YouBit, a cryptocurrency exchange used to buy and sell currencies such as Bitcoin, was hacked twice in less than one year, eventually forcing it to shut down. During the first attack in April 2017, which was blamed on nation-state North Korean hackers, nearly 4,000 Bitcoins were stolen.
By the second time it was hacked, YouBit had lost 17% of its assets, and its owner Yapian was forced to file for bankruptcy.
Finnish psychotherapy provider Vastaamo was forced into bankruptcy in 2021 following a ransomware attack the previous year that saw its patient database hacked. Frustratingly, the breach could have been avoided. Adversaries have accessed systems since 2018 due to poor security practices, including weak passwords and unencrypted data.
Following the attack, adversaries threatened to publish the sensitive data unless the firm paid a ransom of 40 bitcoins (roughly €450,000).
They were true to their word, publishing hundreds of patient records daily on a Tor message board, including 300 high-profile patients’ therapist session notes. When their attempts to get money out of Vastaamo failed, the attackers contacted the patients themselves. With reputation damage at a catastrophic high, it’s no wonder that Vastaamo’s days were numbered.
American Medical Collection Agency (AMCA)
Healthcare billing vendor American Medical Collection Agency (AMCA) filed for bankruptcy in 2019, a few months after a breach of its customer payment site exposed 20 million Americans’ data. The information accessed by adversaries included names, addresses, dates of birth, social security numbers and medical information.
AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. And security researchers later found 200,000 patient payment card numbers on sale on a darknet marketplace. This led to multiple class action lawsuits alleging negligence, breach of contract and other violations.
It filed for bankruptcy, with Russell Fuchs, the CEO of Retrieval-Masters Creditors Bureau, saying the company had incurred “enormous expenses that were beyond the ability of the debtor to bear”.
The firm is still technically in business, but it had to go all the way down before it could get back up. It was given a strict programme to follow, including appointing a chief information security officer to ensure the plan was implemented.
The impact of cyber attacks
As these cautionary tales show, cyber attacks can have a massive impact on an organisation’s prosperity and survival. However, it’s rare for a company to go out of business altogether. Ian Thornton-Trump, CISO at Cyjax, says cyber criminal activity is “a stress on an organisation which, when combined with other factors, may push a business to the tipping point”.
“All businesses have an intolerable harm threshold—a point at which the harm to them or their customers becomes impossible to recover from” Lisa Forte
While he doesn’t see cyber-attacks as an existential threat to businesses on their own, he concedes that they can “massively impact revenue”.
Lisa Forte, a founder at Red Goat Cyber Security who works in incident response, says the cost of both the immediate response and the “clean up” and subsequent lawsuits can be “phenomenally high”.
“It’s also worth noting that all businesses, whatever industry, have an intolerable harm threshold—a point at which the harm to them or their customers becomes impossible to recover from,” Forte explains. “This is partly why we see so many companies pay ransoms; it’s cheaper.”
Forte has seen companies’ profit margins suffer for over a year following an attack. “These firms had to accept that they would lose a substantial market share due to their inability to operate fully,” she warns.
Travelex declared bankruptcy “almost certainly” due to the attack, Forte says. For others, she thinks the link may be less clear. “But for those that filed for bankruptcy in the year or two after an attack, it’s fair to say the incident played a huge role.”
Hindsight is painful, preparation is essential
Experts agree that avoiding the impact of a cyber attack means first ensuring you perform fundamental security steps. Make sure you are patching systems and have a plan for when an incident happens, Wright advises. “It’s incredibly important to be prepared: When it does happen, you won’t have the luxury of things such as time.”
During and following a breach, communication is key, says Wright. “Being open and honest will not only show that you care and take the matter seriously; it could buy you some friends at the time when you most need it.”
While cyber attacks can be damaging, the outcome isn’t inevitable, says Forte. “There are things you can do to influence it. Have a plan and playbooks for the most likely cyber incidents. Test them, invest in robust cyber insurance and ensure your comms and cyber team talk before an incident occurs to get those crucial early comms right.”
There’s a common theme: Hindsight is painful because most of these attacks could have been avoided. That’s why it makes sense to consider security first and hopefully prevent disaster before it happens.