Bug bounty programmes could have prevented costly data breaches
Four major data breach incidents that took place between 2015 and 2018 and inflicted losses of £265 million on the likes of British Airways, TalkTalk, Carphone Warehouse, and TicketMaster could have been prevented had these organisations invested between £9,600 and £32,000 in bug bounty programmes to uncover hidden vulnerabilities in their systems.
In 2015, a series of cyber attacks suffered by TalkTalk compromised the personal information of 156,959 customers, resulted in the loss of more than 15,000 bank account numbers, and cost TalkTalk between £40 million and £45 million to remediate its impact.
A year after the attacks took place, the Information Commissioner’s Office issued a record £400,000 fine to TalkTalk “for security failings that allowed a cyber attacker to access customer data ‘with ease’”. The watchdog noted that TalkTalk had failed to properly identify a database containing customer records that had inherent vulnerabilities; hackers then infiltrated that database through SQL injection.
In June last year, Dixons Carphone also suffered a massive breach that involved hackers stealing 105,000 non-EU issued payment cards, 5.8 million other payment cards, and approximately 10 million customer records that did not include payment card or bank account details. The primary cause of the breach was an out-of-date WordPress interface used by the company.
Similarly, British Airways and TicketMaster also suffered mega breaches of customer records last year after a hacker group known as Magecart exploited a third-party JavaScript vulnerability to steal payment card details and other records of hundreds of thousands of their respective customers.
In July this year, the ICO said it planned to issue a fine of £183.39 million to British Airways under GDPR for failing to prevent the cyber incident that compromised personal and financial information of approximately 500,000 customers. According to security firm RiskIQ, hackers from Magecart used only 22 lines of script to modify a large number of scripts on the British Airways website and then exploited the modifications to extract information from payment forms and transfer that information to their own server.
Bug bounty programmes cost a fraction of the amount of money lost to data breach incidents
According to bug bounty and pentesting platform HackerOne, the four organisations suffered total losses of over £265 million, including monetary fines, because of the four respective data breach incidents. However, had the organisations spent between £9,600 and £32,000 on bug bounty programmes to uncover hidden vulnerabilities in their systems, the incidents would not have occurred.
“By running bug bounty programs and asking hackers to find their weak spots, our customers have safely resolved over 120,000 vulnerabilities before a breach could occur,” said Prash Somaiya, security engineer at HackerOne.
“This research is a rough estimate on bounty prices, based on our existing programmes across the same industries, but it does highlight that companies can save millions and reduce risk by being proactive when it comes to identifying and patching their vulnerabilities,” he added.
A recent study conducted by HackerOne found that whenever bug bounty programmes are launched, hackers are able to uncover the first vulnerability within 24 hours in 77% of cases. As many as one in four vulnerabilities uncovered by hackers participating in bug bounty programmes are also classified as being of high or critical severity.
Earlier this year, the firm also revealed that five hackers had earned $1 million each by hacking into networks owned by the likes of Airbnb, the US Department of Defence, Goldman Sachs and Spotify. In 2018, hackers earned a total of $21 million by reporting vulnerabilities under bug bounty programmes, with hackers from the U.S., India, and Russia collecting 36% of the total value of awarded bounties.