Should hacked mainframe sites reveal all?

There was a time when people believed that mainframes were too hard to hack. They thought that hackers would be more focused on ‘easier’ targets like Linux and Windows servers. Clearly this isn’t true. Hackers are no longer nerdy loners who gain prestige among like-minded people by breaching data centres and boasting about what they found. Nowadays, hackers are either criminal gangs who are hacking for money, or nation states that are hacking for information (and money). Mainframes are an obvious target for them.

There are also some people who don’t view hacking as that much of a problem. It’s just a bump in the road that all businesses face – much like any other problems that can be overcome quickly and easily with a bit of cash! Again, this just isn’t true. The 17^th annual IBM/Ponemon Institute security report, which was published at the end of July made that perfectly clear.

The report found that the average cost of a breach increased from $3.86 million to $4.24 million in 2020. If you’re in the healthcare sector, the average cost of a breach was $9.23 million per incident. And if you were based in the USA, the average cost of a breach was $9.05 million per incident. Most worryingly of all, for what they call mega breaches – those are breaches of between 50 million and 65 million records – the average cost was $401 million.

And if you were to think that in the event of a breach, you’d identify it straight away and be able to take appropriate steps to rectify it, the survey found that the average time to detect and contain a data breach was 287 days – 212 days to detect a breach and 75 days to contain it.

So, I hear you ask, which mainframes have ever been hacked? In 2008, Luxottica, the parent company of LensCrafters, suffered a mainframe breach exposing nearly 60,000 employees’ records from its US headquarters. In 2013 there were two mainframe hacks. Pirate Bay co-founder Gottfrid Svartholm Warg hacked Logica, a Swedish IT firm, and the Swedish Nordea bank. However, he was cleared on appeal. And in 2015, The US Office of Personnel Management (OPM) was breached. At the time, COBOL was blamed!

As we’re now in 2021, you can draw one of two possible conclusions. Either, only four breaches have occurred in the past 13 years, which isn’t really that bad and clearly shows that mainframes are, on the whole, pretty unhackable. Or, it shows that mainframe sites when they are hacked keep the story to themselves. They don’t release a press release revealing how big the ransom demand was, how much they paid, and how much data was stolen. In the light of the expertise of hackers, I’m coming to the conclusion that it’s the latter situation.

What evidence do I have for this? Many criminal gangs are in the business of breaching company security in order to make money. Wouldn’t it be a great idea to hack ATM machines so that they give the bad actors all the money that they have inside them? That’s what happened last year. Why is that an issue for mainframe sites? The answer is that most credit card transactions run on a mainframe – on IMS, in fact. What happened in 2020 was that criminals gained remote access to a card management system to alter the fraud prevention controls, such as withdrawal limits or PIN number of compromised cardholder accounts. This was probably done by inserting malware, through a phishing attack or social engineering methods, into a financial institution or payment processor’s systems. The criminals were then able to create new accounts or use compromised existing accounts and distribute compromised debit/credit cards to their gang, who made withdrawals at ATMs in a coordinated manner. Because they had control of the card management system, the criminals could manipulate balances and withdrawal limits to allow ATM withdrawals to continue until the ATM machines were empty of cash. Just to be clear, the attacks didn't exploit vulnerabilities in the ATM itself. The ATM was used to withdraw cash after vulnerabilities in the card issuers authorization system had been exploited. The reason we know about it is because the PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin warning sites about the problem.

Typically, in the world of IT, people write blogs and articles, or they give presentations, talking about a bad experience they had and what lessons they learned from those experiences that other mainframe users could learn from. And from that, the security of mainframe sites has improved over the years. The problem is that mainframe-using organizations that have been hacked aren’t talking about it. They are not telling their story so that other sites can learn from their misfortune. Nor are they revealing how big a ransom demand they faced – which would give other sites an idea of how eye-watering a sum they’ll be asked for when the ransom arrives. Nor are they revealing how much they actually paid – which would tell other sites how much to put by in case of an attack, and what percentage of the ransom demand they could get away with paying.

The news was full of stories about Colonial Pipeline and JBS earlier this year, and SolarWinds at the end of last year. Those companies have revealed how much they paid the hackers. The point I’m trying to make is that mainframe users should also be making it public when they have been hacked for the reasons mentioned above. It is for the good of all organizations that use a mainframe that those companies who are breached do reveal all.