Data breach scenario II

Rahul stared desperately at the phone display, praying to every God he knew to turn the two tick marks blue. He had sent out frantic messages on a popular messaging app to at least three editors at a newspaper publication house. As the seconds ticked away, Rahul’s helplessness increased. He had opened and shut the Sentiment’s website at least half a dozen times already, yet the error message that greeted him as he tried to log in did not change. “The user name and password combination you have entered is incorrect.” A quick look at the stock market indices confirmed his worst fears. There was going to be hell to pay, and Rahul was certain that he would be paying most of it.

As a 27 year old graduate living in Mumbai, Rahul had been blessed with a fortunate life so far. Millennial disillusion with a corporate career pushed Rahul towards the independent life that freelancing offered. After starting out by contributing to a couple of local magazines, his investigative story on insider trading had been picked up by an editor at the Deal Street Sentiment, and published by the 100 year old leading financial daily in New York. Since then, he had become a regular contributor to the Sentiment, and a few other foreign publications that didn’t have a dedicated correspondent in India.

His usual routine was to wake up around 1:00 p.m. and head off to the local coffee shops near his house for brunch and some writing. He liked writing in coffee shops because of the reliable Wi-Fi connection most of them offered for free. Plus the muffins were always freshly baked.

However, 6 April 2018 had been different. Strangely, the local coffee shop was shut without notice. Somewhat frustrated at the disruption to his normal routine, Rahul had made his way to the next café around the Fort area. To make matters worse, it started to rain just as he turned at the corner of the street, forcing him to seek shelter underneath a newsstand. There, among the canopy of headlines, he took note of the top story of the day: The upcoming IPO of a prominent pharmaceutical company, Safeguard & Co. that had recently produced a miracle drug (awaiting FDA approval), which they claimed could cure Alzheimer’s disease. Rahul made a mental note to pitch a story around this topic to one of his London based editors, and moved on as the rain turned into a drizzle.

Rahul was unfamiliar with this new cafe and it took him a while to find the right counter to place his order. Understandably flustered by the day’s events, he failed to notice that the Wi-Fi network had not prompted him to enter a password, and had automatically connected his laptop to the internet. Mid-way through responding to 10 hours’ worth of emails and assorted pings on his phone, he realized this. “Looks like all chains of this coffee shop have the same password. My laptop must have saved the old password and reconnected automatically once it detected a network,” he thought, before getting back to editing one of his stories, which he was sending for publication to the Sentiment.

Cut to today, 1 May 2018, the worst day of Rahul’s life. At 11 a.m. he had been roused from his sleep by a friend who shared the link to a Tweet that was going viral. The Tweet referenced a Deal Street Sentiment article stating that the FDA had banned the miracle drug produced by Safeguard & Co. “That will surely send the stock price crashing,” chuckled Rahul as he read through the article. He froze as he came upon the by-line and the author’s description. “Rahul, 27, is a freelance journalist based out of Mumbai.” In an instant the gravity of the situation became clear to him.

Rainy day troubles

Rahul’s troubles at the Fort cafe didn’t end with the obviously unfamiliar environment. Unknown to him, this cafe was the haunt of Sheila, a gifted 19 year old coder with a knack for hacking and selling the personal data of unsuspecting internet users. Sheila usually set up Wi-Fi hotspots near coffee shops, deliberately using the coffee shop name as the Wi-Fi name. Rahul had, on that rainy day, logged into the honeypot Wi-Fi network set up by Sheila. Once he started using her Wi-Fi hotspot, she could see all his network activity, and even capture the user ID and login information used for the various sites he visited, including his credentials for the Deal Street Sentiment.

By that evening Sheila had sold all of Rahul’s information to a data broker. Rahul’s Deal Street Sentiment credentials, were purchased from the data broker by an anonymous user based in Panama. The user waited until the opportune moment of Safeguard & Co.’s public listing in the New York Stock Exchange before using Rahul’s credentials to log into the Sentiment’s network, and alter a previous story filed by him on this topic. The Sentiment did not have any secondary checks to prevent changes made by authors to their existing articles.

On the morning of 1 May 2018, the user first changed the password of Rahul’s account, and then changed the headline and contents of the existing story to make it seem as if the FDA had just banned Safeguard & Co’s Alzheimer drug on account of it being unsafe. He had already shorted significant amounts of Safeguard’s stock in the derivatives market earlier in the week. The article quickly gained traction on social media and led to a massive investor selloff. The stock value dropped nearly 30% within seven minutes of the story going live, in which time Rahul frantically messaged his editors, and realized that his career in journalism was probably over.

The aftermath

It wasn’t until 3:00 p.m. that the Sentiment was able to take the story off the internet and issue an apology. In the meantime, rumors of a large scale data breach of the Sentiment network had begun circulating, and the organization was forced to issue a clarification and apology. That evening, Safeguard & Co. filed a defamation suit against the Sentiment for running an unverified story and ruining its chances of raising capital. The newspaper was forced to hire security experts to determine how much of its network had been breached, and what could be done to contain the damage. A week later, there was still no clarity on how much data was compromised and the Sentiment had agreed to settle the case with Safeguard & Co. Rahul’s contract wasn’t terminated because of a legal loophole, but it was made clear to him that it wouldn’t be renewed.

A version of this blog post appeared on etcio.com, an initiative of The Economic Times. You may read the article here.

If you have any comments or would like to share your views, please write to us at inforensic@deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publically available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.