One fixture of computer break-in stories is the estimated cost of these crimes. The price often runs as high as seven figures—totals hard to ken for merely pilfering the digits out of a few boxes of metal, plastic and silicon.
One source of these high figures is the Department of Justice. Last year, the agency reported that a one-night hacking spree by a disgruntled ex-employee set back Cyber City, a computer network consultancy, more than $100,000—and that Acxiom, a data broker, spent more than $7 million to repair 139 remote attacks against its database by a hacker in Boca Raton, Fla.
Warehouses have burned to cinders, and the damage has been valued at less. So are these figures hype?
While it’s true that not all network mischief comes at such a high price, John Sgromolo, lead investigator for digital forensics at Verizon Communications and a former special agent with the United States Naval Criminal Investigative Service, says that such large sums are the real deal. More or less.
Consider cases in which a hacker brings down a server that’s used for selling products. “If you’re averaging $3,000 an hour on this server, that’s not hard to figure out based on how many hours it was down,” Sgromolo says. Then there’s the cost of replacing damaged equipment and the hours spent on repairs, installation and recovery.
Nevertheless, he admits, these estimates “are fueled by another concern: criminal prosecution, including amounts for fines and restitution.” Prosecutors tend to aim high, he says, while defendants argue for dismissing some of the costs.
Even crimes that don’t result in lost revenue can rack up significant bills. According to The Associated Press, the University of Texas spent $167,000 to mop up the mess presumably left by one of its former students, Christopher Andrew Phillips, who was indicted last November for breaking into UT’s student records early in 2003. Phillips allegedly hauled off the identities of more than 37,000 students, faculty and staff.
Student records may not have a lot of financial value, Sgromolo explains, but those records may need to be recreated. In addition, the university may have had to hustle to inform the victims, possibly requiring extra staff and overtime charges. UT officials weren’t available for comment.
In sum, there can be more value floating around inside those Internet-wired boxes than in a Brink’s safe. Therefore, it’s more important than ever for businesses to make sure their digital property is locked up tight.