This investigation examines the economic impact of data breach incidents on business organizations in general and on Honda Canada in particular. Data breach incidents are increasing every day, and such incidents significantly damage consumers' trust in a firm's ability to protect the privacy and confidentiality of their personal information. With computer security breaches growing at a rapid pace, this research is of critical significance: it is imperative for every business organization to implement strict data security policies to safeguard consumers' personal information from unauthorized intruders. The recent data theft at Honda Canada motivated this exploratory study of the economic impact of data breaches on a firm's financial performance.
The study is based on a mixed approach to data collection. Primary data will be collected through email surveys, and secondary data by reviewing the literature and by a comparative case study of three different multinationals. The study sets out to uncover the possible economic impacts of the data breach on Honda Canada and the measures that could be taken to mitigate such incidents. These cases were chosen because they demonstrate what can go wrong during a data breach.
The findings of this study show that certain factors contribute to data breach incidents within an organization, such as weak email security and poor employee training. The research provides a basis for analyzing the economic impact of data breaches, the manner in which information security best practices are applied in firms, and the issues surrounding validation of the intended security policies. Moreover, the study reveals that the breach had a great economic impact on Honda, not only in monetary terms but also as a significant loss of brand perception.
Keywords: Data Breach, Honda Canada Data Breach, Comparative Case Study, Data Leak Threats.
CHAPTER ONE: INTRODUCTION
Business organisations are entrusted with highly important and confidential data containing personal and economic information about their clients and employees. The repercussions of any breach, irregularity or unauthorised access to this confidential data can be critical for the organisation. The corporate sector has an obligation to maintain, store and secure this sensitive information and to ensure its clients' privacy (Comerford, 2006; Nelson, Isom, & Simek, 2006). Data breaches are incidents consisting of unauthorized access to the sensitive or confidential data of a firm (Kraemer & Carayan, 2007; Schwartz & Janger, 2007; Silverman, 2007).
A data breach creates the risk of an intrusion into the firm's sensitive information (Comerford, 2006; Kraemer & Carayan, 2007; Ries, 2007; Schwartz & Janger, 2007). For instance, an intruder could gain access to privileged firm-client documents containing proprietary information, trade secrets, shareholder information and/or other private data that may damage the firm if made public (Comerford; Johnson, 2008; Ries). Therefore, the problem examined in this investigation is to determine the impact of data breaches on business organizations. The author examines the impact of the data breach on Honda Canada as a case study.
1.1.1 Automobile Industry Background
One of the major mergers in the industry was between Daimler and Chrysler, powerful companies representing Germany and the USA respectively. The impact of this mega-merger on the automobile industry was huge; it set new parameters for the industry and triggered many cross-border tie-ups, for example the alliance between Nissan and Renault, Ford's acquisition of Volvo's passenger car division, and the tie-up between Fiat and Mitsubishi. Further tie-ups took place between companies that already had a joint relationship, such as Toyota and Daihatsu, and GM and Suzuki, which increased their cross-shareholdings as a corporate strategy of their groups.
Honda Canada manufactures and distributes vehicle products such as motorcycles, automobiles and trucks (interview.com, 2011). The Honda group also produces marine engines, jet engines, sport utility vehicles (SUVs) and fuel-cell cars. The company has expanded globally, with a particular focus on the US, Japan and South America. It has been successful in the car industry for many years and was considered conscious of the security of customer data. However, the data breach incidents have shocked the industry to a great extent.
1.1.2 Honda Canada background
Honda Canada is also one of the companies that was seriously affected by the recent economic recession. The company then encountered a serious hacking incident in which a hacking group stole the personal details of almost 280,000 of its customers. Honda Canada's major product categories include Honda automobiles (Honda and Acura cars), motorcycles, Honda Marine, Honda power equipment and Honda engines (including jet engines). Honda is a market leader in the automobile industry.
Soichiro Honda was a mechanic at a Japanese tuning shop, where he tuned cars and entered them in races (iloveindia, 2011). He was a self-taught engineer. He tried to improve the piston rings used by Toyota by developing a new manufacturing technique. Initially his designs were rejected, but after a long struggle he obtained a contract to supply Toyota with piston rings. He set up a new factory with Toyota's help, where the piston rings were to be made, but an earthquake destroyed the factory. After this destruction he founded the "Honda Technical Research Institute" in Hamamatsu, Japan. In November 1947, the ½-horsepower A-type Honda engine went into production. Honda then partnered with Takeo Fujisawa in 1948 and introduced a new 90cc engine, the B-type, which proved very successful. According to the same source, Honda introduced the C100 Super Cub in 1950, a bike aimed partly at women riders; with this bike Honda entered the US market, establishing American Honda Co. in 1959, and the source also dates Honda's entry into Formula One racing to 1960. Honda's success in the car market came with the N600 model in the US, which won over American buyers with its fuel efficiency and affordability. Honda believes in innovation, and its success has been sustained by continuously introducing innovative products. Honda is one of the leading automobile companies.
Honda entered Canada in 1969, and since then the company has set great milestones in the history of the Canadian automobile industry. On its official website (Honda Canada, 2011) these achievements are listed under the heading "Honda Canada milestones" as follows:
In 2000, North America's first gasoline-electric hybrid was launched
In 2001, 2 million Honda vehicles had been sold in Canada
In 2002, achieved "Gold Champion Level Reporter" status for energy conservation at the "Voluntary Challenge and Registry"
In 2003, Honda Canada received the "Leadership Award" in the auto manufacturing category at the VCR awards ceremony
In 2005, the Honda Canada Foundation was launched.
In 2006, the Honda Civic Hybrid won the AJAC award for alternative power vehicle.
In 2008, the Civic was announced as the best-selling vehicle in Canada for 11 consecutive years.
In 2009, the four-cylinder Honda Accord and Civic received the "EcoEnergy Vehicle Award" as Canada's most fuel-efficient cars.
In 2010, the same awards as in 2009 were received again, plus one more award for the Acura ZDX in the "Design Breakthrough" category.
These awards were received between 2000 and 2011; the company also won many awards before this period.
1.2 Statement of the problem
Cyber crimes are very common these days because the widespread use of information technology enables companies to share their data across the globe via the Internet. Hackers with criminal intent always try to take advantage of online data sharing systems, and security issues related to data breaches from online information sharing are on the rise. It is therefore imperative to examine and analyze these issues in order to find out how business organizations can safeguard important data from online intruders. Security issues affecting customer privacy are very critical, and the impact of data breaches on business organizations and their customers is very negative; identity theft is one of the possible consequences of such cybercrimes, where the identity of a client is used to perform transactions with malicious intent. During the previous year Google alleged that China was involved in supporting hacking activities and announced that some accounts had been seriously compromised, but China denied the allegations. This was a major issue disclosed by CBC News in the article "China denies Google hacking allegations" (CBC News, 2011).
1.2.1 Research aims
The research will be conducted to achieve the following aims:
To provide comprehensive detail conveying to investors and customers the nature of the breach and its economic impact.
To find the best solution to prevent this kind of breach in the future.
Finally, the study will unravel the important effects of the data breach on the wider economy. The stakeholders in this sense are not only the customers of Honda Canada but also the public. The incident will have a great impact on the future sales of Honda Canada, because it is alarming that such a large corporation as Honda Canada is vulnerable to a data breach. This incident will certainly affect the decisions of customers who are considering future dealings with Honda Canada. Every customer wants a safe transaction and expects his or her confidential information to remain confidential and secure. Consequently, this incident will affect the future sales of the company.
As discussed in the previous sections, the impact of data breaches on business organizations is very negative, as stolen customer and company data may be used by rivals and competitors in the market. However, there is a paucity of research on the negative consequences for business organizations when valuable organizational data is stolen or data breach incidents occur due to a lack of necessary security measures. The author intends to fill this gap by conducting research to achieve the following objectives:
To examine and investigate the impact of data breaches on business organizations
To critically analyze the security measures in place to prevent data breaches
To offer recommendations to the management to strengthen the security measures to avoid data breaches
The above objectives are achievable because the research will first treat the cause of the breach as the suspect, and then move from the cause of the breach to its impact: the economic condition of the company, assessed by comparing the balance sheets before and after the breach, and the public perception of the company after the breach. The research will then look for ways to minimise the adverse impact of the breach and for the best solution to prevent such incidents in the future. In this way the objectives can be achieved once all steps of the research have been completed.
1.2.3 Research Questions
The research will particularly answer the following questions:
1) What are the possible economic impacts of the data breach on Honda Canada?
2) What measures should be taken to counter the impact of a data breach?
This study is organized into five chapters. The first chapter has introduced the aims and objectives of the study, the problem statement it addresses and the research questions the author will attempt to answer. In the next chapter the author reviews the literature on data breaches and the security measures to prevent unauthorized intrusion. In the third chapter the author offers details of the research design and methods of data collection. The fourth chapter offers a detailed discussion of the results of the data collected, and finally, in the fifth chapter, the author offers conclusions and recommendations based on the findings of this study.
CHAPTER TWO: REVIEW OF RELATED LITERATURE
In this literature review, the author analyses the impact of data breaches on business organizations, with a special focus on Honda Canada, which the author has taken as a case study. Next, the author examines information security policies and computer security breach incidents in relation to safeguarding client and firm data. The author then reviews topics relevant to security breaches: data breach incidents, data leakage threats and information security assessment procedures. The chapter concludes with what is known and unknown regarding this topic, along with the contribution this study makes to the field.
2.2 Data Breach Threats
Data breach threats can be divided into two types:
Internal threats: this type of threat can be the more harmful because it originates within the organisation or company. It covers threats such as an employee whose loyalty has been compromised, and any compromise of data for which an employee is responsible, whether through a lax security system or through information being exposed to an external person or organisation in return for something.
External threats: this type covers attacks such as phishing, password hacking, unauthorised access by an external entity (for example by bypassing the firewall), hard disk theft, and malware and viruses.
Phishing attack: originally, phishing was recognised as the use of electronic mail messages designed to look like mail from a trusted agent, such as a bank, auction site or online commerce site. The phisher sends these messages to implore the user to take an action such as validating their account information. These messages often use a sense of urgency to motivate the user to act. Phishing originated in the 1990s on an American online service, the AOL network. In the early 1990s many hackers (also called phishers) created fake accounts by registering with a fake identity and automatically generated fraudulent credit card details. According to Jakobsson and Myers (2007, pp. 1-10) the attackers did not stop at AOL, and phishing soon spread to other Internet applications.
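The three indicators named above (a message that impersonates a trusted sender, a link that does not go where it appears to, and urgency language) can each be checked mechanically. The following is an added example, not code from the original thesis or from any of the cited works: a small heuristic scorer in Python. The brand-to-domain table, the weights, and both sample messages are constructed for the example.

```python
"""Added example (not part of the original thesis): scoring an e-mail for the
phishing indicators described above, namely a display name that impersonates a
trusted brand from an unrelated sending domain, a link whose visible text points
at a different host than its href, and urgency language. The brand/domain table
and both messages are constructed for the example, not real mail."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that pressure the reader to act; extend from real samples in practice.
URGENCY_TERMS = (
    "verify", "validate", "suspended", "immediately",
    "within 24 hours", "account will be closed", "urgent",
)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)


def sender_domain_mismatch(from_header, brand_domains):
    """True when the display name names a brand but the address is not one of
    the brand's known sending domains (assumed table supplied by the caller)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    return any(brand.lower() in name.lower() and domain not in domains
               for brand, domains in brand_domains.items())


def link_text_mismatch(html):
    """Anchors whose visible text is a URL on a different host than the href.
    Returns a list of (shown_host, real_host) pairs."""
    hits = []
    for href, text in ANCHOR_RE.findall(html):
        shown = URL_RE.search(text)
        if shown is None:
            continue
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(shown.group(0)).hostname or "").lower()
        if real_host != shown_host:
            hits.append((shown_host, real_host))
    return hits


def urgency_hits(text):
    lowered = text.lower()
    return [t for t in URGENCY_TERMS if t in lowered]


def phishing_score(msg, brand_domains):
    """Combine the three heuristics into a score with human-readable reasons.
    Weights are illustrative; tune them against labelled mail."""
    score, reasons = 0, []
    if sender_domain_mismatch(msg["from"], brand_domains):
        score += 3
        reasons.append("display name impersonates a brand from an unrelated domain")
    mismatches = link_text_mismatch(msg["body"])
    if mismatches:
        score += 3
        reasons.append(f"link text/href host mismatch: {mismatches}")
    terms = urgency_hits(msg["subject"] + " " + msg["body"])
    if terms:
        score += min(len(terms), 2)
        reasons.append(f"urgency language: {terms}")
    return score, reasons


# Assumed legitimate sending domains for the brand being impersonated.
BRAND_DOMAINS = {"MyHonda": {"honda.ca", "myhonda.ca"}}

# Constructed sample messages.
PHISH = {
    "from": "MyHonda Support <support@honda-secure-login.example>",
    "subject": "Urgent: validate your MyHonda account",
    "body": ("Your account will be closed unless you verify within 24 hours. "
             'Sign in at <a href="http://198.51.100.7/login">https://www.honda.ca/myhonda</a>'),
}
LEGIT = {
    "from": "MyHonda <noreply@honda.ca>",
    "subject": "Your service reminder",
    "body": ("Your next service is due. Details: "
             '<a href="https://www.honda.ca/service">https://www.honda.ca/service</a>'),
}

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_score(m, BRAND_DOMAINS))
```

The constructed phishing message trips all three checks and scores 8; the legitimate reminder scores 0. The heuristics are deliberately independent so that a message which passes one (for example, a phisher who registers a look-alike domain and avoids urgency words) can still be caught by another.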
Password hackers: another type of external threat is password hacking. Hackers have developed software that can cause intrusions, for example key loggers, worms and password matching (guessing) tools. Such malicious software either tries to find a password by matching candidate passwords against it or records each keystroke on a PC and sends a report back to the hacker. Password matching is most effective where passwords are short or common, or where the stolen password store uses a fast hash without per-user salts, since the attacker can then test a whole wordlist against every account at once. According to Jordan (2008), hacking is the art of searching for possible ways to enter a secured system.
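The "password matching" attack above is an offline dictionary attack against a stolen credential store. The following added example (Python, not code from the original thesis or from any cited work) runs it against a constructed dump stored two ways: as unsalted MD5, which falls to one pass over the wordlist, and as salted PBKDF2, where every guess for every user costs a full key derivation. The wordlist, user records and PBKDF2 iteration count are assumptions made for the example.

```python
"""Added example (not from the original thesis): the offline "password
matching" attack mentioned above, run against a constructed credential dump.
Unsalted fast hashes fall to a wordlist in a single pass; per-user salts
combined with a slow KDF (PBKDF2 here) make the attacker redo the full
cost for every user and every guess."""
import hashlib
import hmac
import os

# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["123456", "password", "honda2011", "civic", "letmein", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example


def md5_hex(pw):
    """Legacy storage: one fast, unsalted MD5 per password."""
    return hashlib.md5(pw.encode()).hexdigest()


def crack_unsalted(dump, wordlist):
    """dump maps user -> md5 hex. One table of len(wordlist) hashes covers
    every user at once, so the cost does not grow with the number of victims."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def pbkdf2_record(pw, salt=None):
    """Hardened storage: random 16-byte salt plus a slow key derivation."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt, dk


def verify_pbkdf2(pw, salt, dk):
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, dk)  # constant-time comparison


def make_salted_records(creds):
    return {user: pbkdf2_record(pw) for user, pw in creds.items()}


def crack_salted(records, wordlist):
    """records maps user -> (salt, dk). No shared table is possible: each
    user costs up to len(wordlist) KDF runs. Returns (cracked, kdf_calls)."""
    cracked, calls = {}, 0
    for user, (salt, dk) in records.items():
        for w in wordlist:
            calls += 1
            if verify_pbkdf2(w, salt, dk):
                cracked[user] = w
                break
    return cracked, calls


# Constructed dump: three weak passwords and one that is not in the wordlist.
CREDS = {
    "alice": "password",
    "bob": "honda2011",
    "carol": "civic",
    "dave": "Tr0ub4dor&3-correct-horse",
}
UNSALTED_DUMP = {user: md5_hex(pw) for user, pw in CREDS.items()}

if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    cracked, calls = crack_salted(make_salted_records(CREDS), WORDLIST)
    print(f"salted PBKDF2 cracked: {cracked} after {calls} KDF calls "
          f"of {ITERATIONS} iterations each")
```

Both storage schemes give up the three weak passwords, because salting and stretching do not fix a bad password; what changes is the cost. The unsalted case needs six MD5 computations in total for any number of users, while the salted case needs fifteen PBKDF2 runs here and would need a fresh set for every additional user, which is what makes a large dump expensive to crack.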
Whitman and Mattord (2008) classify threats as accidental or deliberate acts, physical attacks, remote penetration attacks, human errors, acts of God, technical control failures, operational issues, or social engineering, wherein someone is tricked into divulging his/her username and password. Environmental, natural and human threats (Bowen et al., 2006) to firm data adversely affect a firm's operations. Environmental threats include inadequate temperatures in firm server closets, fires and power outages (Bowen et al.; Nelson et al., 2006). Natural threats include hurricanes, floods, high winds, blizzards, tornadoes, earthquakes, volcanic eruptions and wildfires (Myler & Broadbent, 2006). Environmental and natural threats primarily affect the availability of firm data. By contrast, a security breach results from lost, stolen or compromised PII or confidential data through unauthorized access to computerized data (Cassini et al., 2008). Human threats, whether accidental or intentional (Whitman & Mattord, 2008), can directly compromise PII by facilitating unauthorized access to computerized data (Cassini et al.).
2.2.1 Data Breach Incidents
How a firm collects, uses, distributes and disposes of both client and employee information is shaped by the identity theft risks associated with unsecured information on firm computer equipment or networks. A number of websites report data breaches, each with a different set of reported incidents. These websites categorize incidents by sector, namely government, medical, education and business, with a few separating banking/financial from business. The following is a composite of the 2008 breaches.
According to data compiled by Attrition.org, Etiolated.org and the Open Security Foundation, there were 386 data breach incidents in 2008 (Open Security Foundation, 2008). Figure 1 depicts these 386 incidents by sector.
Figure 1: Incidents by sector
The Open Security Foundation (2008) has been collecting security breach information since 2000. Only a handful of security breaches were reported during the early 2000s (Open Security Foundation). Once the ChoicePoint data breach occurred in 2005, 22 states enacted security breach notification laws (Greenberg, 2008), and consequently significantly more security breach incidents were reported (Otto et al., 2007). In 2005, 128 data breaches were reported (Open Security Foundation).
On a yearly basis, the Identity Theft Resource Center (ITRC) also compiles a list of security breaches. The ITRC has been collecting this information for the past four years (Curtin & Ayres, 2009). Bartlett and Smith (2008) report that exposure of PII as a risk management threat has been growing exponentially since 2006, up 140% from 2006 to 2007, with 448 data breaches in 2007. By August 2008, a record number of data breaches (449, compared to a total of 448 for all of 2007) had already been reported on the ITRC breach list (ITRC, 2008a). As of December 31, 2008, 656 data breaches and 35.6 million record exposures had been reported to the ITRC for 2008 (ITRC, 2008b). This large increase of 47% over 2007 is attributed to under-reporting in previous years and to more than one organization reporting the same breach (ITRC, 2009).
For 2008, businesses led the ITRC list with 36.6% of the breaches, followed by education, government/military, medical/healthcare and banking (ITRC, 2008b). The banking industry, however, accounted for more than half of the records compromised, at 52.5% (ITRC, 2008b).
The Privacy Rights Clearinghouse collects security breach incident information from a number of sources, but its primary source is the Open Security Foundation Data Loss Database (Privacy Rights Clearinghouse, 2008). Its chronology of data breaches indicates that over 246 million records have been exposed since 2005 (Privacy Rights Clearinghouse). Greenberg (2008) depicts in Figure 2 a 2008 breakdown of the 880 data breach notifications reported to the Privacy Rights Clearinghouse.
Figure 2: How data are breached
The majority of the breaches (45%) were attributed to lost or stolen equipment, while hacking contributed to only 18% of these incidents. Inadvertent web exposure (14%), lost mail (12%), improper disposal (6%) and insider fraud (5%) were the other reasons given for the incidents reported to the Privacy Rights Clearinghouse (Greenberg).
Schwartz and Janger (2007) believe insider fraud reporting has historically been extremely low because companies do not typically report insider abuse. Romanosky et al. (2008) state that there may be reporting biases with regard to who reports a data breach. According to Sveen, Sarriegi, Rich, and Gonzalez (2007), data breaches are typically under-reported by employees due to disincentives such as embarrassment, lack of positive gains, fear of punitive measures or reprimands, and the time required to complete reporting forms. The lack of commitment and/or incentives to report a security breach incident can have serious consequences, such as malpractice and regulatory compliance penalties (Goldberg, 2008). In 2007, TJX Companies, Inc., the parent company of a number of discount retailers, reported a large security breach involving 94 million Visa and MasterCard records, attributed to the inappropriate use of WEP (Wired Equivalent Privacy) wireless security, inadequate storage of these records, and a failure to encrypt data at rest (Bartlett & Smith, 2008; Berg et al., 2008; Chandler, 2007; Heitzenrater, 2008). WEP's cryptographic weaknesses had been publicly documented for years before the breach, so its continued use was a known risk rather than an unforeseeable one. Because of the inadequate security in place, hackers were able to break into the TJX Companies network and compromise these 94 million records over 18 months before being discovered. This data security breach crossed many jurisdictions (Chandler) and cost approximately $4.5 billion (Berg et al.).
Another security breach incident reported in 2008 involved the Hannaford Brothers supermarket chain (Bartlett & Smith, 2008). Approximately 4.2 million records were compromised in this incident (Bartlett & Smith). As noted by Swartz (2008), the numbers of records compromised are typically grossly understated. According to Bartlett and Smith, only a small percentage of compromised records are used illegally. Even without criminal use of the compromised data, the client's trust in a firm that has reported a security breach incident may be damaged (Bartlett & Smith). However, Chandler (2007) stated that as large numbers of security breach notices are distributed, affected individuals become increasingly desensitized to these notifications.
2.2.2 Information Security Assessment
An information security assessment is a critical exercise for protecting the confidential and sensitive data (Humphreys, 2007; Salmela, 2008) that resides on a firm's network and portable media devices (Batista, 2006; Heikkila, 2006). A security assessment that combines a risk assessment, which identifies the potential threats to a firm's mission-critical assets, with vulnerability scans of applications, ports and operating systems, including mission-critical databases, assists in the mitigation and remediation of potential threats (Batista). The scope of the vulnerability assessment is defined by the identification of the mission-critical assets that need the most protection and the level of risk accepted by firm management (Humphreys; Salmela). Natural, human and environmental threats that are identified can aid in determining the management, operational and technical controls implemented to address them (Bowen et al., 2006; Heikkila).
IT risk assessments are performed to protect a firm's vital business processes and key assets (Batista, 2006; Salmela, 2008). According to Humphreys (2007), the goal of a risk assessment is to evaluate the impact of a threat in terms of confidentiality, integrity and availability (the CIA triad) in the firm environment (Batista). If a database becomes unavailable, staff sit idle, unable to work or bill time, and as a consequence thousands of dollars in revenue can be lost (Bisel, 2007). If a database becomes corrupt or sensitive information is inadvertently disclosed, the cost can include losing the confidence of the client (Comerford, 2006; Desouza, 2008). The firm's reputation is at stake should the trust the client places in the firm be destroyed by the inadvertent or deliberate disclosure of the client's information to unauthorized parties in a security breach incident (Alagna et al., 2005; Desouza; Salmela, 2008). The firm's exposure to lawsuits can run into millions of dollars.
Risk assessment results can be categorized by likelihood of occurrence, impact on the firm's tangible and intangible assets, acceptance of risk with remediation, and acceptance of risk without corrective action (Humphreys, 2007). Whether the firm or an independent third-party security firm performs the assessment, the results are usually presented to the firm's managing partners and the IT department supervisor (Batista, 2006). Managing partners are not typically trained in information security, and therefore the final risk assessment results must also be presented in a format that is easily understood by a layperson (Batista; Heikkila, 2006). As noted by Bowen et al. (2006), this report should not consist of accusations about the risks, but rather of documentation of actual and projected threats and risks, enabling informed business decisions about the corrective controls necessary. The risk assessment should include a review and analysis of compliance with information security policies and procedures by firm employees.
2.3 The Theory and Research Literature Specific to the Topic
2.3.1 Security Policies
According to Baker and Wallace (2007), a security policy defines the actions that can and cannot be taken with company computers. Security policies outline the acceptable actions and use of computers and networks by firm employees (Doherty & Fulford, 2005; Metzler, 2007; Verdon, 2006). Information security policies consist of written documentation outlining the structure of the organization's security posture. Typically, security policies provide guidance on physical and remote access to the firm's data. According to Doherty and Fulford (2006), information security policies should be aligned with the firm's objectives.
Verdon (2006) found that "threats continually evolve, and the countermeasures must evolve too" (p. 47). After reviewing the potential threats to the firm's network, management should develop, implement and distribute a security policy or policies to all employees. According to Whitman and Mattord (2008) and Greene (2006), an effective security policy must establish key goals for ensuring that authorized users can access the network and information resources. Additionally, the security policy must ensure that employees know the penalties for inappropriate behaviour when using the firm's information resources and/or assets. Under the policy, it is the responsibility of each firm employee to protect the confidentiality, integrity and availability of the firm's confidential data.
Security policies are generally a snapshot in time (Belsis & Kokolakis, 2005). Thus, Metzler (2007) suggested using standards or security processes rather than security policies alone, to address the continual need to update requirements as part of security policy maintenance.
Security policies cover topics such as: acceptable use, access control, business continuity and disaster recovery, change control management, confidentiality, data classification, data backup and recovery, disposal practices, e-mail practices, encryption, information protection, information systems security, Internet use, network security, privacy, physical security, remote access, system administration security, incident response, and termination (Greene, 2006; Metzler, 2007; Rotvold, 2008; Verdon, 2006).
Incorporated in the security policy is a clear explanation of the rules governing how the network can be accessed, with a concentration on maintaining confidentiality and identifying the ramifications of a security breach (Greene, 2006; Whitman & Mattord, 2008). Distribution of the security policy to all firm employees (Chen, Shaw, & Yang, 2006; Metzler, 2007) is of paramount importance. Security awareness is a topic all firm employees must understand so that their actions do not jeopardize confidential data in their possession (Nelson et al., 2006).
2.3.2 Data breaches at Honda Canada
In the article "Honda Canada warns customers of major data breach", McCrank (2011) reported that the data stolen by the hacker did not include information that could directly enable identity theft or fraud, such as dates of birth, email addresses, bank account numbers, driver's licence numbers, telephone numbers, credit card numbers, social security numbers or dollar amounts of financing or payments. From this article it can be inferred that the hacked data could not be used directly for profit. The article states clearly that the data that was hacked had been collected in 2009 as part of a series of customer mail programs encouraging Honda and Acura owners to store their information by creating accounts on the MyHonda and MyAcura websites. The breach itself was discovered more recently: according to the article, on 13 May 2010 Honda found suspicious activity on both of these websites, including unauthorised attempts to access account information. The article says that Honda informed the affected customers by email to be wary of any email or message purporting to come from the company and asking for personal details, and told customers that no action was required at that time. Honda also provided a toll-free number, 1-800-839-2826, to help customers with any problem related to the incident (McCrank, 2011).
Jaikumar Vijayan (2011) reported in the article "Update: Honda Canada breach exposed data on 280,000 individuals" that the breach was discovered by Honda in February of that year and that Honda confirmed the data of 280,000 customers had been stolen. The article also links the intrusion to the compromise of an employee's email account. Asked about the delay in informing customers, Jerry Chenkin, executive vice president of Honda Canada, said "that the reason for the delay was that the company needed time to figure out the scope of the breach before it could begin notifying customers". The breach was disclosed very late, as the article makes clear, so there was a real chance that customers had already become victims of fraudulent activity. Chenkin said, "Unknown intruders breached a web server that allows Honda and Acura customers in Canada to set up personal MyHonda and MyAcura websites". These two websites hold the data of about 280,000 customers who were contacted through a program in 2009. Chenkin also stated that the company would undertake a program to secure customers' confidential data by setting up additional security measures so that the incident could not be repeated, and warned customers to be wary of phishing attacks.
In the article, "Data breach effects 4.9 million Honda customers" by Vivian Yeo (2010), the data breach incident also explicated. According to the said article, almost 2.2 million customers in US have been into risk because of the said data breach. It was a data
breach wherein the owners and their cars, information was hacked. Specifically, the vital information that was hacked is names, login IDs and passwords, email addresses and 17 characters Vehicle Identification numbers. The Vehicle Identification Numbers was important information because it is used to send massages to those customers who are registered in the company’s owner link account. These accounts are in MyHonda and MyAcura website accounts, which provides a facility to customers to store their confidential information by creating an account in the said websites. Once a existing customer created an account then all the communication between company and customer takes place through that account. If anyone have the VIN then it could be used to send a massage or mail to the customer and hacked could demand for an personal information from the customer like Credit card information etc. so VIN was an important information that was hacked.
In addition, the breach also affected 2.7 million users of My Acura. However, it only includes the email addresses, as claimed by the Honda Officials. It was also noted in this article that the vendor, which is Silverpop system, might have been the main cause of the breach (Yeo, 2010). The Silverpop is a company or mail server, to provide email facilities and Honda is one of the clients of Silverpop email service providers. From the said article, Silverpop was found as a first suspect in hacking/leaking the information from the email account of one employee of Honda Canada. Hackers breached into that email account through Silverpop server.
In the same article (Yeo, 2010), an expert says that the breach would endanger the identities of the customers if the authorities did not apprehend those responsible for the incident. Attachments, links and vital information may compromise the financial status and identities of the customers, which has been the cause of concern for the authorities.
In another article, by Infosecurity.com (2010), entitled "Honda admits to breach affecting 283,000 customers", it was noted that although some information was compromised, some vital information remained intact and protected from the breach: birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's licence numbers and social insurance numbers. In that sense, Honda told the public to remain calm because of the ongoing investigations and a notification process to counter the data breach incident. Unfortunately, the article explained that the breach occurred in 2009 and that customers were only recently being notified, which is already a delayed reaction on the part of the company.
In the article "Honda hit with class action lawsuit after the data breach" by Caron Carlson (2011), it was mentioned that Honda had received a class action lawsuit because of the data breach incident. The lawsuit arises from the possible identity theft of Honda clients due to the company's neglect, as alleged by the customers.
Another company that was involved in a data breach was Google. When Google opened its website in China, it encountered certain ethical and legal obstacles. In the article "A new approach to China" by David Drummond (2010), the ethical and cultural obstacles that Google encountered in China are discussed. According to that article, Google was the victim of cyber attacks while operating in China, in which certain intellectual property was stolen from the organization. This is one issue that an international organization such as Google has to confront as it operates globally. Google is certainly vulnerable to hacking and other forms of cyber attack where protection from such cybercrimes is inadequate.
The incident that happened in 2010, which victimized confidential Google accounts, proved that no international organization is fully protected from cyber crime. In that incident (Drummond, 2010), the Gmail accounts of Google were hacked by Chinese human rights activists, which caused serious damage to the reputation of the organization. It was noted that the main objective of the hack was to sabotage Google's operations in China because of the censorship that the company enforced on the websites of Chinese human rights activists.
One of the ethical and legal implications of Google's operation in China is that the country asserted its authority over the company regarding freedom of expression. This implies that China asserted that Google had to abide by its local policy, particularly regarding the authority to censor versus freedom of speech. Obviously, Google, as an Internet browser, is an instrument for disseminating knowledge and opinion. However, China's strict enforcement of local laws that allow the government to interfere in the affairs of the people, whether political or otherwise, contradicts certain objectives of Google. In this sense, Google, as a private organization, has the authority to make decisions regarding its operations. However, its freedom to operate became entangled with China's authoritarian and interventionist approach to business.
Honda informed customers very late: as mentioned in many articles, the data was breached in 2010 but the company only learned about it in February 2011. When asked about the delay, the company's executive vice-president, Mr Jerry Chenkin, said that the company was trying to figure out the scope of the breach, as reported in the article "Honda Canada breach highlights lax testing, expert says" by Rafael Ruffolo (2011).
Corporate reporting: -
On the official website of Honda Canada, in the "HONDA NEWS" notice titled "Data Security Notice" (Honda Canada, 2011), customers were notified in May 2011, June 2011 and August 2011. Honda admits that the information included names, addresses, vehicle ID numbers and, in some cases, financial services account numbers, telephone numbers and email addresses. Honda informed customers that the company does not share customer information with unauthorised third parties and does not contact customers asking for financial information. This means that if customers receive any such enquiry, they should inform the company by calling the provided helpline number, 1-800-387-5399. Honda apologised for the incident in that notice on the Honda Canada official site.
It can be seen from the article "Honda Canada hit by online security breach: 283,000 car owners' personal data breached" by Michael Lewis (2011) that Honda does not share or sell customer information with any third party. The data was breached through unauthorised access to customers' personal information on the company's e-commerce sites (MyHonda and MyAcura). Honda apologised for the inconvenience and confirmed that no sensitive information was stolen. The article clearly states that the Federal Privacy Commission has received many enquiries from customers about the breach incident at Honda Canada.
2.3.3 Economic Impacts
A report presented by finance.yahoo.com under the title "Honda Motor Company, Ltd. Commo (HMC)" allows the financial health of the company to be measured and compared with previous years to determine growth before and after the breach incident. This measurement, as depicted in the graph below, compares two elements, assets and liabilities, on the basis of the yearly balance sheet of Honda Canada for the years ending 31 Mar. 2009, 31 Mar. 2010 and 31 Mar. 2011.
Figure Breach Cost Based on Past Assumptions
The table below gives the exact values of total assets and liabilities for the years ending 31 March 2009, 2010 and 2011 (columns: 31 Mar. 2011, 31 Mar. 2010, 31 Mar. 2009; currency in USD): -
From the above chart and table it can be seen that the company does not show any loss in terms of annual income or growth. The total equity for the year ending 31 March 2009 is $40,572,000, as given by the formula: -
Equity = Total Assets – Total Liabilities
Applying the same formula for 2010 and 2011 gives equity of $46,325,000 and $53,692,000 respectively. So the percentage increase in total equity for the year ending 31 Mar. 2011 was greater than that for the year ending 31 Mar. 2010, which in turn was greater than the percentage increase for the year ending 31 Mar. 2009. Liabilities increased more in 2011 than in 2010 and 2009. From the above bar chart it is clear that liabilities were almost the same in 2010 as in 2009, but the percentage of liabilities increased very fast in 2011. So the liabilities show an increase in expenses.
The financial health of Canada can be determined from the article "Update 5-Canada September auto sales fall, but Chrysler up" by Reuters (2011), which reports that sales of Ford and of Honda Canada overall declined in November 2011. It is clearly mentioned that sales in the Canadian market eased by 4.0% in September 2011. GM of Canada also stated that its sales had declined to 16,799 vehicles last September.
2.3.4 Cost of Data Breach
"The cost of a data breach to an organization that suffers one is likely to parallel generally accepted costs borne from the experience of the other companies – that are now considered to be upwards of $200 per individual record breached."
The Ponemon Institute "The 2010 Annual Study: U.S. cost of a data breach" Report: -
In this study, 51 U.S. companies from 15 different industries were examined for the cost of the data breaches they had suffered. The institute conducted individual in-person and telephone interviews with individuals within these organizations. The number of stolen records ranged from approximately 4,200 to 105,000. According to this survey, the cost incurred for each compromised record was $214 in 2010, up $10 from the previous year. This study is very relevant to the Honda breach because that breach was also exposed in 2010, so the cost of the breach according to this report is $214 per record. The report is cited in the article "DATA BREACH: WORTH NOTICING?" by Lawford & Lo (2012, pp. 90-91). According to this article, the cost of the data breach to Honda Canada will be $59,920,000, because the breach compromised 280,000 records and the cost of one compromised record is $214; $214 multiplied by 280,000 records gives $59,920,000, which is a very high cost for the company.
In the article "Millions of Honda owners victims of data breach" by Arik Hesseldahl (2010), it is not yet clear whether the breach is connected to the recent email breach at Silverpop. Honda was an enthusiastic Silverpop customer; Silverpop is the same company whose data was breached in the theft of data from McDonald's and DeviantArt. Although no critical data that could result in identity theft was stolen, some customers, as the article (Hesseldahl, 2010) says, were victims of theft of their VINs.
In the article "Hackers and criminals pose digital threat to car owners" by Sandy Liguary (2011), the Canadian government is described as very conscious of the security of customer data. In 2001 the federal government introduced a new law for the privacy of customer data, PIPEDA (Personal Information Protection and Electronic Documents Act), which establishes rules that companies and organizations must follow. But it still looks weak, because according to the article a lot of cybercrime has been recorded in the last two years but no arrests or convictions have been recorded in Canada. There is a need to amend information protection laws, the article reports.
The article "Cost of a data breach: Honda Canada sued for US$206 Million" by Lee (2011) clearly states that Canadian customers are suing Honda Canada for CAN $200 million, which is $206 million in US currency. This claim covers only customers who had accounts on the Honda websites.
2.4 Security measures
In the book ISA Server 2000 by Bordwell (2001, pp. 165-187), Windows Server 2000 to 2003 is described as having a much broader set of security techniques and software for incorporating security into a server system, which includes: -
Encrypting File System (EFS)
IP Security (IPSec)
Spam Blocker (Junk mail setting)
These are all essential components of server security. Authentication services are for recognising the user: if proper password protection has been assigned to a server, then only authenticated users can access the information stored inside. Authorization services limit the access area of a user, so that a particular employee or user can access only the limited set of data, applications or services on a server system for which he or she is authorised. For example, financial information in a company is accessible only to a very limited set of users (e.g. managers, finance department officers, owners). Authorization protects confidential data from the vast number of other employees: only authorized users can access that information, and the area of information accessible to each user is limited through authorization.
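The two services described above are easy to confuse, so the following is an added example (hypothetical code written for this chapter, not taken from Bordwell's book or from any Honda system) that separates them: authentication proves who the caller is by checking a salted password hash, and authorization then decides, by role, which resource that recognised user may read. The accounts, roles, resource names and passwords are constructed for illustration; anything not listed in the permission table is denied by default.

```python
"""Authentication, then authorization: an added example (hypothetical code, not from
Bordwell's ISA Server 2000 text). Users, roles and resources are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Resource -> set of roles allowed to read it. Anything not listed is denied by default.
PERMISSIONS = {
    "finance-ledger":   {"finance-officer", "manager", "owner"},
    "customer-records": {"customer-service", "manager"},
}

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server never stores the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    digest: bytes
    roles: frozenset

class Server:
    def __init__(self):
        self.users = {}

    def add_user(self, name, password, roles):
        salt = os.urandom(16)
        self.users[name] = User(name, salt, hash_password(password, salt), frozenset(roles))

    def authenticate(self, name, password):
        """Recognise the user: returns the User on a correct password, else None."""
        user = self.users.get(name)
        if user is None:
            return None
        ok = hmac.compare_digest(hash_password(password, user.salt), user.digest)
        return user if ok else None

    def authorize(self, user, resource):
        """Limit the access area: True only if one of the user's roles is permitted."""
        return not user.roles.isdisjoint(PERMISSIONS.get(resource, set()))

    def read(self, name, password, resource):
        """Authentication first, authorization second; each failure is reported separately."""
        user = self.authenticate(name, password)
        if user is None:
            return "denied: authentication failed"
        if not self.authorize(user, resource):
            return f"denied: {name} is not authorized for {resource}"
        return f"ok: {name} read {resource}"

def build_demo_server():
    """Constructed accounts for the example; the passwords are placeholders."""
    srv = Server()
    srv.add_user("clerk", "clerk-pass", {"customer-service"})
    srv.add_user("cfo", "cfo-pass", {"finance-officer"})
    return srv

if __name__ == "__main__":
    srv = build_demo_server()
    print(srv.read("clerk", "wrong", "customer-records"))      # authentication fails
    print(srv.read("clerk", "clerk-pass", "customer-records")) # authenticated and authorized
    print(srv.read("clerk", "clerk-pass", "finance-ledger"))   # authenticated, not authorized
    print(srv.read("cfo", "cfo-pass", "finance-ledger"))
    print(srv.read("cfo", "cfo-pass", "hr-files"))             # unlisted resource: default deny
```

The clerk's third request is the case the paragraph is about: the password is correct, so authentication succeeds, but the role table does not grant customer-service staff the finance ledger, so authorization refuses the read.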
Honda Canada was attacked by hackers through an email; it was a phishing attack, and one of the employees opened the phishing email link. In the book "Microsoft Windows 7 Unleashed" (McFedries, 2009), it is explained that, as protection against phishing attacks, junk mail filtering is always a trade-off between protection and convenience. The strongest protection against phishing attacks is to filter messages from unknown senders: putting their addresses in a block list blocks unknown addresses, and after an email address has been blocked, further messages from it cannot enter the Inbox. The stronger the protection used, the less convenient the filter becomes, and vice versa. This inverse relationship is the result of the filter phenomenon called a false positive: a legitimate message that the filter has flagged as spam and so (in Windows Live Mail's case) moved to the Junk E-mail folder.
A firewall is also an essential security measure against phishing attacks, viruses, worms and many other spam sources. A firewall protects the network from incoming packets. In contrast, a reverse firewall protects the outside network from the packet floods of distributed denial-of-service (DDoS) attacks that originate on the inside, reducing the impact of DDoS attacks mounted from inside the network. Honda Canada should have better firewall protection because the company deals with millions of email enquiries each year from customers and the public. Email flooding is an old technique, in which a flood of messages or packets is sent from many outside machines to overwhelm the server's ability to sort email. A firewall is a security system between the inside server machines and outside attacker or customer machines; it inspects each packet going out and coming in to validate it. Hackers use the flooding method to reach the inbox of the company's email service, and once the phishing email has reached the inbox it is likely to be opened by some employee as an enquiry from a customer. This is how attackers were able to gain access to an employee's account at Honda Canada. The firewall may have been a weak point in the case of Honda Canada, which is why the spam mail reached an employee's mailbox.
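To make the inbound, reverse (outbound) and flood-limiting roles of the firewall concrete, the following is an added example written for this chapter; it is constructed code, not Honda Canada's firewall or any vendor's product. The rule table, addresses (from the documentation ranges) and thresholds are assumptions. Rules are matched first-hit-wins, anything unmatched is dropped, and a per-source sliding window denies any host that sends more than the allowed number of packets in a second, which is the flooding case the paragraph describes.

```python
"""Stateless packet filter with a per-source flood limit. Added example; the rules,
addresses and limits are constructed and do not describe Honda Canada's network."""
from collections import defaultdict, deque

# Constructed rule table: first matching rule wins; a field absent from a rule matches anything.
RULES = [
    {"direction": "in",  "proto": "tcp", "dport": 25,  "action": "allow"},  # SMTP to the mail gateway
    {"direction": "in",  "proto": "tcp", "dport": 443, "action": "allow"},  # customer web portal
    {"direction": "out", "proto": "tcp", "dport": 25,  "action": "allow"},  # outbound mail only
    {"direction": "out", "proto": "udp", "dport": 53,  "action": "allow"},  # DNS
    {"direction": "in",  "action": "deny"},   # default deny inbound
    {"direction": "out", "action": "deny"},   # reverse-firewall default: inside hosts get no other ports
]

class Firewall:
    def __init__(self, rules, max_per_window=100, window_secs=1.0):
        self.rules = rules
        self.max = max_per_window
        self.window = window_secs
        self.seen = defaultdict(deque)   # source address -> timestamps of its recent packets
        self.log = []                    # (verdict, reason, src, time) for every denial

    def _flooding(self, src, now):
        """Sliding window: True once a source exceeds max_per_window packets per window."""
        q = self.seen[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.max

    def check(self, pkt, now):
        """pkt: dict with direction, src, dst, proto, dport. Returns 'allow' or 'deny'."""
        if self._flooding(pkt["src"], now):
            self.log.append(("deny", "flood", pkt["src"], now))
            return "deny"
        for rule in self.rules:
            if all(pkt.get(k) == v for k, v in rule.items() if k != "action"):
                if rule["action"] == "deny":
                    self.log.append(("deny", "rule", pkt["src"], now))
                return rule["action"]
        self.log.append(("deny", "no-rule", pkt["src"], now))
        return "deny"   # nothing matched: fail closed

def demo():
    """Runs constructed traffic through the filter and returns the verdicts by scenario."""
    fw = Firewall(RULES, max_per_window=50, window_secs=1.0)
    results = {}
    mail = {"direction": "in", "src": "198.51.100.7", "dst": "10.0.0.25", "proto": "tcp", "dport": 25}
    results["smtp"] = fw.check(mail, 0.0)                     # legitimate inbound mail
    results["ssh"] = fw.check(dict(mail, dport=22), 0.1)      # unexpected inbound port
    # one outside host sends 60 packets inside a single second: the limit trips after 50
    verdicts = [fw.check(dict(mail, src="203.0.113.9"), 1.0 + i / 100) for i in range(60)]
    results["flood_allowed"] = verdicts.count("allow")
    results["flood_denied"] = verdicts.count("deny")
    # an inside host trying to reach an outside address on a port no rule permits
    out = {"direction": "out", "src": "10.0.0.40", "dst": "203.0.113.9", "proto": "udp", "dport": 9999}
    results["reverse"] = fw.check(out, 3.0)
    results["denials_logged"] = len(fw.log)
    return results

if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:16} {verdict}")
```

The flood limit is deliberately independent of the rule table: the 51st packet from the flooding host is dropped even though inbound SMTP is otherwise allowed, and every denial is logged with its reason so that the behaviour can be reviewed afterwards.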
Virus protection is one of the important measures of security. Plug-in and add-on components have been published by Microsoft to combat virus infection and ensure system integrity. These utilities can be used to scan and remove infected files obtained from the Internet, e.g. attachment files. In the book "E-mail Virus Protection" by Kramer (2000, pp. 1-12), it is noted that e-commerce has become very popular, and that B2B transactions and Application Service Providers (ASPs) are also a recent trend. Companies rent software, applications and services such as e-mail services: there are many application providers that provide services to companies for a charge per month or per year, since it is very costly for companies to run their own servers for storage and to buy their own application software for each server system. Many multinational and national companies are clients of Application Service Providers (ASPs), and these ASPs act as servers for their client companies, so ASPs and companies have a server-client relationship. Honda Canada is also a client of Silverpop's service. Honda uses Silverpop's email service, and the security of that email service was not perfect: a hacker broke through their security and was able to send phishing email to Honda employees.
A server is a fully fledged machine and operating system, such as an Intel system running the Red Hat 6.2 Linux operating system, or a SPARC system running Solaris 8. These server systems are more secure than Windows systems.
Employee training is also essential for handling spammers. In the book "Security+ Training Guide" by Tittel (2003, pp.154-160), spam mail is defined as follows: "spam is defined as unsolicited email, in other words, junk mail. The content of the email doesn't matter; if the sender submits it for their own purpose or gain, or it is something that recipients do not want in their mailboxes, such a message is considered spam". Multinational companies handle millions of spam messages daily. Unfortunately, there is no real solution to this problem that could guarantee 100% efficiency in filtering spam. There are many spamming techniques; among others, spammers often employ bugged messages to track mail-read events and detect live mail addresses. Have you ever noticed that a newly opened email account on a free email site like Yahoo or Hotmail gets spam even if the person has not advertised or used it yet? These addresses are found by harvesting tools. Employee training to identify and handle spam is very important because there is no real way of stopping spammers. This means every employee of the company must judge whether a message is spam or not before acting on it. One employee of Honda Canada was unable to identify the spam, and it cost Honda Canada CAD$206 million; not only this, it also cost a lot in terms of the perception of the company in the eyes of old and new customers. This is also called brand loss.
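The block-list filter and its false positives (section 2.4, McFedries) and the bugged message used to track mail-read events (Tittel, above) are both mechanical checks a mail gateway can make before a message ever reaches an employee, so the following is one added example covering both passages; it is constructed for this chapter and is not code from either book, from Honda or from Silverpop. The sender lists, the sample messages and their domains are placeholders. The filter blocks listed senders, quarantines messages carrying a 1x1 remote image or a link whose visible URL names a different host than its real target, and in strict mode also quarantines any sender not on the allow list, which is where a legitimate first-time sender becomes the false positive the text describes.

```python
"""Mail triage: block list, phishing indicators and the 'bugged message' tracking pixel.
Added example (constructed; not code from McFedries, Tittel, Honda or Silverpop)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists; the addresses are placeholders, not real senders.
BLOCK_LIST = {"promo@example-offers.test"}
ALLOW_LIST = {"billing@supplier.example"}

IMG_TAG = re.compile(r'<img[^>]+src=["\']?(https?://[^"\'\s>]+)[^>]*>', re.IGNORECASE)
SIZE_ONE = re.compile(r'\b(width|height)\s*=\s*["\']?1\b', re.IGNORECASE)
ANCHOR = re.compile(r'<a[^>]+href=["\'](https?://[^"\']+)["\'][^>]*>(.*?)</a>',
                    re.IGNORECASE | re.DOTALL)

def html_body(msg):
    """First text/html part of the message as text; empty string if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""

def tracking_pixels(html):
    """Remote images sized 1x1: the read-tracking 'bug' the text describes."""
    return [m.group(1) for m in IMG_TAG.finditer(html)
            if len(SIZE_ONE.findall(m.group(0))) >= 2]

def mismatched_links(html):
    """Anchors whose visible text is a URL on a different host than the real href."""
    bad = []
    for href, text in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                bad.append((shown, href))
    return bad

def triage(raw, strict=False):
    """Classify one raw RFC 822 message as 'blocked', 'quarantine' or 'inbox'.

    strict=True also quarantines every sender not on the allow list: the strongest
    protection, at the price of false positives on legitimate new senders.
    """
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr in BLOCK_LIST:
        return "blocked", ["sender on block list"]
    html = html_body(msg)
    reasons = []
    if tracking_pixels(html):
        reasons.append("tracking pixel")
    if mismatched_links(html):
        reasons.append("link text/href host mismatch")
    if reasons:
        return "quarantine", reasons
    if strict and addr not in ALLOW_LIST:
        return "quarantine", ["unknown sender (strict policy)"]
    return "inbox", reasons

# Constructed sample messages (placeholder domains; 203.0.113.0/24 is a documentation range).
PHISH = """From: "Account Team" <alerts@invalid-sender.test>
To: employee@example.test
Subject: Verify your account
Content-Type: text/html

<html><body><p>Please sign in: <a href="http://203.0.113.5/login">https://portal.example</a></p>
<img src="http://tracker.invalid-sender.test/p.gif" width="1" height="1"></body></html>
"""
LEGIT = """From: newsletter@partner.example
To: employee@example.test
Subject: Monthly update
Content-Type: text/html

<html><body><p>Read more at <a href="https://partner.example/news">https://partner.example/news</a></p>
<img src="https://partner.example/logo.png" width="120" height="40"></body></html>
"""
BLOCKED = "From: promo@example-offers.test\nSubject: Offer\n\nplain text\n"

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT), ("blocked", BLOCKED)):
        print(name, triage(raw), triage(raw, strict=True))
```

Run both modes on the legitimate newsletter to see the trade-off: with strict=False it reaches the inbox, with strict=True it is quarantined only because its sender is unknown, while the constructed phishing message is quarantined in either mode on the strength of its content.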
2.5 Chapter Summary
Security policies allegedly help to prevent security breach incidents (Baker & Wallace, 2007; Da Veiga & Eloff, 2007; Doherty & Fulford, 2005; Hong et al., 2006; Keller et al., 2005; Metzler, 2007; Myler & Broadbent, 2006; Verdon, 2006). Doherty and Fulford found no statistical relationship between security policies, security breach incidents and their economic impact on firms. However, they did not examine whether the security policies were initiated by the security breach or were already in place when the security breach incident occurred.
In this dissertation, the author contributed to the body of knowledge by affirming the literature on security breaches and on the security policies that can help business management avoid data breach incidents (LaRose et al., 2008). This chapter confirmed that users are unmotivated to download security software while in the middle of a project, or feel incapable of making an appropriate decision about whether they should install security software (West, 2008).
CHAPTER THREE: RESEARCH METHODOLOGY
This chapter includes information about the different spectrums of research, the research approach, the research design and the limitations of the research. Its purpose is to articulate the research aims and objectives clearly, underscored by the manner in which the aims and objectives will be met by the data analysis. The first section of this chapter describes the research design and the survey. The next section focuses on setting up a detailed foundation for the research as a whole, which includes the case study methodology.
3.2 Research question design
The research questions have been designed very carefully so that the research meets its aims and objectives. The first question will generate an answer to achieve the first aim, which is:
Aim 1: To compile comprehensive detail to convey to investors and customers about the breach and its economic impact.
The first question will provide information about the scope of the breach and the current condition of the company after this serious incident, and this information will help investors and customers in making decisions about future deals. The question is "What are the possible economic impacts of the breach to the economy of Honda?" This question will also provide sound knowledge to meet the first two objectives, which are as follows:
To examine and investigate the impact of data breaches on business organizations
To critically analyse the security measures in place to prevent data breaches
The first question will also identify the hidden and visible costs incurred by the organisation and analyse the total impact, while investigating the security measures used by Honda. The question will establish what the security measures are, what kind of loopholes exist in the security system and how those loopholes could be mitigated.
The second question will investigate the security system from top to bottom and generate sound, effective recommendations for securing the systems in future. The second aim will be achieved through this second question. The answers to both questions will be generated through secondary and primary research.
3.2 Qualitative Research Assumptions
Chen and Hirschheim (2004) asserted that a researcher's assumptions about the research design, data collection, data analysis and interpretation of the results are the foundation of the selected methodology. It is important to consider the appropriate techniques for obtaining valid evidence to support such assumptions.
Quantitative research can be research that either describes events or aims to discover inferences or causal relationships. Descriptive studies are used to find out "what is" and rely mostly on observational and survey methods to collect descriptive data (Borg & Gall, 1989).
The method evolved during the initial research, following both the investigation of the literature and new learning in mixed (qualitative, quantitative) research and exploratory methods. The literature enlightened my understanding of practical and effective methods for researching the economic impacts of the data breach at Honda Canada. New learning in qualitative and interpretive methods enabled me to adapt an appropriate method for the unique focus of this study.
Considering the aims and objectives of this study, the research required qualitative research techniques, because the research needs to draw data from old records such as balance sheet reviews, achievements and new milestones to judge the growth of the company before and after the breach.
The research started with the question "What are the possible economic impacts of the data breach to the economy of Honda Canada?" This enquiry leads towards exploring the cause, scope and economic impact of the breach. The particular focus was on exploring the whole incident, how it happened and its current and future impact on the company. The research reviewed related published resources about data breaches and the scope of their impact on the company. It also reviewed current and classical literature to find relevant solutions so that such mishaps could be avoided. Most of the data was collected from published literature such as articles, journals, books and Internet resources. The research was exploratory, seeking the cause of the breach, the scope of the economic impact and, finally, the best solution or protection technique against such incidents in the future.
The research approach followed the method of secondary research for its data collection, using qualitative techniques as suited the nature of the topic, because the research intended to answer the following questions: -
What are the possible economic impacts of the data breach to the economy of Honda Canada?
What measures should be taken to counter the impact of the data breach?
It is imperative that, while undertaking research of this nature, different research paradigms are taken into consideration. Looking at the research paradigms, and to answer the research questions, the research required both qualitative and quantitative data. Furthermore, the research explored related qualitative literature from journals, articles, newspapers and surveys to judge the financial loss to the company's brand name after the breach. It was also essential to scan several secondary resources to assess the impact of the breach and to reach the best solution to the problem so that such incidents could be avoided in future.
There is a varied range of research philosophies that can be considered when undertaking a research topic; there are three basic ones: positivism, interpretivism and realism. The three positions can be thought of as follows:
Figure Positivism, Interpretivism and Realism (Coleggment, 2011)
3.3.1 Positivism and Realism
The essence of positivism is that a study should be objective. Objective data is based on scientific research, observation, survey and interview results, and is unbiased; no personal feelings or opinions should be included, and the conclusion should be based on the facts or research results. On the other hand, the realism approach to research concentrates on facts that are more realistic and conclusive; moreover, it also refers to real facts that are already published and are utilised for the purpose of further research.
Interpretivists (McNeill & Chapman, 2005, pp.14-20) argue that only through the particular interpretation of, and intervention in, reality can that reality be fully understood. The reporting of phenomena in their natural environment is key to the interpretivist philosophy, together with the acknowledgement that scientists cannot avoid affecting the phenomena they study. They admit that there may be many interpretations of reality, but maintain that these interpretations are in themselves a part of the scientific knowledge they are pursuing. The whole effort should result in subjective research. Subjective means that the investigator can include his or her personal views or feelings about the topic; the researcher can derive conclusions from personal feelings, which could be biased.
This research will follow the first approach, known as "positivism". The whole research will be centred on actual evidence, survey and observation results. The whole study should be unbiased, and conclusions will be based on real outcomes established on the facts. No personal feeling or judgement can be included if the real condition of Honda Canada is to be delivered. The whole analysis is based on the "economic impacts of the breach"; to find out the real situation of Honda, the study needs to be objective, not subjective. The whole work is based on systematic research, so the data will be collected from printed resources such as journals, articles and books.
3.4 Data Collection Methods
Generally there are two data collection methods: primary data and secondary data. We have chosen a mixed type of research drawing on both primary and secondary sources. For this particular research, primary data is mainly collected through surveys of Honda customers and Honda employees. This technique is dictated by the nature of the research questions, which require data from the customers and employees who were, respectively, directly affected by and the cause of this breach incident. The survey among customers will be conducted to learn the perception of customers (existing customers and new customers seeking Honda products) of Honda after this serious breach incident. Secondary data is the other source of data collection, which comprises already published data. For research purposes both types of data will be needed. Secondary data will be collected from various internal and external sources. Internal sources are the company's annual sales reports, balance sheet, budget reports and other performance reports released by the company, together with data of other companies that have faced similar incidents previously. External sources are government publications, Internet-based e-journals, newspaper articles, books, journals and other sources. The following figure represents the research methodology for data collection. This dissertation's main methodology is four case studies of previous data breach incidents at different companies. A case study approach, as defined by the academic Robert K. Yin, is "an empirical inquiry that investigates a contemporary phenomenon within its real-life context; when the boundaries between phenomenon and context are not clearly evident; and in which multiple sources of evidence are used" (Yin, 1984, p. 29).
Moreover, "The case describes the scenario in the context of the events, people and factors that influence it and enables students to identify closely with those involved. When multiple cases are examined then it is called a comparative case study" (CAPAM, 2010, p. 1). A case study lays down the foundation for presenting data from a previous situation and using this information to link it to the research questions. This type of qualitative methodology can be quite broad and difficult, as an enormous amount of data can potentially be found, particularly if more than one case study is used.
Soy describes case study research as a six-step process in the following order:
Determine and define the research questions
Select the cases and determine data gathering and analysis techniques
Prepare to collect the data
Collect data in the field
Evaluate and analyze the data
Prepare the report
For the purpose of this research, a comparative case study will be used. This will involve case studies of Apple, Sony, Epsilon, and Tricare and SAIC. These case studies allow for an in-depth understanding of these breach incidents and their impacts on the companies. It is believed that after conducting a comparative case study of all four companies, together with the literature review, issues related to the causes of data breaches can be understood, learned from, and applied to the Honda Canada breach incident. Furthermore, a better understanding of the mitigation of such incidents can also be highlighted through this study.
Figure Research Methodologies For Data Collection
3.4.1 Sampling Technique and Size:
The research needs a straightforward sampling technique, meaning that random samples have been taken and analysed on the basis of percentages. The target population is the employees and customers of Honda Canada. The sample size is 100 random samples in each survey. Two surveys have been prepared, one for employees and the other for customers/the public.
Why this survey is needed:
There are previous assumptions through which we can estimate the relative cost of this breach, but as time changes conditions change, and the cost of these incidents might also change. We can estimate from past assumptions, but we can improve visibility by carrying out deep primary research in this age of technology to properly investigate the real cost of this breach. This primary research will also explore the possibilities for preventing such incidents in future. In short, we are widening our horizons of research through this investigation to get a much clearer picture of the incident. Honda declined interviews with its corporate leaders about this incident, so the second most reliable and trusted pool of information is the employees and customers of Honda. This survey will also help in gaining insight into customer perception of the company after the incident. So this survey is for exploring Honda's employees, training programs, loopholes in the security system, customer perception, hidden costs, etc.
3.4.2 Customers Perception (Sample A):
The target population for the survey is existing Honda customers and the public of Canada from two major cities, Toronto and Vancouver. 100 samples have been collected to get clearer insights and more certainty. My best friends helped me in collecting this information from Canadian customers. It will help to calculate the brand name loss of the company, for example what percentage of customers/the public is still seeking to buy a Honda product.