Tag Archives: hacking

The biggest tech turkeys of 2015

The year’s most notable embarrassments in technology run the gamut from the industry’s inability to secure our personal data to the blunders of Airbnb, Twitter and Tinder.

Thanksgiving is almost here, but a look at this year’s list of tech turkeys may stir up memories of Halloween.

It’s scary just how vulnerable we are.

In 2015, hackers went to town with seemingly nonstop breaches. Anthem, the big health insurer, fell victim to the theft of personal information of 80 million customers and employees. That’s one out of every four Americans. Meanwhile, the identities of 30 million would-be adulterers were revealed after hackers got into Ashley Madison, the cheat-on-your-spouse website.

Companies also had a frightening habit of tripping over themselves. Airbnb insulted its hometown of San Francisco with a billboard campaign that appeared to gripe about paying the taxes it owed for short-term rentals in the city. Sean Rad, CEO of dating-app maker Tinder, meanwhile, demonstrated surprisingly poor knowledge of the English language.

Volkswagen gets a special mention for gaming fuel-emission tests via the software in its cars. And BlackBerry, long proud of going its own way, finds itself pinning its comeback hopes on a phone that leans heavily on software from another company, Alphabet’s Google.

Lastly, all of Silicon Valley gets a turkey this year because the tech industry still can’t figure out how to hire, retain and promote more women and minorities.

Since innovation apparently can mean figuring out new ways to screw up, we’ve rounded up a supersized 17 examples of the most cringe-inducing tech turkeys for your holiday entertainment.


Prosecutors Announce More Charges in JPMorgan Cyberattack

Billing it as the largest hacking case ever uncovered, federal prosecutors in Manhattan on Tuesday described a global, multiyear scheme to steal information on 100 million customers of a dozen companies in the United States and use the data to advance stock manipulation activities, illicit online gambling and fraud.

Prosecutors said they uncovered the complex scheme in their investigation of a computer hacking last year at JPMorgan Chase that involved the breach of contact information, such as emails, from 83 million customer accounts.

Before long, investigators had uncovered a trail of 75 shell companies and a hacking scheme in which the three defendants used 30 false passports from 17 different countries. The group’s activity goes back as far as 2007, and it has reaped “hundreds of millions of dollars in illicit proceeds,” some of it hidden in Swiss accounts and other bank accounts, prosecutors said.

The data breaches “were breathtaking in their scope and size,” said Preet Bharara, the United States attorney for the Southern District of New York, at a news conference on Tuesday. The activity, described as a 21st-century twist on tried-and-true criminal activity, unveiled the existence of “a brave new world of hacking for profit,” perhaps signaling the next frontier in securities fraud.

The accused — two Israeli citizens and a United States citizen — face 23 counts of fraud and other illegal activities, according to an indictment unsealed Tuesday that added hacking to manipulation and fraud charges that were filed against the three in July. The charges are the first directly linked to the JPMorgan hack.

Two of the accused, Gery Shalon and Ziv Orenstein, remain in custody awaiting extradition from Israel after being arrested in July. A third defendant, Joshua Aaron, the American, is believed to be in Russia. The Federal Bureau of Investigation has issued a “wanted notice” for him “for his alleged involvement in a scheme to hack major American companies in order to acquire customer contact information.”

A separate indictment on Tuesday outlined seven charges against Anthony Murgio, a Florida man previously accused of running an unlicensed Bitcoin exchange. That exchange was owned by Mr. Shalon, whom prosecutors described Tuesday as the founder and leader of the sprawling criminal enterprise.

Lawyers for the four men could not immediately be reached.

Another man facing fraud charges, Yuri Lebedev, has not been charged with hacking. Mr. Bharara said on Tuesday “there are discussions between the parties.”

Prosecutors charged that the group led by Mr. Shalon hacked seven financial institutions and two newspapers to get contact information with which they could advance their pump-and-dump stock manipulation scheme. They “took the classic stock fraud scheme and brought it into the cyber age,” Mr. Bharara said.

Prosecutors said the group was involved in a broad array of activities, including processing payments for illegal pharmaceutical suppliers, running illegal online casinos and owning an unlicensed Bitcoin exchange.

Nearly all the activities “relied for their success on computer hacking and other cybercrimes,” prosecutors said on Tuesday.

According to the indictment, the three used a rented computer server based in Egypt to try hacking into customer databases at the brokerage firms TD Ameritrade and Fidelity Investments as well as JPMorgan. The ring also gained access to a computer network at what was called “Victim 8,” or Dow Jones, publisher of The Wall Street Journal, containing up to 10 million customer email addresses, prosecutors said.


Separately, federal prosecutors in Atlanta on Tuesday announced charges against Mr. Shalon, Mr. Aaron and an unnamed defendant in the late-2013 attacks on E-Trade Financial Corporation and Scottrade Financial Services, both major online brokers. The 10 charges include aggravated identity theft, computer fraud and wire fraud.

Prosecutors in Atlanta said they had uncovered online chats in which Mr. Shalon and an unnamed hacker discussed their plans to use stolen customer contact information to build their own brokerage database for peddling stocks to investors.

The New York indictment also charges the three men with hacking two software development companies to obtain information to advance their online gambling activities, and they targeted a market intelligence firm to support their card-processing activities.

The men operated at least 12 unlawful Internet casinos and marketed them to customers in the United States through extensive email promotions. The casinos generated “hundreds of millions of dollars in unlawful income,” prosecutors said, at least $1 million in profits a month.

JPMorgan confirmed on Tuesday that it was identified as “Victim 1” in the superseding indictment.

“We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” the bank said in a statement. “As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”

On Tuesday, E-Trade Financial, based in New York, said it was attacked in late 2013 and found no evidence that sensitive financial information had been compromised. It added that contact information for some 31,000 customers may have been exposed.

“Security is a top priority, and we focus a significant amount of time and energy to help keep our customers’ data and information safe and secure,” E-Trade said in a statement.

Fidelity, based in Boston, said, “We have confirmed with the F.B.I. that there is no indication that our customers were affected.”

In a statement, Scottrade said, “We continue to work closely with the authorities by providing any and all information and resources we can to support their investigation and prosecution of the criminals.” Scottrade, based in St. Louis, previously said 4.6 million client accounts were targeted.

Dow Jones said in a statement on Tuesday, “The government’s investigation is ongoing, and we continue to cooperate with law enforcement.”


M&S website temporarily suspended after leaking customers’ details

Updated: Around 800 Marks & Spencer customers had their personal details exposed online due to a technical glitch

British retailer Marks & Spencer temporarily suspended its website on Tuesday night, after some customers complained they could see each others’ details when they logged into their own accounts.

Posting on the company’s Facebook page, customers expressed alarm that they could see other people’s orders and payment details when registering for the new members club and card scheme called “Sparks”.

“Interesting, I just created an M&S account to register my new Sparks card and out of a sudden I’m logged in to someone else’s account!” wrote Konstantinos Vlassis.

“M&S this is in breach of privacy and data security. I can see personal addresses, past orders and info of another account holder and I assume they can see mine? I can message you screen grabs if you want but this is not good security!”

Fellow customer Vanessa Frost wrote: “There seems to have been a data breach on your M&S website – if I log into my account on there it brings up another person’s details – this is happening to loads of people.”


M&S said that the glitch was the result of an internal error rather than a third-party attack on the site, and said no financial data had been extracted. However, personal data, including names, dates of birth, contact details and previous orders, was exposed.

The website was taken offline at about 6.30pm and was back on by 9pm.

“We can confirm that around 800 people were affected by a technical issue that led to us temporarily suspending our website yesterday evening,” a spokesperson for Marks & Spencer said.

“We are now writing to every customer affected to apologise and to assure them that their financial details are safe.”

Commenting on the incident, Phil Barnett, VP Global at Good Technology, said that many companies are flying blind when it comes to security, because they don’t think it affects them.

“Marks and Spencer’s proves that customer data breaches are real threats and have serious consequences. Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority,” he said.

“When GDPR is implemented in 2016, companies experiencing a data breach could face a fine of two percent of worldwide revenue, so it’s not just going to be some painful interviews and a drop in share price, there’s the potential of big fines for every business.”

Last week British telecoms firm TalkTalk suffered a major cyber attack, which potentially compromised the data of more than four million customers. A 15-year-old schoolboy has been arrested in connection with the incident.


Security trumps privacy as Senate passes controversial cyber bill

The Cybersecurity Information Sharing Act, known as CISA, could make it easier for the government to abuse citizens’ civil liberties, opponents say.


In contrast, Minnesota Democrat Al Franken was among the 21 senators voting against CISA and quickly expressed his disappointment. “There is a pressing need for meaningful, effective cybersecurity legislation that balances privacy and security: this bill doesn’t do that,” he said in a statement.

Apple, Twitter and Dropbox declined to comment on the passage of the bill, though they all opposed the bill before its passage.

The vote Tuesday marks the end of a five-year struggle to encourage companies to share information about cyberthreats with the Department of Homeland Security. CISA was first introduced in 2014 but failed to reach the Senate before that session of Congress ended. Two years ago, the Cyber Intelligence Sharing and Protection Act (CISPA) was approved by the House, but died in the Senate.

President Barack Obama said he supports the bill.

High-profile cyberattacks on government agencies and companies such as Sony, United, and Ashley Madison might have prompted the Senate to approve the bill, security experts say.

“With security breaches like T-mobile, Target, and OPM becoming the norm, Congress knows it needs to do something about cybersecurity,” Mark Jaycox of the Electronic Frontier Foundation said in a statement Tuesday. “It chose to do the wrong thing.”

At issue is the fact that CISA allows companies to share information directly with law enforcement and intelligence organizations. Even more troubling, that information can include email, text messages and other data that can identify individuals. Companies are supposed to delete that information before they send it, but there’s always the chance that our “personal identifiers” could still slip through.

“I do not believe [CISA] imposes a sufficiently stringent standard for the removal of irrelevant personally identifiable information,” Deputy Secretary Alejandro Mayorkas wrote in a letter to Franken. The bill as written “raises privacy and civil liberties concerns,” Mayorkas noted.

After the vote Tuesday, NSA whistleblower Edward Snowden tweeted the names of senators who approved the bill.

CISA now heads to a conference of Congress members who will match the passed Senate and House bills before sending it to Obama’s desk.


Apple customers targeted by fake iTunes email scam

A phishing scam asking users to click refund links in a legitimate-appearing email purporting to be from Apple is doing the rounds

Apple customers are being targeted by a phishing iTunes invoice scam designed to trick them into clicking a link to claim a refund for a purchase they did not make.

An email purporting to be sent from Apple is currently in circulation, appearing to bill the recipient for £34.99. The invoice contains the line: ‘If you did not authorize this purchase, please: Click here for Refund’ [sic] in an effort to trick users into entering their Apple ID into a fake login page, according to internet security blog Malwarebytes.

After entering their Apple ID and password, victims are then prompted to enter credit or debit card information, including their card number, address and full name.

The scam emerges in the wake of the news that TalkTalk’s website was subjected to a “significant and sustained” DDoS attack which may have compromised millions of users’ personal information, including names, email addresses, financial information and telephone numbers.

The attack, which took place on Wednesday October 21, is the third time TalkTalk has been targeted this year alone. In August, its mobile sales site was targeted and personal data breached, and in February, hackers were able to steal account numbers and names of TalkTalk customers.

The Metropolitan Police Cyber Crime unit said it was currently investigating the attack.

Earlier this week, it was reported that fraudsters were imitating Apple’s remote help site in an effort to gain access to victims’ computers.

Scammers typically try to trick users into landing on such falsified support sites by targeting them with false warnings and pop ups warning of something wrong with their computer.

When legitimate sites ask for sensitive information such as financial or personal details, a padlock icon is displayed in front of the URL to indicate the presence of a Secure Sockets Layer (SSL) certificate.

Fraudulent sites impersonating Apple’s iTunes pages and banks including Natwest and Halifax have been wrongly issued with the authentication certificates recently, which can instill users with false confidence when inputting their details.


Online Attacks on Infrastructure Are Increasing at a Worrying Pace

Over the last four years, foreign hackers have stolen source code and blueprints to the oil and water pipelines and power grid of the United States and have infiltrated the Department of Energy’s networks 150 times.

So what’s stopping them from shutting us down?

The phrase “cyber-Pearl Harbor” first appeared in the 1990s. For the last 20 years, policy makers have predicted catastrophic situations in which hackers blow up oil pipelines, contaminate the water supply, open the nation’s floodgates and send airplanes on collision courses by hacking air traffic control systems.

“They could, for example, derail passenger trains or, even more dangerous, derail trains loaded with lethal chemicals,” former Defense Secretary Leon E. Panetta warned in 2012. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

It is getting harder to write off such predictions as fearmongering. The number of attacks against industrial control systems more than doubled to 675,186 in January 2014 from 163,228 in January 2013, according to Dell Security — most of those in the United States, Britain and Finland.

And in many cases, outages at airports and financial exchanges — like a computer outage that took down computers at airports across the country late Wednesday, including Kennedy International Airport in New York and Logan Airport in Boston — are never tied to hacks.

But it’s clear hackers are trying.

The Department of Homeland Security last year announced that it was investigating an attack against 1,000 energy companies across Europe and North America. In 2012, 23 gas pipeline companies were hacked by online spies, according to a Homeland Security report. Private investigators later linked the attack to China.

Last year, in a disclosure overshadowed by the news of the attack on Sony, a German federal agency said that in an attack at an unnamed steel mill, hackers had managed to jump from the company’s corporate network to its production systems, causing significant damage to a blast furnace.

And in an extensive attack at Telvent, an information technology and industrial automation company now owned by Schneider Electric, Chinese hackers made off with its product source code and blueprints to facilities operated by its customers, which include 60 percent of the pipeline operators in North America.

For now, dire predictions of destructive online attacks on American targets ignore the fact that the actors with the ability to cause the gravest harm to America’s critical infrastructure — China and Russia and allies like Israel and Britain — are sufficiently deterred from doing so by fear of retaliation or because of longstanding trade and diplomatic relationships. And attacks by those aggressively trying to get such a capability — Iran, North Korea and Islamic militant groups — are still several years off.

“Despite all the talks of a cyber-Pearl Harbor, I am not really worried about a state competitor like China doing catastrophic damage to infrastructure,” said Michael V. Hayden, former head of the National Security Agency. “It’s the attack from renegade, lower-tier nation-states that have nothing to lose.”

Just how far off are they? That is the question troubling policy makers at the National Security Council and intelligence and law enforcement agencies. Federal officials have repeatedly warned that Islamic State militants have been exploiting social media for recruitment, and are developing tools to break into their enemies’ systems.

Those capabilities were sufficient to prompt the assassination of Junaid Hussain, the chief of the Islamic State’s cyberarmy, who was killed by an airstrike in Syria in August. But for now, federal officials say, the Islamic State does not have a significant ability to cause damage through online attacks.

“It’s not easy to pull off a spectacular attack,” said James A. Lewis, a security expert at the Center for Strategic and International Studies in Washington. “People are always saying in theory they can do something, but it’s not at the level of a Pearl Harbor or a 9/11.”

Mr. Lewis added: “Could someone acquire the ability to cause a blackout? That’s something to worry about, but the only people who could pull it off don’t have any interest in doing so.”

Most security experts point to the attacks last year at Sony — where hackers leaked internal documents and destroyed the company’s servers — as an example of the destruction that is possible now, and a harbinger of what may come.

There were warnings the year before the Sony hacking that such an incident was possible. In a carefully planned attack in 2013, North Korean hackers knocked out almost 50,000 computers and servers for several days at South Korean banks and media companies.

Less sophisticated attackers are more likely to continue to pursue social media campaigns and isolated attacks, rather than take down parts of the power grid, said Ralph Langner, an independent security expert who was the first to attribute Stuxnet, a virtual weapon used against Iranian nuclear centrifuges, to the United States and Israel.

But the attacks that have rattled American government officials the most were similar attacks at Saudi Aramco, the world’s largest oil company, and RasGas, the Qatari oil giant, in 2012.

At Aramco, the hackers replaced the data on employees’ hard drives with an image of a burning American flag. United States intelligence officials say Aramco’s attackers were hackers in Iran, although they offered no specific evidence to support the claim. Mr. Panetta, then secretary of defense, called the Aramco sabotage “a significant escalation of the cyberthreat.”

Forensics specialists who were called in to analyze the Aramco attack said there was evidence the attackers probed the network that connects the company’s pipelines but were never able to cross from Aramco’s corporate network to its production systems. The same was true for a similar attack at RasGas two weeks later. Hackers tried and failed to hit the Qatari petroleum company’s production systems, but successfully took its corporate networks and servers offline.

But the attack on the German steel mill, disclosed last year, suggests that hackers are increasingly finding ways to cross that threshold. Just last week, it was announced that a group of hackers penetrated the Snohomish County Public Utility District in Washington State. The hackers, members of the Washington State National Guard, had been invited to test the utility’s defenses, and the results were frightening. They were able to break in with an email in under 22 minutes.

Joe Weiss, a crusader for industrial control security and founder of Applied Control Solutions, a consulting firm, is not surprised. He manages a database of 750 incidents that affected control systems and said he was most disturbed that most of them were not classified as attacks at all.

“What that tells you is that not only do we not have the mitigation, we don’t even have any type of adequate forensics to know this is happening, and whether it was intentional or unintentional,” he said.

The Department of Homeland Security tweeted late Wednesday evening that the computer outages at airports were due to a “brief outage that lasted 90 minutes” on the United States Customs and Border Protection’s computer processing systems.

But Mr. Weiss said in most cases, forensics investigations were still not adequate enough to nail down the real source of such incidents. He said the same was true across the electric, water, oil, gas, and nuclear industries.

“It’s not like with weapons, where you know where it’s coming from,” Mr. Weiss said. “With cyber- and control systems, you don’t necessarily know.”

“Will there be a cyber-Pearl Harbor? Most likely,” Mr. Weiss added. “Will we know it’s cyber? Most likely not.”


Killer USB stick destroys your computer in seconds

Russian hackers have created a USB stick that can instantly fry any machine it is plugged into.

A simple USB stick, created by a Russian security researcher known as ‘Dark Purple’ can instantly fry any machine it plugs into, including your laptop or TV.

In the short video posted by the hackers, the USB is shown in action – all it takes is plugging it into the hacker’s IBM laptop, and it completely kills the machine within seconds.

After the laptop turns off, the demonstrator in the video tries repeatedly to turn it back on but it seems that the USB has blown its circuitry in the process.

The USB stick destroys laptops by sending 220 volts through the signal lines of the USB interface, rendering anything it is plugged into useless.

Dark Purple claims in a Russian-language blog post that the attack is not limited to computers, but can be used to incapacitate almost anything equipped with a USB port.

The examples he gives are smart phones that support USB mode, TVs, routers, modems, etc.

His goal, he writes, is to test prototypes of “devices that perform only one function – the destruction of computers.”

Although the laptop looks completely dead after the USB is done with it, Dark Purple claims that it will be restored once the motherboard has been replaced. “It is extremely unlikely that the hard disk or the information on it was damaged,” he wrote.

This is good news, as it means hackers who get their hands on the USB stick won’t be able to wipe the data stored on your computer’s hard drive, which is probably more valuable to you or your business than the computer itself.

In the past, hackers have used software – lines of code that hide in a webpage or can be transmitted via text message – to wipe or crash phones.

A security researcher warned: “Yet another reason not to plug a USB stick of unknown origin into one of your computers.”


How much is your stolen data worth on the dark web?

A new report reveals how much cyber criminals are willing to pay for stolen data on the dark web

Ever wondered how much your stolen data could be worth? A new report reveals the market value of all the most common types of stolen data available for sale to criminals on the dark web.

The “Hidden Data Economy” report by Intel Security Group’s McAfee Labs draws on years of close work with law enforcement, and ongoing monitoring of online platforms, communities and marketplaces where stolen data is hidden and sold – such as Alphabay and Crypto Market.

The report provides examples of how different types of stolen data are being packaged, and offers an illustration of average prices for different types of data. A few examples include:

  • Average estimated price for stolen credit and debit cards: $5 to $30 in the US; $20 to $35 in the UK; $20 to $40 in Canada; $21 to $40 in Australia; and $25 to $45 in the European Union
  • Bank login credentials for a $2,200 balance bank account: $190
  • Bank login credentials plus stealth funds transfers to US banks: from $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance
  • Bank login credentials and stealth funds transfers to UK banks: from $700 for a $10,000 account balance, to $900 for a $16,000 account balance
  • Login credentials for online payment services such as PayPal: between $20 and $50 for account balances from $400 to $1,000; between $200 and $300 for balances from $5,000 to $8,000
  • Login credentials to hotel loyalty programs and online auction accounts: $20 to $1,400
  • Login credentials for online premium content services such as Netflix: as little as $0.55

Payment card data is perhaps the most well-known data type stolen and sold. A basic offering includes a software-generated, valid number that combines a primary account number, an expiration date, and a CVV2 number.

Valid credit card number generators can be purchased or found for free online. Prices rise based on additional information that allows criminals to accomplish more things with the core data.

This includes data such as the bank account ID number, the victim’s date of birth, and information categorised as “Fullzinfo”, including the victim’s billing address, PIN number, social security number, date of birth, the mother’s maiden name, and even the username and password used to access, manage, and alter the cardholder’s account online.

Online payment service accounts – like PayPal accounts for example – are also sold on the open market, with their prices determined by additional factors.

The report claims that illegal sellers list adverts in the same way as any legitimate seller would, offering guarantees on stolen credit cards, and that forums name and shame “bad sellers” who have sold stolen cards that don’t deliver what was promised.

“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour,” said Raj Samani, chief technology officer for Intel Security in Europe, the Middle East and Africa.

“This ‘cybercrime-as-a-service’ marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”


The news coincides with the publication of new figures from the Office for National Statistics, showing that cyber crime is now the UK’s most common offence, with 2.5m incidents in the last year.

Cyber crime was previously excluded from official statistics, but its inclusion in this latest report has resulted in an overall surge in recorded crime of 107 per cent, more than double.

The most common cyber crimes, offences committed under the Computer Misuse Act, were where the victim’s device was infected by a virus.


French hackers intercept Siri and Google Now to control phones

Researchers claim to have intercepted the digital assistants to control the iPhone and Android devices, broadcasting silent commands from 16 feet away

French researchers claim to have remotely accessed iOS and Android digital assistants and silently delivered commands by using headphones with inbuilt microphones as antennas.

The team from the French government’s Network and Information Security Agency (ANSSI) claim to have discovered “a new silent remote voice command injection technique”, meaning they were able to intercept Siri and Google Now via radio from up to 16 feet away.

An Android device or iPhone with a pair of headphones containing an inbuilt microphone – such as Apple’s standard earbud model – plugged in effectively turns the cord into an antenna, converting electromagnetic waves into electrical signals the phone perceives to be audio commands, without actually speaking a word.

In theory, this means the digital assistants could be hijacked into sending texts or emails, making searches or calls, or directing the handset to malicious websites, though the researchers required an amplifier, laptop, antenna and Universal Software Radio Peripheral (USRP) radio.

“The possibility of inducing parasitic signals on the audio front-end of voice-command-capable devices could raise critical security impacts,” researchers José Lopes Esteves and Chaouki Kasmi wrote, as spotted by Wired.

Last month a hacker claimed to have discovered a 30-second method of infiltrating a locked iPhone via Siri, which Apple fixed with the updated software iOS 9.0.1.

How to protect yourself

  • Attacks like this are extremely improbable, but in theory could happen. The researchers have suggested the companies improve the shield on their headphone cords, or introduce personalised phrases to wake digital assistants.
  • If you’re really worried, you could disable voice activation or turn the digital assistant on your phone off.

Computer attack insurance rates rise after high-profile breaches

Hacks of Sony, Target, Home Depot and major health insurers have made it more expensive to cope with data theft, Reuters reports.

Just as you safeguard your home with insurance, companies get insurance to cover any problems with customer and corporate data. With hacking on the rise, that protection is getting harder to obtain and pay for.

A torrent of cyberattacks on US companies over the past two years has led cyber insurers to boost premiums for high-risk companies and in some cases limit damage cover to a maximum of $100 million, according to a Reuters report on Monday. The limits make it hard for companies to operate in the modern networked era and could mean higher costs they’ll have to pass along to customers.

Hacks are expensive. Companies must pay for forensic investigations, credit monitoring, legal fees and settlements. Rising cyber insurance premiums and limited damage coverage effectively mean that companies could be liable to pay more if they’re hit by a cyberattack. Companies without full insurance could easily end up paying hundreds of millions out of pocket.

The 2013 attack on US retailer Target cost the company $264 million. Target expects to only recoup around $90 million of that from insurance payouts, Reuters said. A similar attack on Home Depot forced the US home improvement chain to shell out $234 million in expenses, but insurance will only cover about $100 million, Reuters said.

High-profile attacks, like the ones against Sony, Home Depot and Target, have forced insurers to judge certain companies as too high risk. That’s especially true for health and retail companies, which have highly sensitive customer data. Three insurance companies recently told Reuters that they turned away clients seeking computer attack insurance or limited coverage to $75 million and $100 million after reviewing companies’ computer security mechanisms.

Just like good home security systems can get you a break on your home insurance payments, the price of cyber insurance depends in part on companies’ security measures.

Health insurers are suffering the most from insurance hikes, sometimes seeing premiums triple in price, said Bob Wice, a focus group leader for insurer Beazley, according to Reuters. Massive security breaches at the beginning of 2015 affected millions of customers at two US health insurers, Anthem and Premera Blue Cross.

Upon renewing its insurance after the hack, Anthem only managed to secure $100 million in insurance protection, and that was on the condition that it pay the first $25 million of any damage costs itself, the company told Reuters.
