Introduction
Accounting information systems (AIS) contain sensitive information that comprises an important pillar of a company’s financial and organizational stability and success (Hall, 2015). The data should be kept safe and out of bound for unauthorized personnel because authorized access can have devastating outcomes. For instance, it can lead to identity theft or loss of critical data that is hard to replace (Hall, 2015). One of the effects of loss of accounting data is the crumbling of the accounting department or the entire business.
Arguments have been presented as to whether companies that are victims of AIS attackers should be held liable. Some companies manipulate accounting systems for financial gain and therefore it would be important to ascertain the main reason for cyber attacks. On the other hand, it would be important to evaluate the company’s policy regarding such attacks, its response, and the security measures implemented to prevent such occurrences.
Home Depot cyber attack
In the year 2014, the largest home improvement chain in the world was attacked by hackers who stole about 53 million email addresses and compromised more than 56 million credit card accounts (Banjo, 2014). This data breach was not very severe because the data stole did not clients’ sensitive information such as account passwords or payment card information. The attackers used information stolen from a third party vendor to gain access to the company’s system and aces the sensitive data.
The information contained a password that was used to access the company’s network. In response to the breach, the company addressed a critical vulnerability in its Microsoft’s Windows operating system that had facilitated the intrusion (Banjo, 2014). The solution to the breach was provided by Microsoft Corporation. The company mitigated the attack by repairing a security flaw while the attack was underway. The fraudsters used custom-built malware programs to access client information in different locations (Banjo, 2014). The malware program had been collecting customer’s confidential information for five months before it was detected and removed.
The firm should be held liable for the losses incurred by customers because of its poor security and preventive measures as well as lack of ongoing security checks that could have identified the breach. The attackers took advantage of security flows in the firm’s operating system and the ineffectiveness of its anti-software virus that was unable to detect intrusion and data theft. On the other hand, the company had a poor system design because it used vulnerable tags to identify the 7,500 self-checkout systems that were attacked (Banjo, 2014). The breach was estimated to cost customers and the company more than $62 million in losses. It is the responsibility of companies to protect their systems using strong and breach-free methods.
It is clear that Home Depot had put in place weak security measures that allowed hackers to attack. The firm’s response to the attack was to identify the hackers’ access point, close them, and address security flaws in their operating system (Banjo, 2014). The firm should have used stronger and more complex protection methods such as data encryption, firewalls, and virtual private networks (Gehem, Usanov, Frinking, & Rademaker, 2015). In addition, it should have isolated sensitive parts of the system that were more susceptible to attacks. The company should be held liable for its failure to prioritize the security of its accounting information system and using a weak network design. It is also important to use complex network and system designs that are impervious to external attack and intrusions.
Michaels Stores cyber attack
In 2014, an arts and crafts retailer known as Michaels Store was hacked and credit card data belonging to more than 3 million customers was stolen (Harris, 2014). Investigations into the attack began a few months after Target reported a security breach that affected more than 100 million customers (Gehem et al., 2015). Before the firm identified and stopped the breach, it had been ongoing for nine months (Jayakumar, 2014). The incident increased doubts regarding the security of customers’ information and the effectiveness of companies’ accounting information systems. According to the company, the attack involved a sophisticated malware program that its security companies described as new.
The hackers were able to attack the company’s system because its security companies had never come across such a program before. The attackers targeted its point-of-sale systems and stole information associated with more than 2.6 million debit and credit cards (Harris, 2014). The company should be held liable because of its poor security measures that could not identify a security breach that went on or nine months. One of its subsidiaries (Aaron Brothers) suffered a similar attack in which 400,000 credit cards were exposed to hackers (Harris, 2014). 54 of its stores were compromised and the attack took place even after the company announced that it could have been attacked. The company responded to the breach by hiring to security firms to address the problem (Jayakumar, 2014). The attack affected many customers because they had to be reissued with new credit cards by their banks.
The company should be held liable because of its poor security measures that had been put in place. The attackers used a point-of-sale malware program and targeted payment terminals that lacked point-to-point encryption that could have prevented the attack (Jayakumar, 2014). The company’s network was poorly designed because it lacked encryption that could have prevented the attack. On the other hand, weak security measures were revealed because the attack lasted nine months. The company should also be held liable because that was not the first attack.
In 2011, the firm was attacked and customers’ sensitive information was exposed to hackers (Harris, 2014). The company did not implement strong preventive measures after the first attack. The firm should have conducted an ongoing security upgrade on its systems. An ongoing security check and upgrade could have identified and stooped the attack in its early days. In addition, applying point-to-point encryption could have been effective in preventing the attacks. Companies are responsible for protecting their customers’ private information by designing networks that are less susceptible to attacks and intrusions, and that implement preventive measures (Gehem et al., 2015).
Neiman Marcus cyber attack
Neiman Marcus is a leading retailer of luxury products in the United States. It was a victim of a cybercrime attack that affected more than 1.1 million customers. The firm’s system was under attack for several months and the hackers stole information linked to more than 1.1 million credit and debit cards (Harris, Perlroth, & Popper, 2014). Reports indicated that the malware program sued to steal data at Neiman Marcus was the same program that was used at Target. The company’s management reported that a malware program had been secretly installed into its system and had been stealing data for approximately four months before it was detected and eliminated (Harris et al., 2014).
The malware monitored the credit card authorization process and stole data during the process. The RAM-scraping malware program scraped and stole unencrypted data (Harris et al., 2014). The attack affected many customers because MasterCard, Discover, and Visa confirmed that more than 2,400 cards involved in the attack had since been used in fraudulent financial transactions at other locations (Harris et al., 2014). The firm became aware of the attack after reports from its payment processor indicated that it was encountering many unauthorized payments at the firm’s outlets.
The firm should be held liable for losses sustained by customers because the attacks could have been stopped had the company implemented an ongoing security check and upgrade of its systems. The firm’s network had security flaws because the attack went on for several months unnoticed. The company responded to the attack by hiring a digital forensics firm to investigate the issue (Harris et al., 2014). The firm found out that Neiman Marcus was a victim of cyber-security intrusion and many customer credit cards had been compromised. In addition, it informed customers who had been affected of the attack and offering credit card monitoring for a year. This response was insufficient because several credit and debit card companies reported that more than 2,400 credit cards that had been compromise din the attack had been used in illegal financial transactions after the attack (Harris et al., 2014).
Customers were not informed early enough about the attack and were therefore not able to take precautionary measures that could have prevented further use of their credit cards in fraudulent financial transactions. The company’s liability was also evident from the top management’s failure to tell the public about their system’s security flaws that facilitated the attack (Harris et al., 2014). Companies are responsible for securing their customers’ confidential information by ensuring that their systems are safe and secure. The attack came after several retailers announced that they had experienced intrusions that led to theft of sensitive information belonging to their customers. The firm should have taken cautionary measures and conducted an ongoing security check and upgrade on its systems in order to avoid similar attacks (Gehem et al., 2015).
Conclusion
Security breaches of companies’ accounting information systems have been on the rise in the United States. In the past five years, several cases of cyber attacks have been reported among some of the largest retailers in the U.S. Firms such as Home Depot, Michaels Store, and Neiman Marcus have been targets of cyber attacks. Hackers used sophisticated malware programs to infiltrate their systems and steal sensitive customer information linked to their debit and credit cards. In all these cases, hackers took advantage of flaws in the firms’ systems.
The firms were all liable because the attacks went on for several months unnoticed by their system security personnel. On the other hand, poor network designs and weak security measures were responsible for the attacks. The firms responded by hiring private security firms to investigate the attacks after they had been ongoing for several months. This shows lack of initiative because conducting ongoing security checks and upgrades is necessary especially for companies that deal with sensitive information. The customers suffered great losses because many of the credit cards were used in other fraudulent financial transactions after the attacks. It is the responsibility of firms to design secure networks and systems in order to secure their customers’ information.
References
Banjo, S (2014). Home Depot hackers Exposed 53 Million Email Addresses. Web.
Gehem, M., Usanov, A., Frinking, E., & Rademaker, M. (2015). Assessing Cyber Security: A Meta Analysis of Threats, Trends, and Responses to Cyber Attacks. New York, NY: The Hague Centre for Strategic Studies.
Hall, J. (2015). Accounting Information Systems. New York, NY: Cengage Learning.
Harris, E. A. (2014). Michaels Stores’ Breach Involved 3 Million Customers. Web.
Harris, E., Perlroth, N., & Popper, N. (2014). Neiman Marcus Data Breach Worse Than First Said. Web.
Jayakumar, A. (2014). Michaels Says 3 Million Customers Hit by Data Breach. Web.