Cloud breach at Artys Inc.: A 96-hour disclosure and communication dilemma

Abstract

This case is about a cyberattack on a software publisher where the intruders created and consumed a lot of cloud computing capacity in a very short period of time. It was strongly suspected the purpose of the intrusion was crypto mining. There were no observed traces of any other malicious activity. A professional forensic investigation was inconclusive because of lack of evidence – it did not find any proof of data compromise, nor did it prove there was no data theft. In such situation, the CEO and the leadership team had a tough decision to make. They might be contractually bound to disclose this event to their customers, but there was serious misalignment on the interpretation of contracts. The potential penalties of a wrong judgement were high, and so were the consequences of voluntarily disclosing the incident to the customers. The CEO must decide what to do next – to disclose or not, and manage the risks in either case.

Keywords

cybersecurity data exfiltration data privacy intrusion business ethics cloud security SaaS security IT governance

Get full access to this article

View all access options for this article.

References

Chan

Woon

Kankanhalli

(2005) Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security 1(3): 18–41. https://doi.org/10.1080/15536548.2005.10855772

Eisenhardt

(1989) Agency theory: an assessment and review. Academy of Management Review 14(1): 57. https://doi.org/10.2307/258191

Simon

(1955) A behavioral model of rational choice. Quarterly Journal of Economics 69(1): 99. https://doi.org/10.2307/1884852