As opposed to black hat hacking, which often causes data breaches in companies, white hat hacking seeks to prevent data breaches, whether solicited by the company or unsolicited. The majority of the time, white hat hackers are independent contractors, university-level students, or even teenagers, according to Julia Kanouse, CEO of the Illinois Technology Association. Most ethical hackers aren’t seeking money, but rather a story with the company’s name in it, she continued.
Many companies, however, aren’t prepared for help from ethical hackers and may not have a procedure put in place. In an interview with Security Baron, Kanouse cited the example of a casino gaming company that ignored ethical hackers’ warnings about a weakness in their system. Later, the hackers posted their findings on social media, “blurring the lines between ethical and unethical, as other bad guys might be able to take advantage of [the weakness]”, Kanouse told Security Baron.
To prevent this from happening, Kanouse recommends that companies have a standard procedure to deal with inbound disclosures in terms of how investigation and compensation work. Some companies even offer a “bug bounty” where they offer monetary compensation to anyone who can find a bug within their system. Regardless of whether a company has a “bug bounty”, they should be prepared to listen to ethical hackers and compensate them in some way, be it with money or company merchandise.
Security Breaches Affect Millions
As security breaches become more common, companies must be open to help from ethical hackers, Kanouse explained to Security Baron. Last spring, hackers stole over five million debit and credit card numbers from Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity firm. Soon after that, Fin7, a hacking syndicate, acquired the data and has sold tens of thousands of records, compromising the stores’ entire networks, most of which were from New York and New Jersey locations.
Similarly, T-Mobile’s security breach affected over two million customers last August. After T-Mobile’s internal cybersecurity department discovered the breach, it reported the hacking to authorities and disclosed it to its users. Despite these actions, many user passwords were compromised. Even with cybersecurity measures, companies can still be at risk of data breaches. Ethical hacking serves to prevent security breaches, whether the company solicits their help or not.