·A trader at a French bank used computer access codes of other employees and falsified documents to disguise about $70 billion in unauthorized trades, resulting in a loss to the bank exceeding $7 billion.[i]
·During the subprime boom, software makers and lenders boasted how fast they could process loans.[ii]
·A U.S. broker mistakenly entered a sell order for $4 billion instead of $4 million, causing not only a business loss but also a 2% drop in the Dow index.[iii]
·A computer virus penetrated a private computer network at a U.S. nuclear power plant and disabled a safety monitoring system for nearly five hours.[iv]
·The US repair cost for the Y2K problem (the inability of computers to deal with dates in the 21st Century) is estimated to have exceeded $187 Billion, with companies such as GTE spending more than $380 Million on software remediation.[v].
·Intra-company incompatibility of design and manufacturing software reportedly “snowballed into at least a year's delay in delivering the world's biggest passenger aircraft and $2.5 billion in lost profit.”[vi]
Education & Training
·The Chairwoman of a leading U.S. company resigned and faced felony charges for alleged illegal Internet-based gathering phone records of board members, journalists and others in an effort to find the source of news leaks.[vii]
·Government workers lost two computer disks containing personal information and, in some cases, banking details of approximately 25 million residents of the United Kingdom.While the black market value of the data was estimated to be about $2.5 billion, the disks were sent through the government’s interoffice-mail system with no special tracking number and the information was not encrypted[viii]
Security & Privacy
·An employee of a leading online service stole a 30 million member client list, which was later sold and used to bombard AOL members with spam.[ix]
·A14-year old Polish hacker in Poland used a TV-style remote control to change the points at key junctions into a public transport network, derailing four trains and injuring 12 people in one incident alone. [x]
·Immediately following the 9-11 WorldTradeCenter attacks, operational failures and telecommunications breakdowns led to significant liquidity bottlenecks, threatening the safety and soundness of the financial system.[xi]Many firms mistakenly believed that their communications systems were redundant, only to discover that all of their lines traveled through, and were subject to, single points of failure.Assumptions about the availability of human resources also proved wrong when the closure of lower Manhattan blocked personal movement.[xii]
·A malfunctioning network card on a desktop computerprevented Los Angeles airport customs officials from screening more than 20,000 arriving international passengers, both American and foreign, who were stranded in four airport terminals and 60 planes.[xiii]
Sourcing & Extended Supply Chain
·A leading US payment processor was forced out of business after suffering a security breach affecting up to 40 million credit cards.[xiv]
·False assumptions regarding fault-tolerant hardware in a computerized radiation therapy machine appear to have led to “the worst series of radiation accidents in the 35-year history of medical accelerators,” including several deaths.[xv]
Assurance & Validation
·A $125 million Mars orbiter was lost because engineers failed to convert key data from English units of measurement to metric units.[xvi]
·A computer company announced a pretax charge of more than $1B to repair defects in its next-generation game machine related to too much heat being generated by components. [xvii]
[i] “Bank Outlines How Trader Hid His Activities,” New York Times, January 28, 2008, at http://www.nytimes.com/2008/01/28/business/worldbusiness/28bank.html?ref=todayspaper.
[ii] “The Subprime Loan Machine,” New York Times, March 23, 2007
[iii]See, "Erroneous Order for Big Sales Briefly Stirs Up the Big Board,"New York Times, October 3, 2002.
[iv] See, www.securityfocus.com/news/6767 (“An energy sector cybersecurity expert who's reviewed nuclear plant networks, speaking on condition of anonymity, said the trend of linking operations networks with corporate LANs continues unabated within the nuclear energy industry, because of the economic benefits of giving engineers easy access to plant data. An increase in plant efficient of a couple percentage points "can translate to millions upon millions of dollars per year," says the expert.He says Slammer's effect on Davis-Besse highlights the dangers of such interconnectivity.”)
Special Committee on the Year 2000 Technology Problem, S. Prt. 106-10, Feb. 24, 1999,
[vi] See, “Airbus Vows Computers Will Speak Same Language After A380 Delay,” Bloomberg, Sept. 29, 2006, at http://www.bloomberg.com/apps/news?pid=20601085&sid=aSGkIYVa9IZk.
[vii] See, “Ex-Leader Among 5 Charged in Hewlett Case,” New York Time, Oct. 5, 2006;“Chairwoman leaves Hewlett in Spying Furor,” New York Times, Sept. 23, 2006.
[viii] “Too Many Workers Fail to Grasp the Value of Data, Risk of Loss,” Wall St. Journal, November 27, 2007
[ix] See, “How did AOL lose 92 million names?,” USA Today, June 24, 2004, at http://www.usatoday.com/tech/news/2004-06-24-aol-tick-tock_x.htm
[x] See, http://www.metro.co.uk/news/article.html?in_article_id=83457&in_page_id=34.
[xi]Federal Reserve Board, “Summary of ‘Lessons Learned’ and Implications for Business Continuity,” Discussion Note, February 13, 2002, at http://www.federalreserve.gov/boarddocs/staffreports/200202/DiscussionNote.pdf.
[xii] J. Eisenberg, The Internet Under Crisis Conditions, Learning from September 11, National Research Counsel of the NationalAcademy, at www.gtisc.gatech.edu/2004site/ati2004/ppt/Eisenberg_net911-ati2004.ppt.
[xiii] See, “LAX outage is blamed on a single computer,” Los Angeles Times, August 15, 2007, posted at http://blog.wired.com/sterling/2007/08/index.html.
Also see, Adding Math to List of Security Threats, New York Times, November 17, 2007 (“[Adi]Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be “trivially broken with a single chosen message.”Executing the attack would require only knowledge of the math flaw and the ability to send a “poisoned” encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system.) at http://www.nytimes.com/2007/11/17/technology/17code.html?ref=todayspaper.
[xiv]See, “Pay By Touch acquires CardSystems' assets for $47 million,” Computer Business Review, December 13, 2005, at http://www.cbronline.com/article_news.asp?guid=8CCC14FB-9609-4C6C-9938-2BCBB9EA0B27;“Visa, Amex Cut Ties With CardSystems Due to Breach,” Computerworld, July 25, 2005, at http://www.computerworld.com/industrytopics/financial/story/0,10801,103443,00.html?from=story_kc; “Visa cuts CardSystems over security breach,” The Register, July 19, 2005, at http://www.theregister.co.uk/2005/07/19/cardsystems/.
See, also “Fidelity Says 2.3 Million Records Stolen,” Washington Post, July 3, 2007, at http://www.washingtonpost.com/wp-dyn/content/article/2007/07/03/AR2007070300758.html; vnunet.com, July 4, 2007 (“Fidelity National Information Services has admitted that personal information on 2.3 million people has been illegally removed from its database.The breach occurred at Certegy Check Services, a company that handles cheque and credit card monitoring for merchants and casinos. Fidelity stressed that no computer systems were compromised in the data theft. The information was collected and transported by a database administrator who was placed in charge of data access privileges.The employee also ran a data brokering business, and the stolen information, which included addresses, phone numbers, dates of birth, and in some cases credit card and bank account numbers, was then sold off to marketers.”), at http://www.vnunet.com/vnunet/news/2193421/crooked-administrator-sells.
[xv] See the Therac 25 case, N.G. Leveson, & C.S. Turner, "An Investigation of the Therac-25 Accidents." Computer, Vol. 26, No. 7, July 1993, pp. 18-41, at http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Therac_1.html.