
Mega Hacks and the Employees That Lost

When a business gets hacked and its corporate information is dumped on the Internet for all and sundry to see (albeit illegally), the effects of that breach are obviously devastating for all concerned.

In many ways it’s like the day after a fierce storm has driven a super-cargo container ship aground and beachcombers from far and wide have descended upon the ruptured carcass of metal to cart away anything they think has value or can be sold by the side of the road. Mixed in among the spilled contents of the ship’s load are the personal effects of the crew—likely to be treated with less respect than a crushed shipping container stuffed with sodden boxes of Lego.

The attention being paid to the massive data dumps that have come from the recent high-profile hacks, especially the one encountered at a well-known Hollywood studio, tends to reinforce that perspective.

The daily lives of hundreds of employees were suddenly laid bare. And, as if that wasn’t enough, for a sizable period of time before the hack was uncovered, the hackers were using malware distributed throughout the organisation’s network to eavesdrop on personal communications and steal employees’ credentials.

I think that last point has been missed by many folks.

As employees of our own organisations, we’re all used to the briefings by HR, or to reading in an employee handbook, that our personal Internet use can be monitored by our employers at any time. However, it’s not until an organisation has been breached and hits the headlines that you begin to think about just how much you use work systems to handle personal things in your life. What if the company you worked for suffered a hack? How would you feel if some of your personal information was made public?

Getting personal

For example, have you ever logged in to your LinkedIn or Facebook accounts from a corporate laptop or over the business network? Have you ever logged in to your bank account to check your finances or pay some bills online? If you have, then some of that information may have been inadvertently captured by your employer’s security monitoring tools—locked away in logs somewhere.

In a breach of the size and sophistication of the recent Sony attack, horribly compounded by the use of malware rootkits, the contents of private communications and login credentials were likely stolen by the hackers—to be used at any time in the future—making the hack deeply personal to the employees unfortunate enough to have been caught up in the incident.

There are lessons to be learned for all of us though. We often talk with increasing fear about hackers targeting organisations of all sizes all over the world. But the reality of the situation is that if your employer is a target, then so too are you. And if your employer is the victim of a hack, then so are you.

In many ways it may be best for employees to view their corporate networks as hostile to their privacy—because, let’s face it, all organisations are at risk of cyber attacks nowadays. So you should probably be wary of using your work systems for personal matters, just in case the worst happens.

Whether it’s some pirate raiding a cargo ship off the coast of Somalia or the beachcombers after a storm, it may pay to be overly cautious with your personal Internet communications from networks likely to be targeted by hackers in the future.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft
