Data leaks are a phenomenon of the modern world. Hardly a week goes by before a well-known company hits the headlines with a major data leak. In 2018, there were around 2.9 billion data records breached. But data takes many forms. It can be personal, it can be proprietary, it can be Intellectual Property (IP). Whichever classification it falls into, these data are highly sensitive and can have a seriously negative impact on an organization if it is leaked.
Source code leaks are data leaks that affect a number of areas of a business. Source code is your Intellectual property, and as such, loss of this type of data can have consequences for an organization from share price loss to reputation damage to competitive edge impact.
This article will look at some of the world’s highest-profile source code leaks and how they hurt a company. We will also give you some guidelines on how to make sure your organization doesn’t end up as a source code leak statistic.
Examples of Headline Hitting Source Code Leaks
There are many examples of companies that have lost source code, either accidentally or maliciously. Source code leaks are also commonly seen when an employee shares not all, but some code, without any malicious intent. The mechanism of loss bears the same results. Companies who lose source code end up with issues that make their products vulnerable to cyber-attacks, give competitors an edge, and they suffer financial losses too. These examples here are large companies. However, source code leaks happen to all companies of all sizes. The only difference is that it is the larger companies that make the news headlines.
Source Code Leaks – in order of date
Apple’s IOS source code leak
In 2018, an intern working for Apple took source code on leaving the company. He then shared it with friends in an IOS jailbreaking community, in an effort to find ways to unlock an IOS phone. Unfortunately, and perhaps as expected, the code ended up on a public GitHub repository for the world to share.
Apple initially played down the leak saying that it didn’t affect the security of their devices. However, Apple quickly put a Digital Millennium Copyright Act (DMCA) takedown notice on GitHub to ensure the leaked code was quickly removed. This notice had to cover over a dozen replicated GitHub repositories as the leaked code spread.
Why did the intern do it? Sources say that it was simply because of an interest to share with friends who were security researchers. Notably, the intern had signed a Non-Disclosure (NDA) agreement with Apple.
Snapchat source code
Snapchat source code was leaked in 2018; the company stating it happened when an IOS update occurred allowing the code to be leaked. Again, the company resorted to a DCMA notice on GitHub. The code was stolen by an individual looking for ‘bug bounty rewards’ – he posted on Twitter at his frustration in contacting Snapchat; a tweet from the individual lets Snapchat know that he is posting the code to a public repository. Snapchat shares dropped by 3.4% a day after the breach went public.
Drone maker DJI
A former employee leaked the source code and private keys of DJI agricultural drones to GitHub. The leak resulted in a hacker breaking into the company’s servers and also stealing source code. The employee said he innocently exposed the source code. However, in 2019, the employee received a jail sentence for the leak. The leak is said to have cost the company at least $170,000.
Microsoft Windows 10 source code leak
Source code for a number of Microsoft driver modules was leaked in 2017. Also allegedly included in the leak, were USB and Wi-Fi, and unreleased builds of Windows 10 and Windows Server 2016; the code was uploaded to BetaArchive who subsequently removed it.
Microsoft has suffered from a number of source code leaks over the years. One of the most famous was the leak of Windows NT4 code by Microsoft partner MainSoft. Another was the exposure by an internal employee of the upcoming Windows 8 build to a French blogger who posted screenshots of the code online.
Microsoft has suffered reputation damage and potential vulnerabilities have been found using leaked source code.
Symantec source code leak
When: 2012, 2019
The hacking group “The Lords Of Dharmaraja” admitted to being behind the 2012 breach of Symantec source code. The group originally stated they had stolen it from Indian government systems. However, Symantec updated the situation by revealing the leak had originally been from an undetected ongoing breach going back to 2006.
Symantec had to approach customers and ask them to suspend use of certain products until they could provide security patches. In the case of Symantec, the company had to rewrite their code, at great cost, to allow the product to continue.
More recently, Symantec have again been the victim of a hacking group, “Fxmsp”. They, along with several other antivirus companies, have had source code leaked. Fxmsp posted source code and access to the company’s network at a price of $300,000 for both.
Adobe and 30 other associated companies
A vulnerability allowed hackers to access networks managed by Adobe. This access was then used to steal the source code of Adobe as well as 30 other companies. Researchers commented that the stolen source code would be likely used to find zero-day vulnerabilities in Adobe products to facilitate malware infections. Although the breach also resulted in personal data being stolen, lawyers said that the theft of source code was the “most significant commercial implication”.
RSA SecureID token source code leak
The leak of RSA source code in 2011, that underlined their flagship SecureID product, was perpetrated via an external hacking team. Investigations by RSA into the attack on their source code revealed that it was likely caused by an Advanced Persistent Threat (APT).
The SecureID token is used to add a layer of security into the login process for corporate networks and applications. This meant that the very heart of security in an organization that used these tokens was at risk. In the end, RSA had to replace all of the SecureID devices in circulation.
The cost to RSA hit $66 million in terms of replacing the physical tokens. However, other intangible costs such as reputation have a longer and less quantifiable reach.
What happens when source code leaks?
The examples above were all well-known companies. When a big organization suffers a data breach it is headline news. But smaller companies are also under the same threats as their enterprise counterparts. The repercussions of leaked source code are a company’s worst nightmare. Accidental or intentional exposure of source code is like taking your company’s most sensitive information and handing it over to your most aggressive competitor.
When you lose source code you lose more than lines of programming code. The results of source code leaks include:
Loss of first to market
Your competitive edge is often tied up with getting into the market first. If you lose your source code and a competitor gets access, they could potentially use it to circumvent your efforts. You may think that you could easily take the competitor to court. However, stolen source code does not need to be used as is. It can be enough to give the competition intelligence about your approach or architecture. Source code reveals not only the lines of code but the innovation and novelty around a product. It can also be used to create a better version of the product you hoped to release.
Zero-days and other vulnerabilities
Source code is often exposed to groups looking for vulnerabilities to exploit. Malware often uses source code flaws to infect devices. If your source code is leaked, you could end up, like RSA and Symantec, having to recall a product or advise customers to suspend use of your software. You will then have to work quickly to find a patch before anyone using the software is breached.
The Equifax data breach of 2017 ended up costing the company $4 billion. Company ‘harms’ take many forms after the loss of source code. These include:
- Stock price drops: Data breaches come in many forms, including source code leaks. Comparitech performed an analysis of the impact of a data breach on the company share price. They found that share prices generally underperformed even in the long term, post-breach. Typically, breached companies underperform on the NASDAQ by -4.6%.
- Reputation damage: Damaged reputation is an intangible, difficult to quantify the impact of a source code leak. However, it is a major issue as evidenced by the likes of Apple, Symantec, and RSA.
- Data protection non-compliance fines: If your source code is leaked and this subsequently leads to software vulnerabilities being exploited, you could end up with a personal data breach too. Data protection regulations are becoming ever more stringent. If you are responsible for the loss of personal data, you may end up with massive fines for not taking the proper measures to secure that data.
- Sales: Software piracy is a form of harm to a company. If your source code is stolen and used to create a pirated version of your software both your company and customers suffer. Your company by losing sales, and customers from the lack of upgrades and patches if vulnerabilities are found and exploited.
- Lawsuit costs: In 2013, Adobe had a major data breach, that included source code for Acrobat, Reader, ColdFusion, and Photoshop. The company ended up paying $1.1 million in court costs and $1 million to customers. Court costs for leaked source code can cover many areas from IP protection to employee litigation to customer lawsuits.
Keeping your company off the source code leak statistics list
No one wants their company to be part of an article listing source code leaks. But data breaches, including source code leaks, are only increasing. New methods of attack are continuing to evolve – the war of attrition between the cybercriminal and the organization is blooming. But source code leaks have their own particular modus operandi. The developers themselves, as we have seen from our examples, can be behind the leak.
A “safety first approach to data security requires you to place focus on endpoint security as well as have a human-centered approach to insider threats. Making the choice about where to spend security budget can be a challenge when the threat landscape is large and complex. Taking a proactive approach to the prevention of source code leaks means placing your budget where the leak occurs – the human being and the endpoint.
KnowIT offers modulated pricing and features letting you save money whilst giving you the tools to protect your source code.
Want to read more about data leaks and how they can affect you? Check out our white paper “2018 data breach report”.