Clarissa Garcia

Jason Moore

UHON 401

10/17/19

Big Data and an Exploration into Hacking

A majority of data breaches that compromise user data happen through a practice

called hacking. Hacking can be described as the practice of exploiting vulnerabilities in software

for an unofficial purpose. The results can be disastrous; according to the 2019 MidYear

QuickView Data Breach Report released in June of this year, “3,813 breaches were reported

through June 30, exposing over 4.1 billion records” (“Statistics show…”). For these reasons,

hacking usually carries a negative connotation for exposing the private data of others without

consent. However, multiple types of categories of hacking exist. In order to understand the

ethical dilemmas and boundaries involved in the large field of hacking, we first must

understand the three different categories of hacking.

The first category of hacking that we should examine are illegal hackers, or “black hat

hackers” (“What is the Difference…”). Black hat hackers are usually the hackers behind infamous

data breaches who work by stealing information from systems which they were not authorized

to access. Hackers also change or destroy information through malignant software they spread

called “malware” or “worms”. A Cornell graduate student, Robert Morris, was responsible for

creating the first computer worm software. Originally intending for the worm to give him an idea
of the size of the web, he spread his worm across multiple computers where the worms would

propagate and spread to other computers by themselves. However, the worms replicated

themselves on their host computers so frequently that they crashed vital military and university

systems that spurred an investigation from the FBI (“THE MORRIS WORM…”). The interesting

part of this case is that Morris originally had innocent intentions unlike most typical black hat

hackers today, but his unauthorized access to protected computers broke federal law and he was

convicted under the Computer Fraud and Abuse Act of 1990 (“THE MORRIS WORM…”).

Black hat hacking also targets companies with large databases to increase the amount of

data they can gather. Equifax is one of the three largest consumer credit reporting agencies in

the United States (“Nation’s Big Three…”). In 2017, it was the target of a data breach from black

hat hackers which compromised the information of half the citizens in the United States

(O'Brien). The information exposed by the data breach included sensitive information of the

victims such as “…name, address, Social Security number, and date of birth” (“What is a

Credit…”).

The retail store Target was another company that found its data breached by black hat

hackers. By gaining access to the customer service database through stolen credentials, the

information of 41 million consumers were exposed including their phone numbers, addresses,

and card numbers (McCoy). The data breach affected Target consumer, Target shareholders,

and banks that issued the customer’s credit cards, resulting in over 100 lawsuits and a

settlement of 10 million dollars (“Settlement of Target…”).

 The second type of hacking we should examine are ethical hackers, otherwise known as

“white hat hackers”. Ethical hacking can be described as “… performed with the target's

authorization. The intent of ethical hacking is to find out vulnerabilities from a hacker's

viewpoint so systems can be better secured” (S.Patil). In other words, white hat hackers use all

the same skills and tools as black hat hackers—they are just hacking legally by getting

permission. Santiago Lopez was a 19 year old man when he realized that his hacking skills could

be used to make money legally by finding bugs for companies wanting to find weaknesses in

their software to make it stronger (“How One Teenager…”). After bug payouts from companies

such as Verizon and Twitter, he became the first millionaire bug-bounty hacker on the ethical

hacking platform called HackerOne (Hamilton). White hat hackers usually help to strengthen

company security, saving the information of millions of people that would otherwise be

exploited by black hat hackers.

The third type of hackers have characteristics between black and white hat hackers.

Appropriately termed “grey hat hackers”, these hackers show a grey area between black and

white hat hacking, showing elements of ethical but illegal activities in their exploits. Grey hat

hackers may, for example, hack a company, determine weaknesses in the company’s software,

then notify the company of the weakness while asking for a fee to fix it. They may also decide

to take unethical injustices into their own hands regardless of legality. The Impact Team, a grey-

hat hacking group threatened the website Ashley Madison, a dating site that promoted their

users’ extramarital affairs (Brown). After The Impact Team demanded Ashely Madison bring its

website down and Ashley Madison failed to comply, the website became the subject of The
Impact Team’s data breach that exposed user information of over 33 million accounts

(Robinson).

Another grey hat hacking group, Anonymous, claim themselves to be “hacktivists”—a

group of hackers that use their skills without permission to make activist statements. When the

Parliament of Uganda was considering a law that would increase the penalty of homosexuality

from 14 years in jail to life, Anonymous hacked the prime minister’s website and publicly

posted a message expressing their disagreement (“Uganda Prime Minister…”). The group has

undergone different activism operations with mixed reactions from people who either support

their activist messages or to those who disagree with the means of spreading their message

through use of illegal access of software.

Having understood the three types of hackers, the varying boundaries of ethicality can

be seen between the three categories. Hacking is a set of skills that gives a person the potential

to make a difference. But through analyzing the different kinds of hacking, we can see how a

person can either decide to use their skills for good intentions or for bad intentions. We have

finally come to our ethical dilemma: how do we increase the favorable potential of ethical

hacking and lessen the negative effects of illegal hacking when it comes to safeguarding big

data?

We can explore this question by first exploring the laws and repercussions currently in

place for people who use hacking for nefarious purposes. The federal Computer Fraud and

Abuse Act of 1984 was put in place to limit cybercrime. It states that “…persons who access

computers ‘without authorization’ will typically be outsiders (e.g., hackers)… outside intruders
who break into a computer could be punished for any intentional, reckless, or other damage

they cause by their trespass” (Freeman). Locally, New Mexico law has varying punishments for

people who either willfully access a computer without authorization, commit computer abuse

(which is when a hacker attempts to destroy or damage computer property) or for computer

access with intent to defraud or embezzle. The fines and crime seriousness range from a petty

misdemeanor if damage to the computer service is two-hundred and fifty dollars or less to a

second-degree felony if the service is worth twenty-thousand dollars. Across the nation, similar

laws have been put in place in an attempt to discourage illegal hacking.

Enacting laws to reduce an unwanted and harmful behavior that is a net negative for

society is always a positive first step. However, these repercussions do not seem to deter the

record-breaking data breaches that we have experienced from this year alone (“Statistics

show…”). When it comes to finding a solution to lessening illegal hacking, it becomes important

to figure out what would drive a person to go down the criminal route. Santiago Lopez, the 19-

year-old millionaire bug-bounty hunter, was asked in an interview whether he had ever wanted

to use his skills for “bad” hacking. Lopez replied “At the beginning, I was a little tempted…Bug

bounties saved me in that way” (“How One Teen…”). Lopez was lucky to have had a background

in which he already knew about bug bounties when he was fifteen. But this interview might

lead credence to the fact that people might not be exposed to the idea that ethical hacking,

which can be equally as profitable, exists. Media has also played a role in selective information,

glorifying illegal hacking to audiences with over 93 different movies spanning the topic, but not

lending the same attention to ethical hacking and its benefits (Freeze). As well as enacting laws,

supplementing the laws with true social change and conversation could be the difference
between a talented ethical hacker protecting people’s data or a talented unethical hacker

exposing millions of personal records.

Secondly, the ethical dilemmas presented with grey hat hacking should be explored.

Because of the lack of authorization, grey hat hacking can be classified as illegal under federal

and some state laws. Companies and individuals who find themselves targets argue that their

intellectual properties are being damaged or that they are being harassed by the online

activists. On the other hand, “Hacktivists”, hackers who consider themselves activists of a

cause, argue that they use their skills as a way of expressing their beliefs.

When the US government began threatening organizations with legal action for being

connected to the whistleblowing site known as WikiLeaks, organizations such as PayPal cut

contact. When PayPal suspended the account for donations to WikiLeaks, Anonymous grey hat

hackers took it open themselves to launch an attack to bring PayPal down. Afterwards, the FBI

arrested fourteen of the hackers that were behind trying to publicize the information that the

US was trying to keep from the general public (Mills).

Grey hat hackers believe that their way of voicing their opinions of injustices is through

their hacking skills. For example, a Youtuber named Project Mayhem is known for using his skills

as a hacker against scammers (Dunhill). In one instance, the youtuber pretends to be a

prospective victim while he writes a program to render phone-scammer lines unusable as a

form of vigilantism (Dunhill).

To make a decision on grey hat hacking and the free-speech argument used by its

advocates, keeping in mind what would be the best and most cyber-secure route for everyone,
I believe that privacy and legality should be considered before freedom of speech. Although

Anonymous arguably launched attacks on targets that were fighting against human rights, it

blurs the line between what is socially acceptable as an activist cause and what is not. If a

hacktivist’s cause is deemed appropriate, then that may give permission to future hackers to

take down sites or software even if they only mildly disagree with them. This would leave

software business, independent developers, and website that promote the public’s well-being

to be at the whims of the ones who have hacking skills. I believe that this is a greater threat

than to let questionable websites or software to continue existing. The safest route for

everyone as they use services online is to express feelings of dissent through ways other than

hacktivism.

Since there will always be illegal hackers waiting to exploit weaknesses in code, software

fortification is a next step for business to take to secure the information of their user base.

Businesses should be held financially accountable to the people who has had their sensitive

data exposed to illegal hackers. Businesses who are at risk of becoming targets through the

information they collect should pass quality control tests on their software standards, coding

standards, and undergo required white hat hacking tests before they are cleared to handle user

information. This would incentivize businesses to pass the tests that would ensure the safety of

their customers while gathering the information from users that is important to make their

business succeed.

Given that black hat hacking is still a large problem despite potential legal repercussions,

the promotion of white hat hacking, or ethical hacking, is an effective way to combat illegal

hacking. White hat hacking is more favorable to the other categories of hacking; a more cyber-
secure future depends on the promotion of white hat hacking and making the practice more

widespread. How can this be done? Part of the culprit might lie in how many people go into the

computer science field in the first place. STEM fields are not as frequently chosen and out of

the already-smaller pool of graduates, only 8% were computer science majors (Code.org).

Encouragement in participating in the field and early awareness of computer science might

interest some people to get involved in the first place. Additionally, more frequent exposure to

ethical hacking as opposed to illegal hacking might help people who may be tempted to the

criminal route to use their talents for righteous purposes.

In conclusion, the large field of hacking can be a more productive and reputable practice

if attention is given to the different types of hacking and how to either discourage or encourage

them. The best way to combat unethical hacking and encourage ethical hacking is through an

earlier introduction into the field to motivate prospective recruits. Additionally, the constant

negative portrayal of hacking by the media should be countered by the acknowledgement of

ethical hacking to create a more welcoming environment and discourse were people learn

more about the practice. Finally, grey hat hacking must be shown to be the slippery slope that

can cause company software, public websites, and online services from being at the whims and

opinions of the hackers who call themselves hacktivists. It is important that the public learn

that the best hacking practices are the ones that are authorized and keeping us all safe.
 Bibliography

"Statistics show 2019 may be worst year ever for data breaches." US Official News, 21 Aug.
2019, p. NA. Gale OneFile: News,
https://link.gale.com/apps/doc/A601506606/STND?u=albu78484&sid=STND&xid=1200
daa5. Accessed 17 Oct. 2019.
"THE MORRIS WORM; 30 YEARS SINCE FIRST MAJOR ATTACK ON THE INTERNET." States News
Service, 2 Nov. 2018. Gale Academic Onefile, https://link-gale-
com.libproxy.unm.edu/apps/doc/A560889522/AONE?u=albu78484&sid=AONE&xid=e36
cfcc8. Accessed 17 Oct. 2019.
“2011 New Mexico Statutes :: Chapter 30: Criminal Offenses :: Article 45: Computer Crimes, 30-
45-1 through 30-45-7.” Justia Law, law.justia.com/codes/new-
mexico/2011/chapter30/article45/.

“Equifax Data Breach Settlement.” Federal Trade Commission, 23 Oct. 2019,

www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement.

“How One Teenager Is Making Millions by Hacking Legally.” BBC News, BBC, 1 Mar. 2019,
www.bbc.com/news/av/technology-47407609/how-one-teenager-is-making-millions-by-
hacking-legally.

“Nation's Big Three Consumer Reporting Agencies Agree To Pay $2.5 Million To Settle FTC
Charges of Violating Fair Credit Reporting Act.” Federal Trade Commission, 13 Jan. 2000,
www.ftc.gov/news-events/press-releases/2000/01/nations-big-three-consumer-
reporting-agencies-agree-pay-25.

“Settlement of Target Data Breach Consumer Class Action Is Derailed On Appeal.” Data
Protection Report, 27 Apr. 2018, www.dataprotectionreport.com/2017/02/settlement-of-
target-data-breach-consumer-class-action-is-derailed-on-appeal/.

“Uganda Prime Minister Hacked 'over Gay Rights'.” BBC News, BBC, 16 Aug. 2012,
www.bbc.com/news/world-africa-19281664.

“What Is a Credit Report and What Does It Include?” Equifax,

www.equifax.com/personal/education/credit/report/what-is-a-credit-report-and-what-
does-it-include/.
“What Is the Difference Between Black, White and Grey Hat Hackers?” Official Site,
us.norton.com/internetsecurity-emerging-threats-what-is-the-difference-between-black-
white-and-grey-hat-hackers.html.

Brown, Aaron. “Britons' DIRTIEST Secrets EXPOSED: Hackers Threaten to LEAK Ashley Madison
Cheaters Online.” Express.co.uk, Express.co.uk, 21 July 2015, www.express.co.uk/life-
style/science-technology/592354/Ashley-Madison-Established-Men-Hack-Avid-Life-
Media-Sexual-Fantasy-Credit-Card-Name.

Code.org. “Computer Science Climbs to 4th Most Popular STEM Major for College-Bound
Students.” Medium, Medium, 9 Jan. 2019, medium.com/@codeorg/computer-science-
climbs-to-4th-most-popular-stem-major-for-college-bound-students-773ce681b96c.

Dunhill, Jack. “Programmer Uses His Tech Skills To Get Hilarious Revenge On Phone Scammers.”
IFLScience, IFLScience, 19 June 2019, www.iflscience.com/technology/programmer-uses-
his-tech-skills-to-get-hilarious-revenge-on-phone-scammers/.

Freeman, Jason. “The Computer Fraud and Abuse Act (CFAA).” Freeman Law, 5 Jan. 2019,
freemanlaw-pllc.com/computer-fraud-abuse-act-cfaa/.

Freeze, Di. “The Complete List of Hacker And Cybersecurity Movies, Version 2.0.” Cybercrime
Magazine, 29 Aug. 2019, cybersecurityventures.com/movies-about-cybersecurity-and-
hacking/.

Hamilton, Isobel Asher. “Here's What It's like Being a Hacker Millionaire under the Age of 25.”
Business Insider, Business Insider, 22 Sept. 2019, www.businessinsider.com/how-2-
white-hat-hackers-became-millionaires-before-the-age-of-25-2019-9.
Hurwitz, Judith, et al. Big Data For Dummies. [Electronic Resource]. For Dummies,
2013. EBSCOhost,
search.ebscohost.com/login.aspx?direct=true&db=cat06111a&AN=unm.978111864417
1&site=eds-live&scope=site.

McCoy, Kevin. “Target to Pay $18.5M for 2013 Data Breach That Affected 41 Million
Consumers.” USA Today, Gannett Satellite Information Network, 23 May 2017,
www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-
affected-consumers/102063932/.

Mills, Elinor. “FBI Arrests 16 in Anonymous Hacking Investigation.” CNET, CNET, 19 July 2011,
www.cnet.com/news/fbi-arrests-16-in-anonymous-hacking-investigation/.

O'Brien, Sara Ashley. “Equifax Data Breach: 143 Million People Could Be Affected.” CNNMoney,
Cable News Network, 8 Sept. 2017,
money.cnn.com/2017/09/07/technology/business/equifax-data-breach/index.html.
Robinson, Rick. “Two Important Lessons From the Ashley Madison Breach.” Security
Intelligence, 28 Oct. 2015, securityintelligence.com/two-important-lessons-from-the-
ashley-madison-breach/.

S. Patil, A. Jangra, M. Bhale, A. Raina and P. Kulkarni, "Ethical hacking: The need for cyber
security," 2017 IEEE International Conference on Power, Control, Signals and
Instrumentation Engineering (ICPCSI), Chennai, 2017, pp. 1602-1606.
doi: 10.1109/ICPCSI.2017.8391982