Case Study: Virtual Companies and Identity Theft

JetBlue was compromised by hackers for three years, from 2008 to 2011, and lost over 160 million credit card numbers, which in itself is not unusual. However, due to the unique structure of the company and its seemingly casual corporate response, the attack highlights a major breakdown of accountability between the client and JetBlue. The attack started with malware being placed on legacy computer systems that were to be replaced in future upgrades. The thieves appeared to be working out of Russia or Ukraine, as server interconnections led back into this region; two of the defendants were caught, and three more are still at large. The goal of the attack was clear from testimony: to obtain credit cards, passwords, names, and personal information. Once the malware was found, the company's efforts were subdued and amounted to notifying its staff after a two-month investigation, as well as reporting to authorities in the form of notifications to the state attorneys general in Maryland and New Hampshire that the breach had occurred. Passengers and the public, on the other hand, were not notified of any issues, and only a limited communication was eventually provided to the public, in which it was reiterated that JetBlue staff had been provided with credit monitoring for one year at no cost.
Why is this attack and its fallout any different from others around the world? One hint is the way JetBlue is structured: it is a virtual company, which has become a growing trend in the hyper-competitive global economy. The airline business has many overheads, including but not limited to fuel prices, unionized labor, expensive fixed assets, and the need for highly trained staff. Likewise, while many nations subsidize or own their country's airline, in the United States airlines are private for-profit enterprises competing for the same domestic and international customers, who may also be served by companies located outside the States. To cut costs while at the same time providing a high-quality customer experience with fast bookings, ease of access, and low prices, JetBlue aggressively removed fixed costs, such as centralized call centers, that are not directly related to servicing the airplanes. Therefore, in place of call centers the agents work from home, and administration tasks are automated or provided remotely from computer centers. Since the goal is 100% uptime, this means not only spreading out the workforce geographically but also interconnecting it with robust telecommunications and services. This may explain why older systems were still in production, and therefore vulnerable to breach, as they were in constant use.
Corporate culture now comes into play with a virtual company's design. The logic used here is as follows: if a company has little or no physical contact between employee and employer, as is the case with the agents at JetBlue, then the staff and customer base become an abstraction to management, removing the employees' and clients' welfare as a tangible reality to management. The analogy is that of a fighter pilot dropping bombs on a city in contrast to a foot soldier coming face to face with an enemy. The pilot has limited feedback from the horror he commits on the ground, while the soldier has immediate, sensory information of fear, anger, and despair.
The foot soldier lives the outcome of the effect he has caused, while the pilot is insulated and does not. When such insulation is extended to the relationship between management and its customers and workers, poor choices and behaviors by management can occur.
The question then is whether a virtual company can provide real care and concern for its staff and clients. From the actions of JetBlue in this case one would have to say no, since JetBlue's reaction was not to immediately inform the customer base and only later to provide rudimentary credit checks for the affected staff. How then to counteract such a situation, since virtual companies, due to their flexibility and cost savings, will continue to grow and shape the future business world? The solution proposed is not to return to 19th- or 20th-century corporate structures but rather to treat the loss of customer or staff information through error, neglect, or poor design as a natural aspect of business. The example used will be the loss of personal information, but it could also be expanded into other areas such as credit and medical information.
The proposed solution is a self-healing system, which is hidden in the actions taken to rectify the breach but visible in the communication to the public, authorities, and personnel affected by the breach. Returning to the case of JetBlue, and using the same compromise as an example, the malware is placed on older information systems and then discovered three years later. At the point of discovery and confirmation that a breach has occurred, automated procedures and systems would go into action. Credit checks would be done automatically for each affected employee on the backend; new passwords and digital certificates would be issued for all users and client sites; public notification and government involvement would be initiated via predefined memorandums of understanding to bring full awareness of the breach. At the same time, backend systems would be automatically scanned and reviewed, with a short list of end-of-life equipment to be replaced on an accelerated schedule. Budgetary funds that had been automatically accumulating for just such an event would be freed to provide for the above corrections, with predefined authority for expenditures on the various projects needed to rectify the vulnerabilities. Finally, personal information gathered on the clients would be reviewed for tampering or potential identity theft, and anomalies would trigger automatic notification to those customers who may have been attacked. At this point one could envision a further stage of automation in which bank records, credit history, and medical records are readjusted to ensure that any criminal identity misuse is removed, thus allowing for a better credit score or a refund of fees garnered during the period of theft.
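The tampering review in the proposed response, as an added example that is not part of the case study: each stored customer record is sealed with an HMAC under a key held outside the record store (an assumption about the backend design), and after a breach is confirmed every record is re-verified, returning the customers whose records no longer match their seal so the notification step can be triggered. Field names, the key, and the sample records are constructed for illustration.

```python
"""Added example: post-breach integrity review of customer records."""
import hashlib
import hmac
import json

# Assumption: the sealing key lives on a separate backend system, not on the
# legacy hosts that held the customer records. Constructed value for the demo.
SEAL_KEY = b"constructed-demo-key-not-for-production"


def seal_record(record: dict, key: bytes = SEAL_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over a canonical JSON form of the record.

    Canonical form (sorted keys, no whitespace) makes the tag independent of
    how the record happened to be serialized when it was stored.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = SEAL_KEY) -> bool:
    """Constant-time comparison, so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(seal_record(record, key), tag)


def review_for_tampering(sealed: list[tuple[dict, str]], key: bytes = SEAL_KEY) -> list[str]:
    """Return the customer ids whose record no longer matches its seal.

    This is the list the case study's response would hand to the automatic
    customer-notification step.
    """
    return [rec["customer_id"] for rec, tag in sealed if not verify_record(rec, tag, key)]


def demo() -> list[str]:
    # Constructed sample records, sealed at the time they were stored.
    records = [
        {"customer_id": "C-1001", "name": "A. Example", "mailing_address": "1 Main St"},
        {"customer_id": "C-1002", "name": "B. Example", "mailing_address": "2 Main St"},
        {"customer_id": "C-1003", "name": "C. Example", "mailing_address": "3 Main St"},
    ]
    sealed = [(dict(r), seal_record(r)) for r in records]
    # Simulate the anomaly the review exists to catch: one customer's mailing
    # address has been silently changed after sealing.
    sealed[1][0]["mailing_address"] = "99 Other Rd"
    return review_for_tampering(sealed)


if __name__ == "__main__":
    print("customers to notify:", demo())
```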
1. What is the goal of such self-healing systems?
2. What steps can be taken to ensure the security and integrity of virtual companies?