Score one for the hacktivists: PayPal (EBAY) has caved to cyberattackers who support WikiLeaks. The online payment company released funds it had held back since last Friday. The lesson? When you find the right point of pain, intimidation can go a long way. The question is who else will crack? And is this just a sign of things to come?
Right now, activist hackers are using their Operation Payback infowar to attack institutions and people they saw as hostile to WikiLeaks and its founder, Julian Assange. They brought down the site of MasterCard (MC) and Visa (V) as well. for restricting accounts and affecting the organization's ability to raise and collect funds. Amazon (AMZN) is a likely target, as payback for kicking WikiLeaks off its cloud hosting service.
Now that the hacktivists have scored a first victory, the question is: how many, if any, of the other targets will fold? PayPal likely used the money as a peace offering, but even it hasn't returned the account to normal status. This amount of direct pressure from the federal government is difficult for a corporation to ignore. However, seldom do things reach such a state. Could it be that, going forward, hacktivists taking action on far less high-profile cases will find companies far more receptive to give in and get back to work? After all, this type of cyber arm twisting has been around for years, only out of the public eye.
Government pressures PayPalEver since WikiLeaks began to release the 250,000 classified diplomatic cables it had received from an anonymous source, the , with elements of both the Obama administration and Congress putting pressure on companies to stop doing business with WikiLeaks.
PayPal was one of several channels that WikiLeaks used to gather funds. On December 3, PayPal issued a brief statement that it had locked out WikiLeaks:
PayPal has permanently restricted the account used by WikiLeaks due to a violation of the PayPal Acceptable Use Policy, which states that our payment service cannot be used for any activities that encourage, promote, facilitate or instruct others to engage in illegal activity. We've notified the account holder of this action.Restriction, in this case, included freezing funds that people had already donated.
Although PayPal tried to portray the action as simply following its usual policies, there was additional impetus: quiet pressure from the U.S. State Department, which had alleged that WikiLeaks was breaking the law, even though it has not publicly made clear which U.S. laws the whistleblowing site was breaking.
Cyberattack worriesAt a conference in Paris, PayPal Vice President of Platform Osama Bedier seemed to shrug off the issue of online retaliation by hactivists:
One of the signs that you're a successful payments company is that hackers start to target you, this case isn't anything different.Targeted they were. Initially, the attack wasn't successful, but an additional attack brought the site down from late Wednesday afternoon, Pacific time, into early Thursday morning.
Sometime Thursday, PayPal had changed its mind and released the WikiLeaks funds, although it did not reinstate the account. And the company took pains to try and create a nuanced statement by General Counsel John Muller to show that it wasn't giving in to hackers:
We understand that PayPal's decision has become part of a broader story involving political, legal and free speech debates surrounding WikiLeaks' activities. None of these concerns factored into our decision. Our only consideration was whether or not the account associated with WikiLeaks violated our Acceptable Use Policy and regulations required of us as a global payment company. Our actions in this matter are consistent with any account found to be in violation of our policies.
Online protection racketsNotice that there is no direct mention of the attacks, though, obviously, that was as precipitating a factor as any communication from the State Department. However, there's nothing new in the concept. For years, security experts I've spoken with have mentioned online versions of protections rackets. Criminal groups threaten corporations with attacks unless paid. And some companies do.
The lesson? Organized groups really can interrupt your operations. In August 2009, a series of attacks affected Facebook, Twitter, and Google. Spending adequate money on computer security isn't a black hole when you consider the financial implications of hours of outage.
- WikiLeaks Cyberwar! Business Is a Target -- and Also Collateral Damage
- Twitter vs. WikiLeaks: Algorithms Are Uncontrolled Corporate Spokespeople
- WikiLeaks Puts Corporations on Red Alert. First Responders: The Lawyers
- The Wrong WikiLeaks Lesson: Clamp Down on Info Sharing
- WikiLeak vs Bank of America: How to Maintain Morale Amid A PR Crisis
- Bank of America is Not the Only Company that Should Fear WikiLeaks