Massive API Breach Claims New Victim: The CEO

ProgrammableWeb recently reported on a security breach that LandMark White (LMW), Australia's largest independent property valuation and property consultancy firm, had blamed on an insecure API. The aftermath of this incident, which exposed the loan details of over 100,000 customers, has led several key executives, including the CEO, to step down from their positions. As organizations rush to keep their footing in the digital economy, this fallout shines new light on the incredibly active role that today's CEOs must play in the security conversation if they want to keep their jobs.

The headline resignation is former CEO Chris Coonan, who had been with the company for 15 years and held the position of CEO since 2016. The company released a statement confirming his resignation:

“Chris Coonan, supported by the board, agrees that the changing nature of our business and market conditions – combined with major reputational challenges caused by the recent cyber-attack – has changed the requirements for this role and the executive leadership of LMW.”

In addition, former CFO Frank Hardiman and LMW co-founder Glen White stepped down as well. LandMark White has since announced that Timothy Rabbitt, the former managing director of Taylor Byrne (which was acquired by LMW in October of 2018), has been appointed acting CEO while the company searches for a permanent replacement.

Plausible Deniability No Longer the Status Quo

As API security issues, and by extension the data leaks that they allow, become increasingly common, it is growing more difficult for executives to claim plausible deniability. Thanks in large part to the Cambridge Analytica scandal that rocked Facebook, the general public now expects not only that data security is taken seriously, but also that there is adequate transparency into how data is shared. The time when CEOs could claim a lack of awareness of these issues and skirt responsibility seems to be gone.

What Can Be Expected from CEOs

It is possible that LandMark White’s CEO resigned because he realized that he didn’t have the technical prowess to steer the company away from situations such as this. It is also possible that the company’s “major reputational challenges” seemed too great to be overcome with him at the helm. We will never know which was the case; maybe both. What we do know is that technical prowess is already perceived as a highly valuable trait for a CEO to possess. A LinkedIn study from 2018 noted that the most common degree for a CEO to hold is in Computer Science, and this won by a wide margin. However, as we highlighted before, even super tech-savvy CEOs like Mark Zuckerberg have proved vulnerable to these kinds of problems. Zuckerberg has faced an increasing number of calls for his resignation over the past year, including from a group of investors following the Cambridge Analytica scandal.

So what does all of this tell us? That API security is hard, REALLY hard. Even the companies with the most resources to throw at API security (the ones who hire the very best talent in the world), such as Google, Facebook, and Apple, have had API security problems. ProgrammableWeb published a story several years ago titled "The Naked Truth About Internet Security", which discussed a major breach of Apple's security, a situation that rattled many users who had felt secure in trusting the company's products.

In the future, it is all but certain that a solid commitment to API security will need to become a core business value. Rather than building products with security as an afterthought, organizations will need to embrace a secure-by-design approach that is baked into the organization's culture, right up to the CEO. For anyone looking to brush up on their API prowess, ProgrammableWeb has spent the past several years creating API University, a great resource for best practices, tips, and tutorials for API providers and developers. The content extends from "Understanding The Realities of API Security" to "Is the API in Your App a Trojan Horse?"
