Stored Data is a Double-edged Sword

Image by Myntex

Cybercrime exploded during the pandemic and continues to rise. Enterprise organizations reporting huge data breaches this year include Apple (18MM users), Microsoft (65K companies in 111 countries), and Twitter (5.4MM account profiles). While American companies are targeted more than most, the problem is global in scope.

“2022 has been littered with thefts of sensitive information. This year, they’ve affected companies and organizations of all shapes, sizes, and sectors.”

You Don’t Have To Be Rich or Famous

Personal Identifiable Information is considered the top category sought in breaches because customer data typically includes financial records. On the dark web, customer PII – representing 80% of breaches reported in 2020 by IBM & Ponemom. It adds up fast when stolen data can be sold by criminals online to fraudsters for US$175 per record.

The ID Theft Center notes in its’ 2022 Business Impact Report that 57% of US small businesses have had a security or data breach, or both. This proves all businesses are at risk of exposure and economic loss despite headlines highlighting the major violations.

Five of the Worst Recent Cyberattacks

Australia has been hard hit with hacks this year, including the latest cyberattack which targeted the Department of Justice. Two of the biggest breaches jeopardized the privacy of millions of its’ citizens.

A massive data breach at Australian telecom, Optus, in September may have been the worst incident there ever. The company has close to 10 million subscribers (about 40% of the country’s population).

The hack was either a State-Sponsored attack (SSA) or conducted by a crime organization, penetrating the company’s firewall to find sensitive info. Physical addresses, driver’s licenses and passport numbers were amongst the intel obtained. No ransom was paid despite the hacker’s demand for US $1.5MM. However, the cost for Optus to settle the resulting class action lawsuit could be between $5B and $20B, with payments per individual of between $5,000 to $20,000.

In October, Australia’s largest health insurance provider was hacked. Medibank holds the private records of every client, past and present, affecting 10 million victims. All were visible to the assailants – including those belonging to foreign students.

Reports show, beyond the personal data obtained, “Significant amounts of customers’ health data was compromised as well.” This includes health claims data, Medicare card numbers, and policy numbers. Following these infringements, Australia’s government moved to make companies more accountable. The Attorney-General wants penalties “three times the value of the benefit obtained through misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period” – whichever is higher, up to the maximum fines of $50MM against repeatedly breached companies.

Medibank’s stock price plummeted 14%, which was the sharpest drop for the company in a single day since it started trading shares. The company is still investigating; however, it believes a criminal organization compromised user credentials. It then started payment negotiations after stealing data. Police warned Medibank not to pay the cyber extortionist. In November, the hackers followed through on a threat to pay the ransom within 24-hours or they would publicly release the stolen data. Millions of health records were posted on the dark web. The cost to remediate the damage caused by the breach is expected to be $150MM.

As for repeat breaches, the Costa Rican Government declared a state of emergency in May after its second cyberattack in as many months by the ransomware gangs, Conti. In its first assault, Conti demanded $10MM from the Ministry of Finance, which declined to pay. The second attack saw a single threat actor from the Ransomware-as-a-Service (RaaS) organization claiming responsibility.

One report noted, “In the first two days of the attack alone, the Costa Rican Chamber of Foreign Commerce estimated losses of over $125 million.” To try pressure the newly elected President to pay, the attackers sent an intimidating message saying it would be able to overthrow Costa Rica’s government if ransom wasn’t paid, raising the amount to $20MM.

The Conti attack prompted the US government to offer rewards of up to $10MM for identifying information on the location of Conti leadership and a further $5MM if the intelligence leads to arrest of any conspirators in a Conti ransomware incident in any country.

“This type of attack is designed to be controlled remotely. Malware operators hack into a network and gain domain and administrator credentials, locking and encrypting the entire hard drive.” Conti leaked more than 670 gigabytes of data on May 20th from Costa Rican government servers.”

An American student loan servicing company, Nelnet, is facing a class action over a data breach affecting the Oklahoma Student Loan Authority and Edfinancial. “Nelnet failed to uphold its data security obligations to Plaintiff and Class Members,” the suit alleges. “As a result, Plaintiff and Class Members are significantly harmed and will be at a high risk of identity theft and fraud for many years to come.”

The names, addresses, email addresses, phone numbers, and Social Security numbers of those impacted were exposed. Further information on the how the breach happened was not shared by Nelnet.

More than 2.5 million borrowers had their private information stolen when an unauthorized actor gained access to the company’s network from June 1st through to July 22nd. It wasn’t identified until August 17th. The breach could result in those affected being targeted by bad actors for subsequent attacks such as, impersonation, social engineering, phishing, and various scamming schemes from the PII being sold on the deep web.

One of the largest verified breaches to date this year targeted the fantasy digital pet company, Neopets. According to the rogue hacker, interviewed by BleepingComputer, the account data of over 69 million members had been stolen, but did not reveal how they gained access. The database contained source code for the website owned by Jumpstart; a subsidiary of China based NetDragon. Instead of extorting the company, interested buyers were being courted in online forums.

It’s surprising the attacker didn’t demand ransom, considering NetDragon group currently holds over US$40MM worth of cryptocurrencies. (Perhaps this attack aimed to raise the hackers’ status?) Instead, the source code and database for the popular website is up for sale on an online forum. The hacker is only asking four bitcoins, valued at US $90,500. Last November, NetDragon sold ~4,200 non-fungible tokens over four days. The NFTs are known as the Neopets Metaverse Collection.

How Criminals Obtain Private Data

Most data breaches are due to cyberattacks, with phishing and ransomware continuing to be the root causes again this year. Security Magazine found the largest attack vector was “unknown” in Q1 2022, which was a 40% increase in the total number of unknown breaches for all of 2021. “While data breach notice updates may include more attack information, the increasing lack of transparency in the notices is a risk to organizations and consumers.”

Hacking was the primary cause of data breaches in companies with 500 or less employees. However, remote workers were responsible in 35% of reported incidents and third-party vendors in another 29% of cases. More than half of the companies though their accounts were compromised by responding to a direct message and 45% say a phishing link or shared account credentials with an impersonator was to blame. One-third said the malicious actor claimed to be a customer, prospect, or vendor.

About half of the impacted companies spent between a quarter and a half million dollars to cover the cost of these breaches and almost 20% spent from $500k to $1MM USD. Coming back from a breach can take one to two years for most companies. In addition to the financial burden, a third of those surveyed experienced loss of customer trust.

Perception vs Reality

Questions are being raised as to whom or what is to blame for the proliferation of major data center breaches around the world. With governments, service providers, retailers, insurers, and health care agencies amongst some of the biggest hacks this year—cybersecurity experts point to apathy.

Fittingly, the responsibility lies with CEOs, CISOs, boards, and corporate policy. There is a focus in business today that prioritizes data intelligence over data security.

According to Harvard Business Review, most companies either don’t have any cyber insurance or not enough. Furthermore, with the increase in ransomware attacks and payouts, the industry itself is at risk. Ransomware attacks have skyrocketed, and payouts have grown exponentially. This is a worrisome trend for insurers.

For example, “With around 250 companies buying at least $200 million in protection, it would only take five insured losses of a bit more than that amount to wipe out an entire year’s premium. That’s only 2% of the companies in the market buying that much coverage. That kind of loss would likely take decades for insurers to earn back such losses.”

Clearly, the focus needs to be on prevention instead of damage recovery.

A Better Way To Block Attacks

Considering the main gateway to ransomware attacks and breaches is phishing, you have to look at your mobile device management. BYOD policies put businesses at risk. You need to mitigate the element of human error. Perhaps the most important practice you can instill in your workforce is password hygiene. But even the best cybersecurity training can’t stop employees from inadvertently making a mistake. Unless you remove unnecessary apps, internet browsing, and other activities not essential to business communications, you will never be truly protected. Don’t settle for a free app that is only focused on privacy and not on network security. Ensure your teams’ messages and calls are secured by a service provider that uses end-to-end encryption and doesn’t store any of your PII in its data center.