What the 2017 Data Breaches Tell Us About Today’s Cybersecurity Landscape
Each year, I am privileged to bring you a synopsis of key data breaches of the previous year. A brief look back provides us with context for the year that’s unfolding, and for this year’s BC AWARE CAMPAIGN in particular.
As always, when writing this kind of article I rely mostly on a website called Privacyrights.org, which has been around, like a BFF, since the early 1990s, and which since 2005 has been amassing a wonderfully detailed and useful database of data breaches. In contrast to Wikipedia.org, which listed 4 data breaches in 2017, our good friend privacyrights.org lists over 500! Categorized by year, breach type and industry sector, it is a source of data breach details that you can use to spot real trends, build a business case for new cybersecurity spend, or do a background check on a new third-party vendor.
Right off the bat, the following 2017 breaches will ring a bell: Equifax, Deloitte, Uber, and the Paradise Papers – each has something to say about where we are today in cybersecurity. But in this article I also want to finish off with the forgotten type of data breach – accidental disclosure and human error. It’s amazing how often this type of data security incident shows up in this wonderful treasure trove of a database.
Equifax – Cybersecurity as a Business Risk and a Business Process – Right Where It Hurts
This breach really, really hurt, for a couple of reasons. First of all, imagine we gathered up all of the information about you that you disseminated to all of the trusted companies, businesses and other entities you have ever come into contact with. Then imagine all of the affiliated companies that received that data second-hand, legitimately, thanks to the fine print in privacy policies. Among all of these, a credit reporting agency is most likely to end up with the most potently sensitive ‘crown jewels’ – birthdate, driver’s license number, employment history, SSN/SIN, borrowing history, and credit score – you know, the data that leaves you susceptible to identity theft and your underwear somewhere near your ankles. Equifax in the US had over 145 million records breached, mostly of US residents, but also of tens of thousands of Canadian and UK residents.
Beyond the unprecedented enormity and potency of this breach was the astonishing attitude of the sacked CEO, who blamed it entirely on one of his 225 cybersecurity specialists who did not notify the organization of an available software patch. This situation underscores two things in particular: (1) CEOs remain responsible for mitigating all risks, including cyber risks, which is why the Equifax CEO lost his job over this, and (2) a cybersecurity program should be made up of control processes that involve multiple employees, e.g. supervision, managerial approval, a clear chain of command, an incident response plan, etc. You can never blame a catastrophic data breach on a single individual unless there was nefarious intent, which did not apply in this case at all.
Uber – Tone at the Top hits Rock Bottom
Another breach…another 57 million breached records…a big tech company focussing on the cutting edge…not on security. Wait. Not so fast. This breach is noteworthy for demonstrating how ‘tone at the top’ can trickle down so pervasively as to define how almost everything gets done within an organization. First, there were the widely reported sexual harassment cases that led to the departure of the CEO and at least 20 other employees. But Uber topped their cake with the way they dealt with a late 2016 data breach that came to light in 2017. Rather than notifying their 57,000,000 customers and drivers and the Federal Trade Commission (FTC) of a breach of Uber data discovered on a third-party site, they spent their energy paying a ransom of $100,000 to the hackers and then pressuring them into signing a non-disclosure agreement to stay quiet about the whole incident. Backfire. This approach is not only illegal and unethical, it’s dumb, and it makes it more difficult for law enforcement authorities to bring the criminals to justice. When it comes to data breaches – remember, the truth will set you free, and maybe jail the perpetrators too.
Deloitte
A massive email server holding correspondence between Deloitte and clients across all sectors was breached. This breach serves as a reminder that even a ‘Big Four’ firm with a global cybersecurity practice is susceptible to unmanaged cybersecurity threats. Cyber risk as a business risk is personified in this breach, and at the heart of it is erosion of trust in the reputation of the victim firm. When all is said and done, Deloitte will have done all of the right things to minimize this kind of breach cost, but that cost is difficult to quantify, and only time will tell what the real impact will be on its brand.
Paradise Papers
Thanks to Appleby, we had another year, and another breach, that highlighted the growing divide between the rich and the poor, and how the rich avoid paying their fair share of taxes. Along with the Mossack Fonseca breach in 2016, this breach highlights that the legal sector, as perhaps the economy’s most important intermediary, rightfully amasses one of the most sensitive data treasure troves of all.
The legal industry in general has been behind the eight ball for years when it comes to cybersecurity. How can this statement be backed up? Try the first 2018 data breach bombshell. On January 24, 2018, a list of over 1.1 million law firm credential email addresses, and many corresponding passwords, was found on the Dark Web, implicating no less than the top 500 law firms in the UK. Researchers indicated that many of these credentials were collected as a result of prior breaches of third-party SaaS firms that facilitate the transfer of data between law firms and their clients via a browser and email. Notably, hackers recovered many of the passwords by cross-referencing the breached email addresses against other breached databases of social networking sites such as LinkedIn, MySpace, Tumblr, etc. This kind of issue calls for more education about not using corporate credentials on any other websites on the Internet.
Whether it be foreign corporate actors looking for pre-acquisition advantage in negotiations, organized crime looking for data to use in extortion, divorcing partners looking to lower alimony payments, or a host of other actors and motives, law firms often host the most sensitive data. In 2017, as in prior years, they have therefore been a significant target of sophisticated cyber actors and amateurs alike.
Other Quakes Not Termed Data Breaches
Another key characteristic of 2017 is how eventful a year it was. The cyber arena is getting more action-packed and mesmerizing every year. Look no further than the WannaCry ransomware attack, which the US blamed on North Korea, and which hit UK healthcare and Maersk Shipping, among others, particularly hard. NotPetya demonstrated that state-sponsored adversaries can create and distribute ‘wiperware’, which deletes data permanently and is the ultimate damage-maker if the victim’s backup and restore process is not rock solid. And, of earth-trembling magnitude, NSA hacking tools were themselves stolen and disseminated on the Internet for hackers of all stripes to begin using – one of those demoralizing cyber events that was quietly helping to define a new world order while the rest of us were tracking the new US President’s Twitter feed. Finally, an early 2018 headline temblor originated with the Spectre and Meltdown microchip vulnerabilities, which will figure into cyber news headlines for years to come.
Human Errors and Accidental Disclosures
Aside from the Yahoo breaches of recent years, which amounted to some 3 billion records, few cyber events have been as large as the River City Media breach of March 2017, which involved 1.357 BILLION records linking email addresses to physical addresses and IP addresses – a stalker’s dream jackpot. It was only a disclosure of data, discovered without evidence of unauthorized access – but what potential for harm!
In summary, of the 500-plus breaches reported to have occurred in 2017 according to Privacyrights.org, some 150 were of the Disclosure variety, meaning that data was accidentally disclosed to unauthorized parties, usually the whole Internet. That’s 30% of all data breaches in 2017. How could they have been prevented? In general, only process can prevent accidental disclosure. We often talk about people and technology when we talk about cybersecurity. What’s less talked about are the manual security processes that catch the mistakes of those who are undertrained or who simply make a human error.
written by Edward Pereira, Principal Consultant, Carmel Info-Risk Consulting Group