Scammers, particularly cyber thieves, make their living by finding the easiest ways to separate marks from their money. That is, this type of criminal doesn’t want to work too hard. Breaking into the information systems of some of the world’s largest (and deep-pocketed) organizations is a huge job using conventional methods. Brute-force attacks on encryption protocols can take a great deal of time and technology to succeed. Physically infiltrating data centers, office buildings and other physical locations is supremely risky and very difficult to do. All these things are too much work anyway for the typical crook. Instead, these miscreants look for the easy way to gain access to protected systems. Like any con man, they leverage human foibles to trick their way into the vault.
After your organization has been the victim of a data breach is the worst possible time to begin looking at how the scammers were able to defeat your best security efforts. Closing the proverbial barn door after the horses have been stolen is no way to run a rodeo. The best time to examine the vulnerabilities in your information security is before you become a target of some slick-talking slacker who wants all the benefits of your hard work for himself.
This paper aims to illustrate what a target organization looks like through the eyes of a hacker or cybercriminal. As noted, these perpetrators are opportunistic and are constantly looking for weaknesses to exploit. For this reason, it truly doesn’t matter what industry or industries represent the juiciest targets – though there are definitely some that make for greater conquest than others. But the common thread woven through all stories of data breaches and the woe that follows is external data privacy (or lack thereof).
After exploring the most notorious examples from the last year and the last decade, this document will also underscore the specific external data privacy vulnerabilities that made each breach successful for the criminal. It will also examine how Privacy Bee for Business identifies and eliminates those same attack vectors. The resulting perspective will help inform a strategy for strengthening defenses against cyber-attack and data breach.
Where the Hackers are Hunting
As of the writing of this paper in late summer 2023, there have already been thousands of organizations breached this year alone. Let’s examine a handful of 2023’s most high-profile, US-based breaches and determine if there is a pattern that might suggest a preference among hackers for any particular industry.
Target: T-Mobile
This well-known wireless telecommunications company was breached not once, but twice so far in 2023. While the second breach of this year (in May) only resulted in the theft of personally identifiable information (PII) of over 800 customers, it was the January breach that really stung! It was in January when T-Mobile determined a malicious actor had gained unauthorized access to internal information systems and exfiltrated the PII of more than 37 million customers! The telecom company expects this large breach will cost the company many millions more than the $350 million they were compelled to pay to customers in a settlement stemming from a 2021 breach. Between the ’21 debacle, this year’s breach affecting 37 million customers and then the May breach – small as it may be comparatively – T-Mobile is likely to lose much more in future opportunities as public trust in the organization has taken a beating.
Using a Smishing attack – where SMS text messages are used to deliver phishing schemes – hackers fooled an HR employee at this leading publisher of video games like Call of Duty, Tony Hawk’s Pro Skater, Crash Bandicoot and others. The HR employee tricked by the Smishing scam delivered access to extensive employee data including emails, cell phone numbers, work locations, salaries and other sensitive information. All this private information is as good as gold for hackers who leverage this sensitive knowledge to effectuate other social engineering scams – phishing, whaling, email spoofing, ransomware and others – to defraud the company further.
Proper External Data Privacy would keep employee mobile numbers private, preventing this type of breach.
Target: Mailchimp
Using a social engineering attack, cybercriminals breached the data systems of the popular email marketing platform Mailchimp in January of 2023. While the breach delivered access to employee information and credentials (and not necessarily customer PII), there were two other breaches of Mailchimp information systems within the last 12 months, including episodes in April and August of 2022.
Target: Norton Life Lock
Illustrating the long-tail effects of prior data breaches, even after corrective measures have been taken to protect against subsequent attacks, online identity protection firm Norton Life Lock was breached in January of 2023. Six thousand customer accounts were exposed in this breach, which was accomplished using the credential “stuffing” technique, wherein previously compromised passwords are leveraged to breach accounts where a password is shared. Stuffing can be defeated using two-factor authentication. However, when user passwords are exposed in unrelated breaches, hackers can (and often do) create and maintain databases of user PII and cross-reference individuals across different online sites, where they then attempt to use compromised passwords – counting on the fact that many people use the same password in many different locations.
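The stuffing pattern described above has a recognizable shape in authentication logs: one source trying many different accounts with a low success rate, as opposed to one user fumbling one password. The following is an added illustration (not part of the paper, and not Privacy Bee's product) that parses a constructed log, flags sources matching that shape, and lists the accounts that logged in successfully from a flagged source, i.e. the reused-password accounts a second factor would have protected. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the paper). One line per
# login attempt: timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z login user=alice src=203.0.113.7 result=FAIL
2023-08-01T10:00:05Z login user=alice src=203.0.113.7 result=OK
2023-08-01T10:01:00Z login user=bob src=198.51.100.9 result=FAIL
2023-08-01T10:01:01Z login user=carol src=198.51.100.9 result=FAIL
2023-08-01T10:01:02Z login user=dave src=198.51.100.9 result=FAIL
2023-08-01T10:01:03Z login user=erin src=198.51.100.9 result=OK
2023-08-01T10:01:04Z login user=frank src=198.51.100.9 result=FAIL
2023-08-01T10:01:05Z login user=grace src=198.51.100.9 result=FAIL
2023-08-01T10:01:06Z login user=heidi src=198.51.100.9 result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(OK|FAIL)$")

def parse_auth_log(text):
    """Return a list of (timestamp, user, src_ip, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append((ts, user, src, result == "OK"))
    return events

def detect_credential_stuffing(events, min_users=5, max_success_rate=0.25):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A user mistyping a password hits one account from one IP; a stuffing run
    replays leaked user/password pairs across many accounts, so the
    distinct-user count is high and the success rate is low (assumed thresholds).
    """
    by_src = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _, user, src, ok in events:
        s = by_src[src]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += int(ok)
    flagged = {}
    for src, s in by_src.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "attempts": s["attempts"], "success_rate": rate}
    return flagged

def accounts_needing_step_up(events, flagged):
    """Accounts that logged in successfully from a flagged source: the
    reused-password victims a second factor would have protected."""
    return sorted({user for _, user, src, ok in events if ok and src in flagged})
```

Running `accounts_needing_step_up(events, detect_credential_stuffing(events))` on the sample flags 198.51.100.9 and returns `["erin"]`, the one account whose reused password worked.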
Target: Twitter
In January 2023, exploiting an API built in 2021 (and supposedly patched soon after, when the vulnerability was discovered), hackers breached the social media behemoth’s information systems. One hacker claimed to have listed more than 400 million users’ PII for sale on the dark web. It was also soon confirmed that another hacker had released 235 million Twitter users’ account details and email addresses for free! This kind of data release makes it easier for cyber criminals to derive context clues and develop purpose-built social engineering campaigns they can deploy against countless other organizations and individuals. In this particular case, the compromised API was one used by a third-party service working for Twitter. APIs, according to Gartner research, are becoming a favored vector for this kind of attack.
Just among these five recent breaches alone, a stark pattern emerges, and it illustrates precisely what hackers look for in a juicy target. There are numerous reasons why a hacker might have chosen any of the above five organizations to attack. And not all hackers have the same immediate objective. Some may wish to extort a cash bounty from a deep-pocketed company via ransomware attacks or phishing schemes that direct false payments into the hacker’s bank account. Others may seek access to sensitive systems for purposes of industrial espionage or IP theft. Others still may have a political or ideological axe to grind and want to shame, embarrass, or discredit an organization to further their ideological viewpoint. Whatever the motivation though, the one common thread that attracts a threat actor is the availability of huge pools of PII data: the kinds one would most assuredly find in the databases of a leading telecom service utility, a wildly popular video gaming company, a digital mass email marketing service provider, an identity theft-defense company or a global social media giant.
Famous bank robber Willie Sutton was once asked why he robbed banks, to which he replied, “because that’s where the money is.” Similarly, with private data having become a currency unto itself, the bad guys go after the large companies, “because that’s where the PII and other private data is.”
The volume of compromised data records continues to expand exponentially too as more and more cybercriminals discover the profit potential inherent in stolen data and the relative ease of stealing it as compared to other criminal strategies. The following chart from Statista illustrates the number of compromised data records in selected data breaches between 2012 and April of 2023. Remember that this is but a small selection of breaches amid a veritable torrent of instances. But it does show that the volume of individual records exposed is skyrocketing precisely because hackers recognize the exceptional value inherent in PII and the vulnerability of large pools of such data that result from today’s widespread lack of solid external data privacy practices.
Number of Compromised Data Records in Selected Data Breaches as of April 2023 (in millions)
What Other Attributes Make an Organization an Attractive Target?
Context Clues and Social Media Scraping
One breach may only capture a few basic and innocuous data points for millions of users. But fed into a sorting algorithm or using AI, threat actors can and do build dossiers or profiles on every individual who uses the internet. Each new breach can add more context to an individual’s profile and, over time and subsequent to disparate breaches, very detailed profiles are assembled on millions of internet users. These context-rich profiles – particularly on higher-value target individuals such as top executives, political leaders, high-net-worth individuals and others – can then be exploited to field very convincing social engineering attacks to separate hundreds of millions of dollars from organizations and/or individuals.
It is worth noting at this juncture that this process of developing contextual profiles for every single internet user in the world is exactly the business model of data broker companies. To read in more detail about how data broker companies operate using this strategy, you can read Privacy Bee’s white paper titled “Exposing the Threat to Data Privacy Posed by Data Brokers & People Search Sites”. It is also why data broker sites themselves represent a very tantalizing target to hackers, due to the “Willie Sutton” maxim.
In a stunning example of the long game played by hackers and the primary/secondary nature of data breaches, consider the story of the 1.2 billion user data “scrape” attack against leading professional social network LinkedIn. In 2021, LinkedIn was made aware of the fact that hackers had exfiltrated vast volumes of personal data on more than a billion users of that site. In its defense, LinkedIn made the distinction (lacking a difference) that because the data is public on their site, this event could not fairly be characterized as a “data breach”. While there is some semantic logic to this argument, the appearance of all this PII on the underground market for stolen data was just as troubling to those affected regardless of how it was collected.
What’s even more illustrative is that not long after the initial bulk data was released, a highly refined database of more than 88,000 business owners on LinkedIn was posted for sale on a hacker forum. Because professionals generally tend to keep their LinkedIn profiles up to date with detailed information about their employment, employers and pursuits, this data is particularly fertile for producing very specific (and therefore more difficult to spot) social engineering attacks on these professionals.
In fact, all social media sites are highly attractive playgrounds for hackers and cyber crooks precisely because users there, by design, regularly share detailed personal information that can be used by threat actors in their planning. Individuals should be very measured and cautious about what they share on these social media platforms, though most are not. Yet, if individuals and organizations made efforts to secure the vast majority of their PII and unmanaged external data currently floating around across the internet, they’d significantly lower the probability of being the victim of social engineering attacks, because they’d have removed their PII from most of the locations where it is vulnerable to being used in pursuit of highly contextualized social engineering campaigns. So, even if they wanted to share pictures of their trip to Peru, or that they’d accepted a new position as VP of Human Resources at Chickentronics, the hackers would have far fewer context clues (culled from elsewhere) to use in the development of convincing phishing emails and other social engineering attacks.
Third-Party Vendors and Other Back Door Hacks
Target: Target Stores
In a 2013 incident infamous in the annals of infosec history, 60 million records were stolen in a breach of national retail outlet Target Stores. The breach included names, phone numbers, emails, credit card numbers and verification codes, and other sensitive customer information. Target was subsequently the (ahem) target of a class action lawsuit that was decided in favor of the plaintiffs and awarded $10 million in damages to thousands of customers who could prove they suffered losses as a result. On top of that, Target was compelled to pay a multi-state punitive settlement of $18.5 million. The source of the breach that led to nearly $30 million in fines and damages (to say nothing of the losses from reputational damage)? A spear-phishing attack upon a third-party vendor Target used to service their heating, air conditioning and ventilation systems yielded access to Target’s customer service database, and from that foothold the hackers deployed the malware they used to capture the sensitive PII of 60 million customers!
Privacy Bee’s Vendor Risk Management would have likely prevented this breach.
Target: Uber
It was a third-party vendor of IT asset management services whose subpar data hygiene practices enabled hackers to gain access to their customer’s internal systems. The customer? Uber, the ride share leader whose systems were hit for the PII of 77,000 Uber employees in December of 2022. Analysts with VentureBeat.com suggested in the wake of the hack, “that enterprises can’t afford to rely on the security measures of third-party vendors to protect their data, and suggests that organizations need to be much more proactive in conducting due diligence on which entities they choose to partner alongside.”
What Can be Done to Make any Organization a Far Less Attractive Target?
Ultimately, lowering the profile of any organization in the eyes of threat actors requires a concerted and ongoing campaign aimed at reducing the unmanaged exposures of the organization’s workforce everywhere on the internet. Privacy Bee for Business offers the only completely comprehensive solution platform to identify, eliminate and maintain acceptable external data privacy risks on an ongoing basis. What follows are the first or primary steps in the overall process. New customers of Privacy Bee for Business undergo the following steps, which are applied to all employees with any information systems access in any quarter of the enterprise. The same processes are equally deployed for all employees of third-party vendors or contractors with any systems access or integrations.
100% Free Privacy Threat Monitoring and External Privacy Data Audits are the best place to begin to identify where unsecured data for all your employees may exist all over the internet.
For consumer customers, the Privacy Bee solution performs continuous monitoring to scan the net for any public exposures of the customer’s personal data and reports any exposures so that mitigation steps can be quickly undertaken. For the Business customer, Privacy Bee’s External Privacy Data Audit provides in-depth reporting on external exposures and their cost to a company’s productivity. Turning those stats into figures, the financial risk assessment provides a conservative estimate of the cost these external exposures impose. The platform provides full employee privacy audits, covering how many employees have been exposed, what type of exposures they’ve had, and the source of the exposure. The tool sets detect recent critical vulnerabilities and target where to start cleaning up employee data.
The Privacy Risk Assessment (PRA), also 100% free, is roughly 75 questions and takes about an hour to complete. It explores how customer and employee data is managed by your organization, illuminating any unmitigated risk and opportunities for improvement. Once completed, the answers help derive your organization’s Privacy Risk Score.
Once these audits and assessments have identified where the unsecured data lives, it is time to embark on an ongoing campaign to remove it.
Data Broker Removal services from Privacy Bee mobilize an army of “worker bees” to continuously issue, manage and reissue DSARs (data subject access requests) covering all identified unsecured data. Privacy Bee manages the requests, correspondence and ongoing steps needed to erase customer data from the more than 350 data broker and People Search Sites in the US. This labor-intensive process is handled by the Privacy Bee solution, so users are not saddled with the administrative burden. Privacy Bee boasts the industry’s highest removal success rating.
Marketing List Removal service is critical to businesses seeking to minimize unwanted distractions to their workforce derived from spam and targeted marketing. This is also useful in mitigating HR poaching.
Privacy Preference Management on the Privacy Bee platform provides the ability for each user to create their own “whitelist” or “privacy bubble” by cataloging the list of all sites a user visits or has visited, then allowing trusted sites to collect their data while barring distrusted sites from doing so. For the Business customer, this type of selectivity allows all company business machines to be configured with trusted sites and to enforce prohibitions against any user visiting web properties deemed to be a privacy risk for the client company. The Business solution provides graphical visualizer dashboards with risk assessment scoring for every website, so that management can gauge the risk/reward profile of all sites the workforce may visit and interact with.
Vendor Risk Management is crucial to protecting the internal workforce as well because all best efforts can be defeated if the organization’s business partners are not exercising the same diligence in protecting privacy. If a vendor or other business partner has any access to information systems, then it is imperative that they be covered under the same privacy umbrella. Privacy Bee is fully extensible to provide such coverage to any organization’s external partners and business connections.
Reach out today to learn how to license Privacy Bee to protect your organization from the threats associated with unsecured external data.