One DOOZY of a data breach: the passwords and details of 5 million Fortune 50 company employees leaked




Eric De Grasse
Chief Technology Officer

21 September 2016 – As has been reported by multiple media sources this morning, personal details of 5.5 million employees from the world’s 1,000 biggest public companies have been discovered online by a British cyber security firm that searched through data compromised by recent breaches of popular websites. Digital Shadows found details including corporate email addresses and passwords from 97 per cent of the 1,000 companies, including Apple, JPMorgan Chase, Bank of China, Daimler and Google.

The UK firm trolled through data leaked from popular services such as LinkedIn, Dropbox and MySpace, looking for users who had signed up using their work email accounts. Many of them had simply reused their work passwords. Nearly 300,000 people’s details had been stolen from dating websites, including Ashley Madison and Adult Friend Finder; Ashley Madison alone yielded corporate emails and passwords of more than 200,000 people working for big companies.
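The check described above (searching leaked credential sets for work email addresses, separating newly exposed credentials from repackaged ones, and testing whether a leaked password is also the person's current work password) can be reproduced on a small scale from a defender's side. This is an added illustration, not Digital Shadows' tooling; the leak records, the monitored domains, the directory and its salted SHA-256 hashing are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample leak records (source, email, plaintext password); not real data.
LEAKED = [
    ("linkedin", "alice@example-corp.com", "Summer2012!"),
    ("dropbox", "alice@example-corp.com", "Summer2012!"),   # same credential, repackaged
    ("myspace", "bob@example-corp.com", "hunter2"),
    ("linkedin", "carol@example-mail.com", "pass123"),       # personal address, out of scope
    ("dating-site", "dave@example-bank.com", "Dave1984"),
]

MONITORED_DOMAINS = {"example-corp.com", "example-bank.com"}

def hash_pw(password, salt):
    """Salted SHA-256 stand-in for whatever the corporate directory stores (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed corporate directory: email -> (salt, hash of the current work password).
DIRECTORY = {
    "alice@example-corp.com": ("s1", hash_pw("Summer2012!", "s1")),  # reused work password
    "bob@example-corp.com":   ("s2", hash_pw("Correct-Horse-9", "s2")),
    "dave@example-bank.com":  ("s3", hash_pw("Dave1984", "s3")),     # reused work password
}

def corporate_exposures(records, domains):
    """Keep only records whose address is on a monitored corporate domain."""
    return [r for r in records if r[1].rsplit("@", 1)[-1].lower() in domains]

def split_new_vs_repackaged(records):
    """Count credentials seen for the first time vs already present in an earlier leak."""
    seen, new, repackaged = set(), 0, 0
    for _, email, pw in records:
        key = (email.lower(), pw)
        if key in seen:
            repackaged += 1
        else:
            seen.add(key)
            new += 1
    return new, repackaged

def reused_work_passwords(records, directory):
    """Emails whose leaked plaintext matches the hash of their current work password."""
    hits = set()
    for _, email, pw in records:
        entry = directory.get(email.lower())
        if entry and hmac.compare_digest(hash_pw(pw, entry[0]), entry[1]):
            hits.add(email.lower())
    return sorted(hits)
```

Accounts returned by `reused_work_passwords` are the ones to force-reset first; the new-versus-repackaged split answers the "are these details new?" question the article raises.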

Having just returned from a cyber security conference in Munich it was … well … interesting timing. The cost of a single data breach can be enormous — an IBM study found that the average total cost to a company is $4 million. High-profile victim TalkTalk lost 101,000 customers, spent £60 million and faced a parliamentary inquiry. Last year, data breaches cost British businesses about £34 billion.

Much of the data uncovered by Digital Shadows had not been previously leaked — 90 per cent of the 5.5m usernames and passwords were newly available online. And THAT is a big, big issue. Said Rick Holland, vice-president for strategy at Digital Shadows:

“We were analysing leaks going back to 2012, so I thought we would see a lot of duplicates, but only 10 per cent of credentials had been in previous leaks. Whenever a breach becomes public, the first thing our clients ask is: ‘Are these details new or repackaged?’ So this is bad news.”

As online threats race up national security agendas and governments look at ways of protecting their national infrastructures, a cyber arms race is causing concern across the developed world. Studies have found that more than 60 per cent of people reuse passwords, and compromised credentials can also be used for phishing attacks and extortion attempts. Combining stolen information can allow cyber criminals to piece together comprehensive user identities, cyber security experts said. Robert Capps, vice-president of business development at NuData Security, said:

“One frightening example is the ‘Facebook of Everything’ that China’s intelligence service is compiling from the personal data stolen over several high-profile US cyber breaches. Their stated goal is to compile it into a massive Facebook-like network to build a profile of everyone, with more details than Facebook.”

I have written about this before. The Chinese are the masters of Remote Access Tools (RATs) that attackers use to gain control of compromised machines. One of the scenarios used at prior cyber conferences (and updated at the Munich conference) runs like this:

1. The Chinese navy is known to be interested in expanding its capabilities from green-water activities (near to shore) and building up a blue-water, or deep-sea, presence. To do that, it needs to advance its satellite communications, boat building, robotics, and other technologies.

2. So the naval officer says to his intelligence forces “here’s the five-year plan”. He does not use the military’s elite hacking crews, because he doesn’t want this traced back to the military. But there are plenty of crews for hire that are only loosely affiliated with the government, so he uses one of those. He says, ‘Get me everything you can on these technologies.’

3. That starts with open-source intelligence collection. They find out who the key people are at the tech companies they’re interested in, and do a Google search. They get people, facilities, potentially who the company’s software vendors are, and what kind of security software they run. They get the jargon they can use to start crafting an attack. And if they can get access to you they will find out who your partners are and get access to them. It is all about exploiting a trust relationship. They can run all the names through social media — Facebook, Twitter, LinkedIn — and map your personal relationships. They will get the information they need.

4. Best time to attack? Attacks follow marketing guidelines on what day and time is best to send out e-mails that people will open. Like Tuesday, late morning. Or they’ll send something on a day before a three-day weekend, because they know all Americans are going away. Best weekend attack windows? Memorial Day weekend and Fourth of July weekend.

NOTE TO OUR E-DISCOVERY INDUSTRY AND LAW FIRM READERS: Logikcull is running a webinar tomorrow, 22 September, entitled “Preventing the next Panama Papers: Tips for protecting client data in the age of cybercrime”, which looks to be an excellent event on law firm data security.
