Data leaks evolving into weapons of business destruction

Most of the recent data breaches involve customer information such as user names and passwords, credit card numbers, and medical histories. The companies hacked are hurt — they have to contact victims, pay for credit monitoring services and fines, and may lose customers, brand reputation, and market value — but that is collateral damage.

Or it has been.

Increasingly, attackers are using data leaks to target the companies themselves, going after proprietary or embarrassing information and releasing it in such a way as to do the most harm.

That’s a change that companies need to be aware of, said Andrew Serwin, co-chair of the global privacy and data security group at San Francisco-based law firm Morrison & Foerster.

“I believe that we are moving into a space where the attacks will be less B-to-C centric, in terms of the data targeted, and be both B-to-B and B-to-C focused,” he said.

Data-loss prevention strategies that just focus on the personally identifiable data are no longer enough, he said.

“Companies need to view this issue as a governance issue and make sure they take a holistic view of the issue,” he said.

And the need for action is urgent, as both the hacking tools and the leak channels increase in sophistication.

“It’s a combination of a lot of things that we’ve seen for a lot of years coming together,” said Ric Messier, head of the cybersecurity program at Burlington, Vt.,-based Champlain College. “The fact that it’s so easy to do this leaking and be able to manipulate people in this way certainly suggests that we’re probably just starting to see the beginning of these sorts of activities or attacks.”

Businesses have been slow to pick up on this, he added.

“The monetary motivation across the world of attack space has changed,” he said. “It used to be kids on Internet Relay Chat channels outing someone else that they didn’t like — that’s been around for ages. But we’ve taken it to a different level, leaking information to potentially manipulate stock prices, or for blackmail or extortion.

As long as there’s money to be made in leaking information, we’re absolutely going to see it continue to increase.”

And the potential for damages is much larger than in leaks of personally identifiable information such as credit card numbers.

“There are mechanisms in our existing financial infrastructure that help companies recover from the losses that sometimes occur,” said Ray Rothrock, chairman and CEO at security firm RedSeal. “But you can’t recover from the trust factor.”

Just ask Ashley Madison, HBGary, or Mossack Fonseca, the lawfirm at the heart of the Panama Papers leak.

Or ask St. Jude. This summer, the medical device maker saw its stock price drop when a security report was released claiming vulnerabilities in the company’s pacemakers — while the company that released the report made money short-selling the stock.

“When this report hit the wire, St. Jude’s stock went down 5 percent in the same day,” Rothrock said.

“And there are rumors that sometimes companies are attacked by nation states that are playing a financial game,” he added. “Or what if oil companies got after each other and started putting out bad cyberrumors as a competitive weapon n a contract negotiation or a supply chain negotiation — that would be huge.”

There’s a lot of money that could potentially be made here.

“It’s probably going to get worse before it gets better,” he said.

Another recent example is that of the Dark Overlord hackers, who used the threat of disclosing private information to try to extort money from companies.

They made the threats in connection with a ransomware attack, said Sean Mason, director of threat management and incident response at Cisco Systems.

“They went through and locked up all of the critical assets and data — after ensuring that they copied everything,” he said.

When one of the victims, investment firm WestPark Capital, refused to pay, the hackers released non-disclosure agreements, contracts and other documents.

The hackers also published a note claiming that the firm’s CEO “spat in our face after making our signature and quite frankly, handsome, business proposal.”

“It is becoming a growth industry on the criminal side of things,” said Mason. And while some companies take a hard-line stance and will not be blackmailed, others will consider the price a drop in the bucket and pay up.

The current season of USA Network’s Mr. Robot had it as a plot device, he added. “It’s become mainstream enough that it’s in TV shows.”

But paying the ransom is no guarantee that the data won’t come out.

Sure, releasing the data right away will harm their reputations and make other victims less likely to comply. But there’s also no reason for them to delete something that they might use at some point down the line.”

[ RELATED: The history of ransomware ]

“Data can have a long half-life depending on whom it affects,” said Wendy Nather, advisory board member to RSA Conference and research director at the Washington, DC-based Retail Cyber Intelligence Sharing Center.

A wider view of risk

Public leaks of proprietary information is changing the way that some companies look at core data protection.

“Most enterprises have focused their efforts on PII,” said Kennet Westby, president at security firm Coalfire Systems. “Executive emails, human resources, communications about deal structures — that kind of information has not traditionally been incorporated into the risk assessment for most enterprises.”

But that has “changed tremendously,” he said, and now the enterprises that his company works with are looking beyond data that can be easily sold on the black market, to data that can damage corporate reputations, trade negotiations, and market value.

“That could be a much more significant impact to the enterprise than a PII data breach, which can be managed trough a financial program and a good incident response plan,” he said.

The nature of the attackers has changed as well. The threats are coming from ordinary criminals, as well as from market manipulators, hacktivists, disgruntled employees or customers with a vendetta, business rivals, and even nation-states.

“If you’re not doing the data discovery, somebody else is going to be doing it for you,” he added.

But not in a good way.

It doesn’t help that more and more communications are going digital, he added, and are vulnerable to discovery.

“We’d rather text people than talk to them, or send an email on a subject that might be much more appropriate to a private conversation,” he said. “That culture has extended to executives and other key members of teams using Twitter or social media, and communicating through their own email servers or Yahoo or wherever.”

Who’s next?

“My prediction, based on the Russian playbook, is that they’ll go after media,” said Adam Meyers, vice president of intelligence at CrowdStrike.

The FBI recently investigated a hack of the New York Times that was connected back to Russia, he said.

“There was not anything disclosed at the time, but the fact of the Russian intrusion at a media organization is certainly significant,” he said.

A leak of embarrassing information, or which would potentially be seen in a negative light, could cast doubts on the legitimacy of the press.

“What they need to do, in order to really cause a mess in the U.S., is to get us to question the electoral process and the result of the election,” he said. “We’ll be paralyzed for months if that happens. We’re already doing it by ourselves, but if we’re on the edge of the cliff, they can do a lot to push us over the edge of the cliff.”

And the information doesn’t even have to be accurate, he added.

A Russian news organization aired a story that said that a hard-core, right-wing candidate had won an election in the Ukraine based on supposedly leaked information from the Ukrainian election authorities — but the hackers had not actually succeeded in breaking in, and the leaked information was completely fictitious.

The emergence of platforms like Wikileaks, which earned their reputation based on whistle-blowers like Edward Snowden, can provide a cover for these kinds of attacks.

“You can leverage dissident hacktivist groups, and if there aren’t any dissident hacktivist groups, you can make them up,” Meyers said.

“What’s most concerning is they’ve established that there’s credibility around the documents, and if they were to start putting fake stories in there, it would be very difficult to go through and validate that as not true,” he said. “Verification of these documents is very difficult and time-consuming. And it might be irrelevant if it’s true or not — the damage would have been done.”

A nation-state in particular might take a long-term view and leak real documents through a particular platform in order to establish its credibility.

“If I am a nation state, I might want to appear to be a hacktivist or freedom fighter, establish a reputation over time, and then strategically use those leaks — maybe even modify some of that data,” said Rich Barger, chief intelligence officer and director of threat intelligence at ThreatConnect. “A few sentences here or there, and I might begin to introduce some fake information. If I have enough of a following, and I do it long enough, I’ll have established trust and folks wouldn’t be as critical or look as deep into the information I put out.”

Plan for failure

Better security and employee education may reduce risk of data leaks but won’t eliminate it, and companies need to plan for the worst case scenario.

“If you’re doing things that you think would be embarrassing on the front page of the New York Times, then it’s going to get on the front page of the New York Times,” said French Caldwell, chief evangelist at governance, risk and compliance company MetricStream and former Gartner vice president specializing in risk management.

We’re now in a world without secrets, he said.

“You’re just going to have to get prepared for the fact that it’s going to happen,” he said. “You have to assume that it is going to get out there somehow, either through a hack or through a whistleblower.”

Organizations built around transparency will have an advantage on this front, he added.

And everyone needs to be prepared to respond quickly on multiple fronts.

“With social media, these crises get blown up extraordinarily quickly, and it becomes a social storm,” he said. “What is your response to a social storm? It’s not something you want to be learning about on the fly.”

He suggested that companies take a look at their business operations and identify areas where there might be an issue with public perception and be prepared to respond.

For example, he said, a company might be using hazardous chemicals — but those chemicals also offer significant advantages. “In the event of a crisis, are you prepared to make the argument about the benefits of what you’re doing, so that you’re engaging in this public policy debate?”

In fact, a company or their employees might be unintended victims in an otherwise unrelated attack.

“One of the things that is a bit concerning and the disclosures that are going through WikiLeaks now is that it’s not apparent what the actual immorality or the crime is that warrants the disclosure of every single email,” said Mark McArdle, CTO at security firm eSentire.

“There is a collateral damage aspect,” he said. “A mom talking about a doctor appointment for a child — there is no merit in having those types of disclosures.”

Elevating security

One positive benefit of all the leaks — both those aimed at personally identifiable data and at proprietary corporate documents and communications — is that it has elevated the discussion of security and risk in general.

No longer limited to the IT department, it has become a concern for finance, for sales and marketing, for investor relations, for top executives, and for corporate boards.

“As you see more and more of these types of events come up, and the entire organizations realizes that they need to plan for these types of events, you’ll definitely see more and more collaboration,” said Jesse McKenna, director of cybersecurity product management at security firm vArmour. “Not just a security response plan, but a coordinated response plan.”

And that goes for budgets, as well, he added. “How much are you willing to spend now to prevent a potential catastrophe in the future?”

A leak might cost a CEO their job, or even destroy an entire company.

But there’s another possible upside to the current climate.

“My optimistic response would be that the additional risk of exposure for CEOs or executives would make them far more cautious and would — ideally — prevent them from engaging in activities that, if exposed publicly, could cause them to lose their job,” McKenna said.

He’s not alone in thinking this.

“I think in a sense, that’s something that we can bring away from this,” said Paul Shomo, senior technical manager at security firm Guidance Software. “Organizations operating at a more acceptable and ethical level, while at the same time reducing the risk from weaponized data affecting you.”