Data & Privacy Breaches: How to Protect Yourself

Data Breaches Stem from Privacy Breaches

Most consumers think of a data breach as something small—the password they used when they signed up for that now non-existent pet website 10 years ago has been discovered by hackers. They get a weird email asking them to click, and by now, after years of Nigerian Prince emails, they know it’s probably a scam or some kind of phishing attempt.

But in reality, data breaches are far more serious, none more so than the recent SolarWinds attack carried out by suspected Russian hackers in December 2020.

SolarWinds

This motherlode of all hacks was deceptively simple but enabled its hackers to procure far-reaching information. New reports indicate that it might have gone undetected for months.

What happened? Austin, Texas-based company SolarWinds, Inc., makes software called Orion, a network administration tool used to monitor the health of a company or organization’s network. It’s used by just about every major company you can think of, and it’s believed that 18,000 users—including Fortune 500 companies like Microsoft, Nvidia, and Cisco, as well as U.S. government agencies like the Department of Energy, Department of Homeland Security, and U.S. Postal Service—were affected. It might have even breached the servers that control the nuclear arsenal.

So far, so bad, right?

How did it happen?

Let’s start with the basics. Four of the most common types of data breaches are phishing, ransomware, malware, and DDOS (denial of service attacks).

  • Phishing is the kind of scam most consumers are used to. It begins in the form of an email or attachment that gets you to click, which then either installs malware on your computer or scrapes your information by enticing you to enter password and login info.
  • What is malware? It’s the software that is downloaded onto your computer that nabs your info.
  • Ransomware is simply malware that hijacks your system by encrypting your data then shows messages demanding to be paid to unencrypt your data. It is used primarily to hold corporations hostage.
  • A DDOS is a distributed-denial-of-service attack, in which a network or networks are taken down completely by creating a digital bottleneck of sorts. The victim’s website or network is simply overwhelmed by an overload of service requests. One such example is the 2016 attack on Dyn, an internet performance management and web application security company that was owned by Oracle. This attack shut down the internet for most of the East coast.

Unlike the Dyn attack, the SolarWinds attack used malware to reach its ends. The malware, which was appended to software updates, is able to grab a foothold inside these mega-corporations and government agencies’ networks, giving it a so-called “backdoor.”

Attacking Widely Used Apps & Services

Bob Sullivan, an independent security journalist at BobSullivan.net, and a visiting scholar at Duke University’s Sanford School of Public Policy explained why it was so seemingly easy for this cybercrime to occur.

“Imagine if someone could put an app on your phone that drained your bank account,” Sullivan explained. “It’s one thing if you put it on your phone, it’s another thing that they put it in an update for Android or for Apple. And now it’s on millions of phones. So that’s what happened with the SolarWind supply chain attack.”

Security firm FireEye, which studied the SolarWinds malware, explained that “after an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.”

The problem may be so insidious that the government’s networks may not be safe right now and it may be impossible to completely unravel the hack. It’s also still unclear what the hackers were after—information for espionage or something else. Many possibilities emerge: from stealing administrative access tokens to grabbing data.

Though it seems that just 10 or 12 agencies were actually affected, “it’s still really, really early in the forensics on what happened,” Sullivan said.

Why breaches matter?

Data breaches aren’t new, of course. Over the past decade, some major breaches have infiltrated many consumer sites.

In March 2018, MyFitnessPal was hacked and 143.6 million records were compromised. Everything from usernames to email addresses and hashed (encrypted) passwords were gathered.

Then there’s the infamous Equifax hack in September 2017, in which another 147 million consumer records were breached, ultimately affecting 56% of Americans. The Equifax hack was particularly bad—Social Security numbers, birth dates, driver’s license numbers, and credit card numbers came wrapped up in a bow for the hackers.

But the hack considered the worst before SolarWinds was the Yahoo breach of 2016, with up to 3 billion records accessed, including the telephone numbers, birthdates, and email addresses of Yahoo users.

The most nefarious of these hacks are deployed to steal sensitive government information. The hack on the U.S. Office of Personnel Management in April 2015, now believed to be carried out by Chinese hackers, sucked information of more than 20 million former and federal employees. The OPM hack was particularly troubling because it meant that security clearances, some involving fingerprints, were scooped up.

“So if you want to conduct espionage,” Sullivan said, imagine what a spying agency could do. “Hey, here are the fingerprints for the top generals in the government, for example.”

More targets, more breaches

As more of us are online, it’s not surprising that data breaches are on the rise. The Identity Theft Resource Center reported in 2019 that the United States saw a 17% increase in breaches during 2018. But the good news is that there was a decrease of 65% of sensitive records exposed.

Statista showed a 10-fold increase in breaches over the past 15 years—from 157 in 2005 to 1,506 in 2019. But, like ITRC, the number of records that have been exposed have varied—bouncing from 169 million in 2015 to 36.6 million in 2016 and up to a high of 471 million in 2018.

Everyone is fair game

No business sector is immune, but some of the key places consumers may find themselves vulnerable to cybercrime are in the areas of education, medical/insurance, and financial services.

Though the complete numbers for 2020 won’t be released until the end of January, the ITRC’s 3rd quarter data shows that the number of breaches was down 30% from 2019, with 846 breaches, and the number of identities that were compromised was also down 60%. However, that data comes before SolarWinds is factored in.‍

Think globally, act locally

With consumer-related breaches, multinational companies experiencing leaks obviously are bad for customers. For example, a breach at one of your bank’s international branches may mean they also gained access to your information. Ditto for those passwords you used to sign up for Topshop and Forever 21; if they are exposed in a breach in Europe, and you used any of those passwords anywhere else, you are at risk.

And, there’s a longer tail to consider. Even something as simple as an email infiltration may turn out to be much more dangerous 20 years down the line. Sullivan posited a what-if scenario where a person whose email was hacked eventually becomes a government employee or a top-ranking official in a major organization. Now, he says, “Maybe China, maybe Russia, maybe Iran, maybe a rogue criminal outfit, has a database with all sorts of information” about that employee, he said.

“They can suddenly look up old emails that she has and say, wait a minute, ‘Hey, turns out you had an affair 20 years ago, maybe you want to share a little bit more with us or we’ll tell the world,’” he said. “This is how long-term espionage works. There’s a pretty strong belief that that’s the kind of thing that’s happening regularly.”‍

How can you protect yourself?

The more you are online, the more exposed you are. So, the more gadgets you have, the more email accounts you have, and the more cameras you have, the more targets you present to hackers.

The best thing that someone can do to protect themselves right now is to decrease what security experts sometimes call “attack surface,” or those devices that you don’t realize are all online, monitoring your activity.

So, in addition to the obvious targets—cell phones, personal computers, home assistants like Alexa—there’s the stuff you’re not thinking about: your “smart” fridge, your “smart” TV, and, yes, even your car, especially those with modern computer systems. Ultimately, they’re all vulnerable.

Shrinking your personal attack surface

Besides limiting the number of online devices (hello, spycam on your doorstep?), consumers can protect themselves by keeping an eye on their passwords and making sure they haven’t been breached. The website Have I Been Pwned is a good resource to find out if you’ve been a victim of a hack.

Enter in your email and the site will tell you if your info has been compromised in one of the many breaches. Subscribe and you’ll find out which websites or beaches you had a starring role in, giving you a guideline for which passwords need to be changed.

Choose better passwords

The days of using the same password repeatedly, or using easily discovered combinations (like birthday and place of birth), are over. Using strong passwords with capital letters, unique symbols, and numbers is key, but using a different password for every single site is also imperative.

Using password managers like 1Password or LastPass can come in handy for managing all this data. They both save a master password and then they can suggest strong passwords for you and sync between devices (on iPhone, you can enable face recognition to open the “vault” for LastPass).

Some browsers are starting to embed this information into their software—Google Chrome will now alert you whenever you log in that a password has been compromised.

Get used to 2FA

Two-factor or multi-factor authentication is another tool for the protection of information. It’s becoming nearly the default for most websites, particularly financial websites, to feature multi-factor authentication. In this method, when you sign into a website, you’ll also get a text message to your phone or your email sending a code to verify your identity.‍

What will the future hold? Predictions for 2021

Unfortunately, it’s likely that more online security breaches will occur. The coronavirus, for example, offers ample opportunities for scammers to take advantage of consumers and businesses.

“I’ve already heard about scams where people say, ‘pay this or enter this information, and you can jump the line for the vaccine,’” Sullivan said. Phishing campaigns, in general, have become more sophisticated and specific: social media assists hackers who are targeting individuals.

“It’s pretty easy for people to find out what’s going on in your life on social media, and to craft a very tailored phishing email that lures you into submitting personal information,” Sullivan said. “Most of the big hacks you hear about—by the time you drill down, you’ll find that some poor employee at the company fell for something like that.”

Ransomeware is here to stay

And ransomware is still on the rise: even though the rule of thumb in any hostage situation is to never negotiate or pay, companies and individuals who are the subject of these hacks often just pay to make the problem go away.

“Ransomware is a huge business and getting bigger all the time,” Sullivan said. “It’s worth a ton of money to the criminal gangs that do it. It’s just incredibly successful. People are paying tens of millions of dollars in ransoms.”‍

The bottom line

Cybercrime is not likely to go away anytime soon and may start to shift into different forms. But as consumers are increasingly online, protecting data before a breach happens is the best defense.

If you need help understanding how best to do that, Lokker has solutions that enable businesses to block, share, or anonymize personal data to all integrated 3rd-party apps in real-time. Lokker offers a free website scan to help companies see exactly what customer information is being shared with 3rd-parties unintentionally and putting your company at risk.

To run your free privacy scan report for free, simply visit www.lokker.com.

 

Author:
J.D., CISSP, CIPM, CIPP/E, FIP. Expertise in law, technology, information security, data privacy, healthcare analytics, and healthcare. Develops privacy and security programs; collaborates across the company to deliver creative solutions while ensuring the privacy and security of data. Passionate about creating a culture where all employees understand the importance of handling data correctly, recognize and speak up about potential issues, and are actively engaged in the process. Experience with Privacy Regulations (HIPAA, GDPR, CCPA etc.), Formal Certifications (ISO, SOC, HITECH, EHNAC), and De-Identification of Data.