All Your Data Are Valuable (and May Now Belong to Hackers)
Every company is comprised of a variety of sensitive data - from HR and payroll handling medical, financial and personally identifiable employee data to your precious intellectual property, which might include proprietary source code. And each of those data types go for a price on the black market, making them valuable to attackers financially as well as for blackmail purposes.
In a breach notification letter (PDF) made public by the state of California (the first state to mandate data breach reporting since 2003), Sony informed employees of the type of data stolen by intruders in what may go down in history as one of the messiest, most public data breaches. The data stolen included the following personally identifiable information:
- Names and addresses
- Social security numbers, drivers’ license numbers and passport numbers/other government identifiers
- Bank account information and credit card numbers
- Usernames and passwords
- Compensation and other related employment information (including benefits, retirement and termination plans and previous work history)
But it doesn’t stop there - even employee medical records were compromised, making Sony a surprising HIPAA offender. The stolen health information also included:
- Name, date of birth, home address and Social Security number
- Claims appeals information submitted to Sony Pictures Entertainment (SPE)
- Diagnosis, disability code and member ID numbers of employees/dependents
- Health/medical information provided outside of SPE health plans
Warning: Phishing May Lie Ahead
The breach letter also urges employees to be cautious when it comes to email, telephone and postal mail scams asking for personal information. They also recommend that employees review account statements, monitor credit reports and change passwords. It’s fairly common in the event of a high-profile breach that scammers and phishing attempts pop up as criminals try to leverage the increasingly detailed coverage of the investigation as it unfolds.
A 2014 Internet Threat Trends Report by CYREN (PDF) found a 73 percent increase in PayPal-related URLs and website phishing attacks seen in the first quarter of this year after eBay’s breach (eBay owns PayPal and uses their services for their online store). The report also found that over 18k PayPal-related phishing websites were found within a two-week span, outranking the 2k Apple-related phishing sites in the same timeframe, paling in comparison. Find more information and infographics about recent breaches like this in our Modern Guide to Retail Data Risks.
California: Site of Major Data Breaches; Retail, Tech & Now Entertainment
Sony’s data breach contributes to the 18.5 million residents of California that had their data breached in 2013, resulting in a 640 percent increase from the previous year (2.5 million). California’s State Attorney General released one of the more comprehensive state data breach reports I’ve seen thus far, revealing 53 percent of breaches were the the result of malware and hacking, accounting for 93 percent of total records breached.
According to the report, the numbers were skewed by two companies with large numbers of users and customers that were responsible for 7.5 million of those breached records, including Target and Livingsocial. Find out more about the report in California Breaches Increase 30 Percent in 2014; 84 Percent Retail.
Data breaches may be considered major on a qualitative, rather than quantitative level. Rather than measuring the extent and scope of a breach based on number of individuals affected, the Sony breach exemplifies a case in which the sheer diversity of information renders this breach a particularly momentous one.
The data leaked encompasses not only nearly every facet of employee personal data, but also valuable company data and files, including movies that haven’t yet been released. Imagine if your tech software company’s source code for a not-yet finished or released product was leaked - it could affect your company on many different levels, including an impact on competitors and market value.
Other leaked data includes credentials to servers, FTPs and YouTube accounts. Two-factor authentication can help protect against the success of unauthorized access by requiring more than just ‘something you know’ to log into server accounts.
Protecting SSH (Secure Shell) sessions and access to servers with two-factor authentication is an effective way to stop remote attacks, as exemplified in this Yelp case study. Yelp protects their SSH and VPN connections with Duo Security’s two-factor authentication for employees in over 24 countries worldwide.
Economics of the Stolen Data Market
As Symantec found through research, prices have dropped for some types of data including email accounts, but they hold steady for data like bank account data. They suggest that the aforementioned price drop is due to an oversupply of data, resulting in an adjusted lower market price.
They also found that credit card data has not changed in value although the price of cards offered in bulk has decreased slightly. The price depends on a number of factors, including the card’s brand, country, metadata, volume discounts and how recently the data was stolen.
Other types of data up for sale on the black market include scans of real passports, stolen gaming accounts, custom malware (like Bitcoin-payment diversions), number of followers on social networks (really), stolen cloud accounts used for hosting command & control servers, a list of verified email addresses for spam purposes, and more.
Reuters published an article in September stating that "your medical information is worth 10 times more than your credit card number on the black market." According to PhishLabs research, stolen health credentials can sell for $10 each - 10 or 20 times the value of a stolen credit card number. With some of the biggest healthcare data breaches reaching millions of stolen medical records, criminals can walk away with a fairly decent amount of cash.
Access security is more important than ever as all types of stolen data can be worth something to criminals on the black market - find out how two-factor authentication can help protect against threats in our Two-Factor Authentication Evaluation Guide.