Three major data breaches were exposed recently. In the first, credit rating agency Equifax was hacked, and details of more than half of the US population leaked. The second involved the US SEC (Securities and Exchange Commission), whose EDGAR system was broken into in 2016, giving hackers nonpublic information that they can use for trading purposes.
And finally, most recently, it has come to light that in a third hack, Big 4 auditing firm Deloitte was breached back in March 2017, with hackers accessing the entirety of the firm’s internal email database, as well as all administrative accounts. It appears that the hackers also transferred or copied a significant amount of that confidential data.
So three unrelated incidents surfaced at the same time, and while there is seemingly no connection between them, there are very strong similarities that should concern us all:
- Powerful adversaries: The identity of the hackers remains unknown at this point. It is possible we will never really know who was behind these hacks. However, it’s pretty clear that the perpetrators had financial motives, so it’s likely a very capable cybercrime group (or groups).
- MTTD (Mean Time to Detect): In each case, the time that passed between the data breach and its detection was fairly long. The Equifax hackers likely hacked into the network in March — 141 days before discovery. This is nearly 50% more than the average dwell time for financial services firms, which in 2016 stood at 98 days. The SEC and Deloitte hacks are also believed to have taken a very long time to detect.
- Goal of the attackers: DDoS and ransomware attacks were all the rage during most of 2017, grabbing the headlines. But in reality, the goal of most hackers is not to disrupt operations nor to extort money; it is to steal information. In all three incidents, the hackers covertly exfiltrated large quantities of data in order to sell it on the dark web, leverage it in stock trading, or gain financial insights on companies. The potential impact of a data breach far exceeds that of other forms of cybercrime.
- Potential collateral damage: The Equifax hackers stole names, Social Security numbers, birthdates, addresses and, in some cases, driver’s license numbers. Credit card numbers for approximately 209,000 people, and personally identifiable information (PII) for approximately 182,000 people were also accessed. The Deloitte hack revealed email correspondence with some prominent customers, as well as Deloitte employees’ email credentials. And the SEC hack exposed secret information about publicly traded companies. In addition to the direct damage caused to these companies’ reputations and their associated business costs (incident response, downtime, cleanup, legal and free credit monitoring), many customers are expected to suffer from identity theft, credit card theft, and extortion. Enterprises will face an onslaught of spear phishing attacks as hackers attempt to leverage the stolen data to gain entry to additional organizations.
Even if we ignore the obvious accusation about the perceived negligence of these companies, it is important to note that the hackers were again successful and all of us will pay the price.
The consequences of such hacks are always shocking at first, and the full extent of the damage takes many days to unveil. And yes, it seems that breaches are now a reality of doing business in the digital world. But companies can do themselves and their customers a great service by utilizing better detection mechanisms that can shorten the detection time from months to days. This will surely have some limiting effect on the magnitude and impact of such hacks.