CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
Since 2005, data breaches have been on the rise, with millions of records exposed in each breach. While data breaches are not new, the proliferation of electronic data has made us more susceptible to them. Data such as credit card information, passwords and personal contact details may be compromised whenever a data breach occurs. In this issue of CyberSense, we look at the types of data breaches, their common causes, examples of such breaches and how they can be prevented.
WHAT IS A DATA BREACH?
There is no universal definition of what constitutes a data breach, but a widely accepted one is an incident where information is stolen or taken from a system without the knowledge or authorisation of the system’s owner.
A data breach can happen to anyone, be it an individual, a small company or a global multinational corporation. The data taken may include sensitive or confidential personal information such as customer data, credit card numbers, email addresses, trade secrets or even information relating to national security.
History of Data Breaches
Data breaches are not new. They have existed for as long as individuals and organisations have kept records and stored private information. In the pre-digital age, threat actors had to infiltrate the premises where such records were held and access them physically. However, with the digitisation of records, the advancement of technology and the proliferation of electronic data, data breaches can now occur remotely, resulting in more vectors of exposure. Since 2005, data breaches have been on the rise, and have resulted in millions of records exposed in each breach.
Data breaches are usually classified into the following:
Physical Breach: This involves the physical theft of documents and equipment containing data. Physical assets such as laptops, desktop computers and external hard drives are at risk of a physical breach, while threat actors can also go hunting for documents that are not disposed of properly, a practice termed “dumpster diving”.
Electronic Breach: This involves unauthorised access to, or a deliberate attack on, a system or network where data is stored, for example by exploiting vulnerabilities in a web server or website to gain access. Phishing, malware and distributed denial-of-service are common techniques employed in an electronic breach.
Data Breaches – Who, how, what and why
Cybercrime: Cybercrime is a malicious activity that either targets or uses a computer, a computer network or a networked device. This includes gaining unauthorised access to a computer to view, modify or destroy its data, by using viruses and other types of malware; and criminal activities committed using computers or other electronic means. Other than profiting from the breach outright, cyber criminals may use the pilfered data for further malicious activities, such as identity theft (e.g. securing fraudulent loans or creating fake accounts on platforms).
Ransomware: An extension of cybercrime, this involves encrypting the victim’s files and systems after the breach and demanding a ransom in return for decrypting them. Ransomware gangs have continued to evolve their tactics in recent years, and many now also threaten to leak stolen data unless a second ransom is paid (“double-extortion”).
Cyber Espionage: A key method used to obtain confidential data, trade secrets or other forms of intellectual property to gain a commercial advantage, or for national security. For instance, a company might infiltrate a competitor’s network to search for trade secrets to gain a market edge over the latter, while a country might carry out cyber espionage to steal its adversary’s military or financial secrets. While large businesses, government agencies, academic institutions and think tanks are commonly targeted, any entity that possesses valuable intellectual property and data – even individuals – can be a potential victim.
Information/ Influence Operations: Stolen data can be used in operations designed to influence or sway public opinion in a manner favourable to the perpetrator over a rival. Essentially, it is a campaign dedicated to obtaining a decisive advantage in the information environment. Information operations are a threat as they enable threat actors to manipulate target audiences and influence real-world decisions. For instance, the US has claimed that the outcome of the 2016 US Presidential Election was influenced by Russian threat actors through the strategic use of disinformation and the release of privileged data (such as private emails) to damage Democratic presidential candidate Hillary Clinton’s campaign and prevent her from getting elected.
WHAT ARE THE COMMON CAUSES OF DATA BREACH?
Common Causes of Data Breaches
Weak/Stolen Passwords: A weak password allows threat actors to gain access into a system easily. Passwords that comprise personal information (e.g. date of birth) or are easy-to-guess (e.g. 123456, qwerty, password1) can be easily cracked. Leaked passwords can be used for (a) credential stuffing, whereby threat actors attempt to use credentials obtained from a data breach on one service to log in to the same victim’s account in another unrelated service; and (b) password spraying, which involves a threat actor using a single common password against multiple accounts on the same application.
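Credential stuffing and password spraying leave different shapes in an authentication log, and that is what a defender looks for. The detector below is an added example written for this bulletin (not CSA code): the log line format, the three constructed sample logs and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (constructed): "<epoch> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(r"^(\d+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: one source trying one guess against many accounts (spraying)
SPRAY_LOG = "\n".join(f"{1000+i} src=203.0.113.5 user=user{i} result=FAIL" for i in range(8))
# Constructed sample: leaked username/password pairs replayed once each from many sources (stuffing)
STUFF_LOG = "\n".join(f"{2000+i} src=198.51.100.{i} user=user{i} result={'OK' if i == 3 else 'FAIL'}"
                      for i in range(8))
# Constructed sample: ordinary traffic, each user from their own address, one mistyped password
NORMAL_LOG = "\n".join(f"{3000+i} src=192.0.2.{i} user=user{i} result={'FAIL' if i == 2 else 'OK'}"
                       for i in range(8))

def parse(log_text):
    """Return (ts, src, user, result) tuples; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append((int(ts), src, user, result))
    return events

def detect_spraying(events, min_users=5, max_per_user=2):
    """Sources whose failures span many accounts with only a guess or two each:
    the shape of one common password tried against everyone."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for _, src, user, result in events:
        if result == "FAIL":
            fails[src][user] += 1
    return sorted(src for src, users in fails.items()
                  if len(users) >= min_users and max(users.values()) <= max_per_user)

def detect_stuffing(events, min_users=5, min_sources=5, min_fail_ratio=0.8):
    """True when many accounts each see about one attempt, from many sources,
    and most attempts fail: the shape of breach credentials replayed elsewhere."""
    per_user = defaultdict(int)
    sources = set()
    fails = 0
    for _, src, user, result in events:
        per_user[user] += 1
        sources.add(src)
        fails += result == "FAIL"
    if len(per_user) < min_users or len(sources) < min_sources:
        return False
    one_shot = sum(per_user.values()) / len(per_user) <= 1.5
    return one_shot and fails / len(events) >= min_fail_ratio
```

A production detector would apply the same counts over a sliding time window and tune the thresholds to the service's normal failure rate.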
Unpatched vulnerabilities: An unpatched vulnerability could be exploited by threat actors to gain access into networks or systems to perform various malicious actions, such as modification of files, data exfiltration, and installation of malware or ransomware.
Phishing: Phishing is a common technique used to obtain sensitive information such as login credentials or credit card details. Victims are usually tricked into clicking on a phishing link embedded within an email which appears to be sent from a legitimate entity. Clicking the link leads to a phishing page which requests the victim’s confidential details or causes the victim’s computer to be infected with malware. Phishing may be conducted through emails, SMS or social media.
Insider Threats and Initial Access Brokers: Insider threats refer to employees who knowingly leak data to outsiders (including threat actors and competitors) or sell it for financial gain, as well as employees who lose confidential data or send it to the wrong recipients by accident. The growth of the ransomware ecosystem has also seen the growth of “initial access brokers”, i.e. individuals who sell privileged network information, such as vulnerabilities or login credentials, to other threat actors.
MAJOR DATA BREACHES
Sony Pictures: In late 2014, Sony Pictures Entertainment’s corporate network was shut down when threat actors disabled its workstations and servers. Unreleased films from Sony Pictures were leaked, as well as emails from company executives. The breach was attributed to the ‘Guardians of Peace’, a group affiliated to the North Korean government, and widely believed to be in retaliation against a Sony film lampooning Supreme Leader Kim Jong-Un.
Yahoo: In December 2016, Yahoo publicly announced a data breach that occurred in 2013. Yahoo estimated that almost all of its three billion customers’ account information had been breached by a hacking group. While several media outlets and cybersecurity researchers alleged that Russian hackers were responsible, this was never conclusively proven.
Colonial Pipeline: In May 2021, Colonial Pipeline, a major oil pipeline operator in the US, succumbed to a ransomware attack that affected IT systems overseeing administrative and corporate functions, hobbling the company’s operations. This incident affected more than a dozen states on the US East Coast and took several months to fully restore – even though the company paid the ransom to restore critical data and software that was stolen and rendered unusable. The attack was later attributed to DarkSide, a criminal hacker group based in Eastern Europe.
SolarWinds: In 2020, SolarWinds, provider of a popular network monitoring platform used by major organisations worldwide, was targeted by hackers that deployed malicious code into its Orion IT monitoring and management software. Through this initial foothold, the hackers were then able to carry out a software supply chain attack, and access the networks and data of many of SolarWinds’ clients – which included government and enterprise customers – for espionage. Cybersecurity researchers and western media attributed the attack to Russian hackers.
Northwestern Polytechnical University: In September 2022, China’s National Computer Virus Emergency Response Centre (CVERC) alleged that China’s Northwestern Polytechnical University had been attacked by US hackers. According to the CVERC, more than 140 gigabytes of data related to core equipment in China’s infrastructure and private data of teachers and students at the university were collected. The Chinese attributed the attack to the US National Security Agency.
Optus: In September 2022, Optus, Australia’s second-largest wireless telecommunications carrier, announced that it had suffered a “massive” data breach. Names, dates of birth, phone numbers and email addresses of about 10 million customers might have been exposed. It was also reported that a group of customers might have further had their physical addresses, driving licenses and passport numbers accessed. According to media reports, the data breach occurred through an unprotected and publicly exposed application programming interface (API). This meant that anyone who discovered the API could access customers’ data without authorisation or authentication. There was no consensus on the attackers’ identity, with some sources attributing it to a state-sponsored hacking group, and others to a cybercriminal organisation.
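The Optus report above describes an API that returned customer records to any caller. The handler pair below is an added example written for this bulletin (not Optus or CSA code) that shows that weak pattern beside a hardened one which authenticates the caller, authorises access to only their own record and minimises what is returned; the customer records, bearer tokens and request shape are constructed.

```python
import hmac

# Constructed customer records keyed by customer id (not real data)
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1990-01-01", "passport": "K1234567"},
    "1002": {"name": "B. Example", "dob": "1985-05-05", "passport": "K7654321"},
}
# Constructed bearer tokens mapped to the customer each one authenticates
TOKENS = {"tok-alice": "1001", "tok-bob": "1002"}

def vulnerable_lookup(customer_id, headers):
    """The weak pattern: nobody checks who is asking, so any caller who reaches
    the endpoint and supplies an id receives that customer's full record."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)

def authenticate(headers):
    """Map an Authorization header to a customer id; None if missing or invalid."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    presented = value[len("Bearer "):]
    for token, customer_id in TOKENS.items():
        if hmac.compare_digest(presented, token):  # constant-time comparison
            return customer_id
    return None

def minimise(record):
    """Return only what the feature needs; the passport number is masked."""
    return {"name": record["name"], "passport": "*" * 5 + record["passport"][-3:]}

def hardened_lookup(customer_id, headers):
    """Authentication (who is calling), then authorisation (may they see this record)."""
    caller = authenticate(headers)
    if caller is None:
        return (401, None)
    record = CUSTOMERS.get(customer_id)
    if record is None or caller != customer_id:
        # Same answer for "missing" and "not yours", so ids cannot be confirmed by probing
        return (404, None)
    return (200, minimise(record))
```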
PREVENTING DATA BREACHES
As a data breach can affect any individual or organisation, the following measures should be taken:
Use strong passwords: The most common cause of a data breach is weak passwords, which enable attackers to steal user credentials and gain access to corporate networks. In addition, users are likely to reuse or recycle passwords across multiple accounts, which means that attackers can break into additional accounts with the same credentials. As such, using strong passwords will make it more difficult for cyber criminals to steal credentials.
For organisations, having a strong password policy is the first line of defence that prevents threat actors from gaining access to their data. Practices such as encouraging employees to use unique passwords, changing passwords at regular intervals (e.g. 90 days), forbidding password sharing, and requiring long and complex passwords (e.g. setting a minimum password length, using passphrases) will be useful in preventing employees’ credentials from being easily compromised.
Please refer to Cyber Tip – Use Strong Passwords and Enable 2FA on how to create strong passwords and enable 2FA for an additional layer of security to keep your online account and personal information safe.
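The password policy practices listed above can be enforced at the point where a password is set. The checker below is an added example written for this bulletin (not CSA code): the minimum length of 12, the tiny common-password blocklist, the passphrase rule and the use of SHA-256 for the reuse history are assumptions chosen for illustration; the 90-day interval is the bulletin's own figure.

```python
import hashlib
from datetime import date

MIN_LENGTH = 12        # assumed policy value
MAX_AGE_DAYS = 90      # rotation interval given in the bulletin
# Tiny constructed blocklist; a real deployment checks a large leaked-password corpus
COMMON_PASSWORDS = {"123456", "qwerty", "password1", "password", "letmein"}

def history_hash(password):
    """Hash kept for reuse checks. SHA-256 keeps the example short; store real
    password history with a slow password hash such as bcrypt or Argon2."""
    return hashlib.sha256(password.encode()).hexdigest()

def password_problems(candidate, *, username, dob, previous_hashes=()):
    """Return the policy rules the candidate breaks (dob is ISO 'YYYY-MM-DD');
    an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    born = date.fromisoformat(dob)
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    personal = [username.lower(), born.strftime("%Y"),
                born.strftime("%d%m%Y"), born.strftime("%Y%m%d")]
    if any(fragment in lowered for fragment in personal):
        problems.append("contains personal information (username or date of birth)")
    # A passphrase of four or more words is accepted without character-class rules
    words = candidate.split()
    is_passphrase = len(words) >= 4 and all(len(w) >= 3 for w in words)
    classes = sum(any(test(c) for c in candidate) for test in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if not is_passphrase and classes < 3:
        problems.append("needs a passphrase of four or more words or three character classes")
    if history_hash(candidate) in previous_hashes:
        problems.append("reuses a previous password")
    return problems

def password_expired(set_on, today):
    """True when a password set on ISO date set_on is older than the rotation interval."""
    return (date.fromisoformat(today) - date.fromisoformat(set_on)).days > MAX_AGE_DAYS
```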
Use multi-factor authentication: Passwords are important, but they are only a first line of defence. Multi-factor authentication (MFA) requires users to prove their identity with an additional factor beyond their username and password. This gives greater assurance that the user is who they claim to be, and can prevent a hacker from gaining unauthorised access to accounts and corporate systems even if they have the user’s password.
Keep software up to date: To prevent vulnerability exploits, users should always use the latest version of a software system. Users can enable automatic software updates, and always update and patch software when prompted to do so.
Use secure URLs: Users should only open secure URLs or web addresses, which typically begin with ‘HTTPS’. A website served over HTTPS encrypts the traffic between the browser and the website using the site’s Secure Sockets Layer (SSL) certificate. Essentially, a website that uses HTTPS is more secure than one that uses HTTP. In general, users should not click on embedded links within messages or emails.
Education: Organisations should educate employees/staff on the (a) risks they will face online; (b) common types of cyber-attacks; and (c) how to spot potential threats. There is a need to emphasise that cybersecurity is important and employees/staff should be aware of the latest threats. This can be done through regular training and information sessions, which is especially important for employees who have access to and manage databases.
Create a response plan: Given the prevalence of data breaches, it may be prudent to adopt a ‘not if but when’ approach, and develop detailed response plans beforehand. Employees/Staff need to know the process, i.e. their responsibilities in responding to a data breach, including reporting the attack, undertaking remediation measures and conducting investigations.
For further details and mitigation measures, please refer to SingCERT’s advisory on further tips for cybersecurity measures to be undertaken by an individual or businesses to manage your devices and online presence.