Gather around the campfire, everyone! Just in time for Halloween, we're going to tell scary stories about data breaches. Beware! These three cautionary tales about devastating data breaches are more horrifying than fright-night classics like “I Showed Up to a Halloween Party Dressed as Hulk, but No One Else Was in Costume!” or “The Old Couple that Gives Out Toothbrushes to Trick-or-Treaters!”
Google learned the hard way that an insider breach can trigger a worst-case scenario. An engineer in their self-driving car project left the company and created his own competing startup, which was subsequently bought out by Uber. He departed Google with 14,000+ confidential files and 50,000+ work emails, all downloaded onto a company-issued laptop.
Google had ample warning of the employee's intent to leave, but it did not take extra actions during his departure window. A security review of a departing individual's activities before and after termination, resignation notice, or other substantial employment change events could have made the difference.
Departing employees can walk out the door with tens of thousands of privileged files and emails, and this action can be easily concealed by erasing evidence after the fact. Does your organization have sufficient access and monitoring controls to prevent unauthorized data exfiltration?
The employee was disgruntled at Google for several months and openly discussed with colleagues his intention to leave. Developing a formalized insider threat program that raises awareness and anticipates negative workplace issues can help you better identify and evaluate potential insider risks.
On a more positive note, Google prevailed in court and won a large settlement, but situations like these can be mitigated with appropriate controls and processes.
This year, another one of the world's biggest technology companies fell victim to a hack and data breach. Twitter revealed that several dozen high-profile “blue check” accounts had been compromised, including those of Joe Biden, Barack Obama, Elon Musk, and Bill Gates. These verified Twitter accounts were used to promote a Bitcoin scam.
A teenager(!) used a social engineering attack to gain access to a high-level Twitter employee account, which allowed him to change the passwords and contact information of other accounts. The implementation of stringent access controls and monitoring policies on privileged users can prevent this.
There were a lot of potential ways in because too many people at Twitter had too many privileges, including some that were completely unnecessary to their job. Enforcing separation of duties and least privilege is one way to limit damage from attacks that attempt to escalate privileges.
It took more than a month for everything to return to normal, which can seem like an eternity when you're confronted by insidious invaders.
Sony thought they had a comedy hit on their hands with The Interview, a film that poked fun at the North Korean regime. Unfortunately for Sony, the North Korean regime preemptively poked back: by FBI accounts, they were the sponsors of an attack that breached millions of records from Sony's database, with substantial fallout:
A subsequent security review revealed that Sony's system lacked multiple layers of prevention that might have frustrated the attackers' ability to move laterally and compromise areas beyond the initial point of penetration. (Spoiler alert: defense in depth is GOOD!)
Bottom line: far fewer people than the expected theatrical audience got to see The Interview.
Since threats emanate from a confluence of behavioral, organizational, and technical issues, they must be addressed by relevant policies, procedures, and technology solutions. Avertium can partner with you to evaluate your risk environment and recommend solutions. We can also help simplify your compliance processes by mapping solutions to relevant standards, including NIST, ISO, CERT-RMM, and others.
Contact us to learn more about how you can better detect and prevent attacks, so that next Halloween people aren't telling scary stories around the campfire about your organization.