Does Your Valuable Data Belong to Hackers?

Monday, January 05, 2015

Thu Pham


Every organization, regardless of size, is comprised of a variety of sensitive data - from HR and payroll handling medical, financial and personally identifiable employee data to your precious intellectual property. And each of these data types can be sold for a price on the black market, making them valuable to attackers financially as well as for blackmail purposes.

In a breach notification letter (PDF) made public by the state of California (the first state to mandate data breach reporting since 2003), Sony informed employees of the type of data stolen by intruders in what may go down in history as one of the messiest, most public data breaches.

The data stolen included the following personally identifiable information:

  • Names and addresses
  • Social security numbers, drivers’ license numbers and passport numbers/other government identifiers
  • Bank account information and credit card numbers
  • Usernames and passwords
  • Compensation and other related employment information including benefits, retirement and termination plans and previous work history

But it doesn’t stop there - even employee medical records were compromised, making Sony a surprising HIPAA offender. The stolen health information also included:

  • Name, date of birth, home address and Social Security number
  • Claims appeals information submitted to Sony Pictures Entertainment (SPE)
  • Diagnosis, disability code and member ID numbers of employees/dependents
  • Health/medical information provided outside of SPE health plans

Warning: Phishing May Lie Ahead

The breach letter also urges employees to be cautious when it comes to email, telephone and postal mail scams asking for personal information. They also recommend that employees review account statements, monitor credit reports and change passwords. It’s fairly common in the event of a high-profile breach that scammers and phishing attempts pop up as criminals try to leverage the increasingly detailed coverage of the investigation as it unfolds.

2014 Internet Threat Trends Report by CYREN found a 73 percent increase in PayPal-related URLs and website phishing attacks seen in the first quarter of this year after eBay’s breach (eBay owns PayPal and uses their services for their online store). The report also found that more than 18,000 PayPal-related phishing websites were found within a two-week span, outranking the 2,000 Apple-related phishing sites in the same timeframe, paling in comparison. 

You can find out more about the new risks in the retail industry in this free guide that provides a detailed overview of the retail industry's current state of security and recommendations on safeguarding customer financial information.

California: Site of Major Data Breaches; Retail, Tech & Now Entertainment

Sony’s data breach contributes to the 18.5 million residents of California that had their data breached in 2013, resulting in a 640 percent increase from the previous year (2.5 million). California’s State Attorney General released one of the more comprehensive state data breach reports I’ve seen thus far, revealing 53 percent of breaches were the result of malware and hacking, accounting for 93 percent of total records breached.

According to the report, the numbers were skewed by two companies with large numbers of users and customers that were responsible for 7.5 million of those breached records, including Target and Livingsocial. Find out more about the report in California Breaches Increase 30 Percent in 2014; 84 Percent Retail.

Data breaches may be considered major on a qualitative, rather than quantitative level. Rather than measuring the extent and scope of a breach based on number of individuals affected, the Sony breach exemplifies a case in which the sheer diversity of information renders this breach a particularly momentous one.

The data leaked encompasses not only nearly every facet of employee personal data, but also valuable company data and files, including movies that haven’t yet been released. Imagine if your tech software company’s source code for a not-yet finished or released product was leaked - it could affect your company on many different levels, including an impact on competitors and market value. Other leaked data includes credentials to servers, FTPs and YouTube accounts. Two-factor authentication can help protect against the success of unauthorized access by requiring more than just ‘something you know’ to log into server accounts.

Economics of the Stolen Data Market

As Symantec found through research, prices have dropped for some types of data including email accounts, but they hold steady for data like bank account data. They suggest that the aforementioned price drop is due to an oversupply of data, resulting in an adjusted lower market price.

They also found that credit card data has not changed in value although the price of cards offered in bulk has decreased slightly. The price depends on a number of factors, including the card’s brand, country, metadata, volume discounts and how recently the data was stolen.

Other types of data up for sale on the black market include scans of real passports, stolen gaming accounts, custom malware (such as Bitcoin-payment diversions), number of followers on social networks, stolen cloud accounts used for hosting command & control servers, a list of verified email addresses for spam purposes and more.

Obviously, access security is more important than ever as all types of stolen data can be worth something to criminals on the black market. You can find out how two-factor authentication can help protect against threats in our Two-Factor Authentication Evaluation Guide.

Cloud Security General HIPAA PCI DSS General General Infosec Island Firewalls IDS/IDP Network Access Control Network->General SCADA Budgets Enterprise Security Policy Security Awareness Security Training Breaches CVE DB Vulns US-CERT General PDAs/Smart Phones
Post Rating I Like this!
preston brady Your post is all about on saving our valuable date from hackers nice.
preston brady Your post is all about on saving our valuable date from hackers nice.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.