By Dimitri Shelest, Founder and CEO of OneRep

Companies go to great lengths to protect their top executives. Keeping them safe, healthy and happy so they can perform their duties without unnecessary distractions is critical for the productivity of the company. At one time, executive protection meant providing bodyguards and secure transit, and fortifying executive offices against external threats. As more executives work from home, efforts have extended to bolstering home defense systems.

Still, there’s a missing element. In today’s digital world, it’s also necessary to protect executives online. That should include protecting their personal data.

Executives have access to some of the company’s most sensitive information, and they’re increasingly being targeted by hackers looking to steal company secrets or to perpetrate cybercrimes.

Personal data provides fuel for these crimes. Digital data warehouses store all kinds of details about all of us. It used to be just addresses, phone numbers, aliases, and relatives. Now, it’s far more detailed information such as political affiliation, names of neighbors, resting heart rate, and even Amazon wishlists.

All this data is collected legally by companies. Every time you interact with a computer, be that via a smart device, a bar code at checkout or a website, data about you is being collected. In the U.S. there is essentially no limit to the amount of data companies can collect, and few limits on how they can use it.

Cyber Attacks Against Executives: Phishing, Whaling, and More

Most data can be sold to anyone who will pay for it–including bad actors. They can use it to personalize their workplace phishing attacks and business email compromise schemes to make them more effective. Executives are particularly at risk for “whaling” attacks, where a criminal impersonates an executive via email or another means of communication and asks the target for money and/or information.

A successful whaling attack can be quite lucrative, since executives have a lot of credibility and power. In one such attack, a Mattel finance executive sent $3 million to a fraudster impersonating the company’s CEO. With the possibility of such large payouts, criminals will go to considerable effort to use personal details that make their requests compelling and believable.

Executives also face risks from social media, where they are more visible and accessible than ever before. This can be great for brand-building and engagement. Unfortunately, it also puts them at risk of harassment or worse from a variety of bad actors, both online and in real life.

This can come from dedicated customers or fans who are unsatisfied with a product or service. For example, in 2022, Strauss Zelnick, the CEO of Nasdaq-listed video game developer Take Two Interactive, was forced to lock his Twitter account after being bombarded by a wave of harassment from customers dissatisfied with the latest Grand Theft Auto game.

It can also come as a result of taking a stand–or not taking a stand–on social issues. Gone are the days when staying neutral was the preferred corporate strategy. According to research from Accenture, customers are increasingly aligning their spending with their values. They demand to know where companies stand on issues that matter to them. Executives are expected to “walk the walk” and stand for the company’s values. But one false move can place them in the crosshairs of cancel culture and harassers can quickly descend.

This kind of harassment, while still very upsetting for the individuals involved, can at least be somewhat anticipated and crisis communications strategies can be at the ready. But threats to executives can also arise unexpectedly when a company is caught in the cross currents of the news cycle.

For example, after the contentious 2020 election, figures ranging from the head of strategy and security at Dominion Voting Systems to the CEO of social media app Parler were forced to go into hiding with their families after receiving death threats when their personal information, as well as that of their family members, was leaked by hackers.

These scenarios don’t even include the possibility of threatening behavior from a disgruntled or terminated employee. In a turbulent economic environment like the one we are navigating now, this issue may come into the foreground as executives grapple with layoffs and cost-cutting measures.

This doesn’t just happen to executives at big companies or celebrity CEOs. Anyone who is involved in making decisions that can impact other people’s lives, contradict their political views or offend their values can become a target.

The effects are devastating. Researchers are just beginning to understand the impact of online harassment, but it appears to be very similar to other types of trauma. Victims might have difficulty concentrating and making decisions. They might experience increased levels of anxiety and even paranoia. They might come to fear opening messages or looking at their devices. Many individuals have even had to change jobs or alter their daily routines because of cyberstalking and harassment.

How to Protect Executive Data Privacy

Clearly, none of this is optimal for executive productivity. But it doesn’t only affect their own well-being. It can deplete the morale of the company as a whole, and ultimately affect a company’s bottom line.

The good news is that there are steps that companies can take to protect their executives, their families and their organizations. It starts with educating them about the threats, and the fact that they are possible targets. Like the general public, executives can avoid oversharing personal information on social media.

They can protect their web browsing by using browser extensions to block trackers. They can maintain strong passwords, use a separate email address for sensitive activities, and be on high alert for any suspicious sounding communications.

They can also remove their data from people search sites that publish it. There are currently over 190 of these sites. Data from my company, OneRep, shows that the average person has data records on 46 of them.

People search sites are legally required to remove your information on request, but they aren’t legally required to make it easy for you to submit that request. Few people, least of all executives, have the time to approach 46 sites and request their data be removed. Even if they could, it’s a Sisyphean task. Our data shows that much of this information resurfaces within four months–when the sites get their next data dump from their data broker.

Fortunately, there are technology companies that can comb all the people search sites, locate your records, and automate the removal process. They also provide continued monitoring and removal of your data should it reappear.

The proliferation and widespread availability of personal data is dangerous for public-facing executives, their families and their companies. Companies understandably prioritize protecting the physical safety of top executives, but in today’s polarized, always-on world, keeping executives safe online is also imperative. It’s a small investment that pays dividends in peace of mind.

Author Bio:

Dimitri Shelest is a tech entrepreneur and the CEO at OneRep, a privacy protection company that removes public records from the Internet. Dimitri is an avid proponent of a privacy regulation framework and likes to explore cybersecurity and privacy issues as a writer and reader on various platforms.

The post One Overlooked Element of Executive Safety: Data Privacy appeared first on Cybersecurity Insiders.

Nowadays, those interested can sift sensitive to very sensitive information from the dark web, including banking and email credentials of individuals and businesses. According to a report compiled and released by Crossword Cybersecurity, information related to over 2.2 million students and staff from the UK’s top 100 universities is now available on the dark web. Worryingly, about 54% of the information belongs to 24 leading UK universities representing the Russell Group.

If the figures are dissected further, most of the information belongs to over 2.2 million students studying in the UK, of whom 680,000 are international students and the rest are natives, apart from an additional 234,000 staff members.

When a representative from the company contacted a source on the dark web, the data of 1000 students was available for purchase for a meager £30; sometimes the price might go as low as £6 or as high as £80. The price volatility depends on the type of information and the timeliness of the data.

So, educational institutions should start monitoring their data storage practices and watch for any leaks. Implementing multi-factor authentication also makes sense, as it helps protect the PII of staff and students from prying eyes.

Security analysts suggest that hackers are always after information that can fetch them great monetary benefits, so the problem cannot be restricted to a specific sector and can spread to other sectors such as manufacturing, automotive and finance.

The post Breached credentials of UK top universities available on dark web appeared first on Cybersecurity Insiders.

There are shocking revelations about a US Government data suck-up, historic security breaches at Windsor Castle, and the MOVEit hack causes consternation. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

For the past few hours, there have been numerous reports in Indian and international media that data related to the vaccinated Indian populace was accessed by hackers and leaked on the social media platform Telegram, which is owned by a Russian entity.

It is unclear who is behind the attack. However, the BJP-led government has announced that the breach news broadcast on certain private news channels was not true and that the data of all the vaccinated populace was totally secure from access by threat actors.

For the uninitiated, Cowin.gov.in is a platform that was launched in 2020 as a centralized repository serving citizens for Covid vaccinations and related assistance. It was probably the first in the world to achieve the benchmark of vaccinating a populace of 160 crore, or approximately 1.6 billion.

The Health Ministry of India issued a statement that some misinformation was being planted in the media about the CoWIN portal and that it could be the mischief of the opposition Congress Party led by Mrs. Sonia Gandhi, her son Rahul Gandhi and her daughter Priyanka Gandhi Vadra.

On the other hand, a few noted Congress politicians, such as the party chief Mallikarjun Kharge, posted on Twitter a few screenshots scraped from Telegram to authenticate the data leak on the CoWIN portal as true.

Cybersecurity Insiders has learnt that the leaked info includes sensitive details of citizens of the subcontinent, including Aadhaar data, Voter ID, PAN card info, vaccination info of the individuals who took the vaccine shots between September 2020 and November 2021, their booster dose info, if any, and their contact details along with their physical address. As the website doesn’t keep a record of dates of birth, the DoB breach reported by a certain section of the media is false. But of course, all such info is available in Aadhaar though!

The Telegram channel that led to the information leak was officially disabled, and the government is facing pressure from the opposition political party to allow citizens to delete their data saved on the servers by logging in with their credentials.

NOTE 1- The information from the CoWIN database is also shared with the UMANG app, which acts as a centralized platform for availing e-Gov services, from central to state government services.

NOTE 2- On June 12, 2023, Manorama Daily, a reputed South Indian Malayalam news source, was the first to leak the news to the Indian populace.

The post Indian CoWIN data breach not true says government appeared first on Cybersecurity Insiders.

Gal Helemski, Co-Founder & CTO/CPO of PlainID

Many lessons can be learned when reflecting on 2022’s slew of data breaches. As we understand more about data security and, even more so, as data becomes more fluid, complex and dynamic, it’s critical to reevaluate what constitutes strong data protection. Up until very recently, traditional data technologies didn’t have strong security controls in place. In many cases, security controls were placed at a very coarse-grained level and, in other cases, left to the application to deal with. Too often, this leaves data repositories wide open. For this reason, data security professionals ought to reevaluate the role of advanced, dynamic data access controls as part of their overall data security strategy. The data security market should also embrace the notion of identity-first security and implement those types of controls in the year ahead.

Double-Edged Sword

As organizations continue their migration to the cloud and utilize cloud-related technologies, data security is increasingly at risk. Businesses are accelerating their consolidation of data—using data hubs like the cloud to improve convenience for the end user and improve productivity—but are consistently leaving security at the gate. While data access and convenience are important to productivity, they bring along a massive security risk.

Security must never be sacrificed for convenience, but at the same time, we must acknowledge the need for speedy access and simplification of security policies in the increasingly competitive and globalized business landscape. After all, in most cases, time is money, which leaves security teams grappling with the proverbial double-edged sword. In the new year, organizations will seek to invest in modern tools that meet this problem of convenience vs. security head-on.

In the future, this will lead to the acceleration of identity-first security, which uses the integrity of a user’s identity to execute an organization’s security strategy. The identity space has already experienced large growth, especially as the importance of identity as the new security perimeter sinks in. Identity solutions will most likely see even more widespread adoption in 2023, especially in the cloud, and provide deeper levels of control moving forward. An important part of this is the understanding of the role of authorizations and the link between the identity world and the security of data and digital assets in general.

An Ever-Evolving Answer

The cost of data breaches will increase over the next year since the data access control space is still in its early stages and relies mostly on older techniques such as role-based controls and system account usage. The need to work with data and collaborate with data is increasing, and with that comes a greater, more costly impact in the event of a breach.

With this changing risk landscape in mind, more dynamic and comprehensive solutions have entered the authorization space. Using authorizations—instead of focusing on the perimeter of a digital enterprise—to protect the organization is more effective now that data has become more fluid. The main pillar of authorization is its role in managing and controlling an identity’s connection to digital assets, such as data. It starts with the authenticated identity and continues with the controlled process of what that identity can access. Authorizations are a fundamental part of identity-first security. Full implementation of identity-first security can’t be achieved without an advanced authorization solution that can address all required technology patterns of applications, APIs, microservices and data.

Another element within the realm of authorization that will see more adoption in 2023 is policy-based access control (PBAC). The main benefit of PBAC is that it makes authorization more manageable for everyone, including business owners and data analysts. PBAC is considered the most effective approach to authorization management and control because it reduces the number of authorization decisions to manage and provides both a business-oriented language and a policy-code representation.

Organizations will continue to leverage the PBAC framework to support the ever-evolving demands on modern computing environments. It will bring a better answer to security teams looking to balance frictionless digital user journeys with security risk mitigation and data privacy.

From Trend to Necessity

Lastly, authorization will evolve from a trend in 2022 to a necessity in 2023. An important part of this adoption will be the understanding of authorizations and the link between the identity world and the security of data and digital assets in general.

Access control policies will begin to take a larger share as the preferred method of controlling access. Already we are seeing that an increasing number of technologies and cloud vendors are offering the policy option in addition to the traditional entitlement and role-based method. This is a very positive step towards simplification of this challenging space.

Identity-first security and zero trust should be a top priority for 2023. Security professionals should strongly consider developing an identity-first security plan and validate this strategy in all technology stack layers, starting from access points, networks, applications, data and infrastructure.

The post Learnings from 2022 Breaches: Reassessing Access Controls and Data Security Strategies appeared first on Cybersecurity Insiders.