Data Breaches: The Rising Threat to Our Sensitive Data

onqlave
10 min read · Jun 29, 2023

In the modern digital landscape, the risk of a data breach is alarming. New threats are emerging every day while organisations continue to fall victim to old tactics. There were over 4,100 publicly disclosed breaches in 2021 — and it is reasonable to assume that a great number more went unreported or undetected.

Worryingly, no individual or organisation is safe. Even technology leaders and security specialists have been exposed as vulnerable, while few targets — even charities — are beyond the moral limit for malicious hackers. As a result, every business should expect to come under attack.

In this era, where breaches are more a matter of ‘when’ not ‘if’, organisations need to understand how breaches commonly occur. By understanding these mechanisms, they can build their defences accordingly and develop strategies to mitigate the damage in case of a breach.

What is a data breach?

Firstly, let’s begin with a quick definition. A data breach is an incident where confidential or sensitive information is disclosed or accessed by unauthorised individuals or entities.

‘An incident that involves sensitive, protected, or confidential information being copied, transmitted, viewed, stolen, or used by an individual unauthorised to do so’ - NIST

Breaches are typically discussed in the context of intentional hacking by malicious actors, but they are also often the result of accidental exposure of private information.

This accidental exposure can occur in many ways, including: cloud misconfigurations; leaving documents unsecured without passwords; emailing sensitive data to the wrong recipients; and even leaving physical copies of information in public places.

OAIC Notifiable Data Breaches (July — December, 2022)

According to the Office of the Australian Information Commissioner (OAIC), in the most recent reporting period (July to December 2022), about 70% of breaches were a direct consequence of malicious attacks, 25% were due to human error, and the remaining 5% were due to system errors.

Many malicious attacks are also facilitated by human error at some point within the attack chain — such as weak password security or falling victim to phishing attempts. When accounting for this, human error is a factor in up to ~85% of breaches, according to research from Stanford University and Tessian.

What are the common causes of data breaches?

There are numerous potential root causes of a data breach. In many high-profile cases, companies are victims of a series of incidents with threat actors leveraging multiple attack vectors.

Average Cost (USD $m) and Frequency of Initial Attack Vector (%) — IBM

1. Stolen or compromised credentials

Attackers often gain entry through stolen username and password combinations for real users with permitted access. Using valid credentials poses a material challenge for organisations to identify when an intruder is inside the network.

Stolen or compromised credentials were involved in 19% of breaches in 2022, representing the most common attack vector - IBM

Passwords are a vital form of defence but often a weak link. Strong security relies on good practices. Instead, people commonly use duplicate passwords, many of which are embarrassingly weak, or too often, they rely on the default password.

There are ~24 billion password combinations in circulation on the dark web. That’s almost four for every person on the planet - Digital Shadows

Billions of password combinations are available to criminals on the dark web. Although breaches are often portrayed as ‘sophisticated attacks’, many originate with the simple use of leaked credentials, with attackers knowing that passwords are reused and rarely changed.

2. Phishing and social engineering attacks (inc. BEC)

Phishing is a common social engineering attack where criminals attempt to manipulate individual victims into revealing sensitive information, such as login details or credit card information, often while posing as a trusted individual or establishing a relationship. Email is the most frequent channel, but attackers also use phone calls, text messages, Slack and other messaging platforms.

Phishing attacks were responsible for over 15% of attacks in 2022, while business email compromise accounted for a further 6% and social engineering 3% - IBM

Again, once breached, an organisation faces the challenge of identifying an intruder inside the network as they utilise the credentials of a permitted user.

3. Cloud misconfigurations

Misconfigurations occur when cloud resources, such as databases and servers, are incorrectly set up. This leaves them and any data they contain vulnerable to unauthorised access. With cloud services hosted on the internet, the ramifications can be severe, as sensitive data may be exposed to the entire public.

Cloud misconfigurations were responsible for ~15% of data breaches in 2022 - IBM
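The kind of misconfiguration described above is usually a single over-broad grant, and it is cheap to catch before deployment. The following is an added example, not code from the original post or from any cloud vendor: it reads an S3 bucket policy in the AWS IAM policy JSON format and reports every Allow statement that names a wildcard principal with no Condition. Both policy documents are constructed for illustration; the bucket name and role ARN are placeholders.

```python
"""Flag public-access grants in an S3 bucket policy before it is deployed.

Added example, not from the original post or any vendor tool: both policy
documents below are constructed for illustration. They follow the AWS IAM
policy JSON format; the bucket name and role ARN are placeholders.
"""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Normalise the Principal element to a flat list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):          # e.g. {"AWS": "*"} or {"AWS": [...]}
        flat = []
        for value in principal.values():
            flat.extend(_as_list(value))
        return flat
    return [principal]


def find_public_statements(policy_json):
    """Return each Allow statement that grants access to a wildcard principal
    with no Condition narrowing it. An empty list means no public grant."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt) and not stmt.get("Condition"):
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": _as_list(stmt.get("Action", [])),
                "resources": _as_list(stmt.get("Resource", [])),
            })
    return findings


# Constructed weak setting: every object in the bucket is readable by anyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed corrected setting: the same read is limited to one application role.
CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, find_public_statements(doc))
```

A check like this belongs in the pipeline that applies the policy, so the public grant is rejected at review time rather than discovered months later in a breach report.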

4. Insider threats (malicious)

Insider threats arise from individuals who have legitimate access to an organisation’s internal systems and data. Malicious insiders abuse their access to inflict harm, usually through data theft or sabotage. They can be challenging to identify due to the legitimate possession of access permissions.

Malicious insiders were involved in over 10% of data breaches in 2022 - IBM

5. Malware and ransomware attacks

Malware and ransomware attacks involve malicious software designed to infect a computer, server or network within the victim’s organisation. This could include worms, trojans and spyware.

Ransomware was a factor in ~24% of breaches in 2022 - Verizon

Ransomware is a specific form of malware that encrypts data held by the victim, after which point the attacker typically demands a ransom payment to release keys used to decrypt the data and often prevent the release of sensitive personal data online.

6. Third-party software vulnerabilities

Third-party software vulnerabilities are weaknesses in external software used by your organisation. These weaknesses can be exploited to gain access to your systems and perform unauthorised actions while remaining very difficult to monitor.

Incidents can result in many victims and widespread damage — as seen with the SolarWinds incident (2020), which impacted thousands of customers.

7. Human errors (negligent insider)

Not all insider threats are malicious. Many are simply due to negligence. This includes when an employee sends information to the wrong recipient or accidentally publishes confidential information.

These errors typically occur due to a lack of proper training, failure to follow established procedures, or simple carelessness. Human error also plays a crucial role in many other breaches, such as leaking confidential credentials or details later leveraged in a phishing campaign.

8. Physical theft (or accidental loss of property)

Theft or accidental loss of equipment containing sensitive information — such as laptops, external hard drives or even printouts of data — can lead to a breach if the information is not protected (e.g. via encryption) and reaches unauthorised hands.

Data breaches often last for months (not days), which gives attackers ample time for harm

Data breaches are typically drawn-out affairs. Attackers often lurk invisibly for months, even approaching a year, within the victim’s network.

According to IBM, a breach takes 207 days to identify and an additional 70 days to contain, reaching 277 days on average. These figures vary according to the type of breach, ranging from misconfigurations at ~200 days to stolen or compromised credentials, which are the longest, lasting almost a year (327 days).

Average Length of a Data Breach (IBM)

Many breaches last so long because of the difficulty of identifying attackers’ malicious use of legitimate credentials. During this time, they can identify vulnerabilities, steal additional credentials, move laterally and penetrate deeper into a network to inflict maximum damage. This often leads to extracting sensitive data to leverage for a ransom.

Amazon style stores on the dark web are making it easier and cheaper for cyber attackers

Dark web marketplaces have been growing in size and sophistication. The available tools and services escalate the likelihood of an incident and facilitate deeper attacks that inflict damage over the ensuing months of a data breach.

Features we associate with legitimate stores, like Amazon and eBay, are becoming commonplace — such as reviews, dispute resolution, and vendor deposits — as operators look to build trust and honour amongst the community of thieves.

The vast majority of exploits (91%) and malware (76%) are sold on the dark web for less than $10 (USD) - HP Wolf Security: The Evolution of Cyber Crime

These marketplaces have a vast range of products, lowering the cost and technical expertise for entry. Items including stolen credentials, hacked credit card data, and malware can be bought for less than $10, while ransomware-as-a-service kits — even including after-sales support — start at $40 per month.

HP Wolf Security: The Evolution of Cyber Crime

The result is a growing, interconnected supply chain of cybercriminals. Attackers can increasingly collaborate, but each specialises according to their expertise and needs. Once entry is established, the access is sold on to other vultures who look to feed off the organisation — inflicting as much damage as possible with the ultimate ambition of financial returns.

There have been numerous large-scale breaches in the last 12 months

Unfortunately, we have various recent examples to study and understand how breaches occur. The details highlight the breadth of attack routes used, sometimes even within the same incident, as well as the depth of damage.

Medibank

The Australian healthcare provider Medibank suffered a cyber attack in September 2022. The result was widespread damage, harming individual customers (the data subjects) and the organisation’s financial and reputational health.

The incident started with the theft of privileged credentials from a third-party IT service provider. These were then sold online and bought by criminals at the REvil ransomware gang, who gained access to the internal network.

Once inside, the gang used a script to extract data automatically, resulting in a haul of ~200 GB of sensitive information. This data covered nearly 10 million customers and included personal details such as Medicare claims.

After Medibank refused to pay a USD $10m ransom, the attackers began publishing subsets of the data online. These included ‘naughty lists’ — covering those suffering from mental health and addiction — and abortion and HIV patients.

Optus

In a terrible period for Australians, Optus experienced a breach in the same month (September 2022) as the incident at Medibank.

Again, nearly 10 million Australians had their records stolen — some of whom included copies of driver’s licences, passport details and Medicare ID numbers. After extracting the sensitive data, the 19-year-old attacker demanded AUD $1.5m as a ransom payment, although Optus refused to pay up.

Security experts were highly critical of the widespread vulnerabilities exposed in a public-facing API from which data was extracted. These issues included:

  • a lack of authentication;
  • no rate limiting, allowing rapid exfiltration of high volumes of data;
  • no monitoring of network endpoints to identify suspicious activities;
  • use of incremental identifiers, allowing an attacker to guess the next customer ID;
  • no attempt to mask data, despite highly sensitive information; and
  • no clear data retention policy, as both existing and former customers were impacted, stretching back at least six years.
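Each item on that list maps to a specific control in the lookup handler. The following is an added example, not Optus code, showing a framework-free customer-lookup endpoint that applies those controls on every request: a bearer token is required and compared in constant time, each caller gets a sliding-window rate limit, records are keyed by random UUIDs instead of incremental integers, identity documents are masked in the response, and every request is written to an audit list that a monitoring job can read. The API tokens, customer records and in-memory store are constructed for illustration.

```python
"""A customer-lookup endpoint that addresses the API weaknesses listed above.

Added example, not Optus code: the API tokens, customer records and
in-memory store are constructed, and the handler is framework-free so it
runs offline. Authentication, per-caller rate limiting, opaque identifiers,
masking and an audit trail are each applied on every request.
"""
import hmac
import time
import uuid
from collections import deque


class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per caller."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = {}

    def allow(self, caller, now=None):
        now = time.monotonic() if now is None else now
        recent = self.calls.setdefault(caller, deque())
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def mask(value, visible=3):
    """Keep only the trailing characters; the full value never leaves the store."""
    return "*" * max(len(value) - visible, 0) + value[-visible:]


# Constructed: tokens issued to internal services, mapped to the caller's name.
API_TOKENS = {"svc-billing-token-constructed": "billing-service"}
CUSTOMERS = {}               # opaque id -> record
AUDIT = []                   # every request is recorded for monitoring
LIMITER = RateLimiter(limit=5, window=60)


def new_customer(record):
    """Store a record under a random UUID instead of an incremental integer."""
    customer_id = str(uuid.uuid4())
    CUSTOMERS[customer_id] = record
    return customer_id


def _caller_for(headers):
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    for known, name in API_TOKENS.items():
        if hmac.compare_digest(token, known):   # constant-time comparison
            return name
    return None


def lookup(headers, customer_id, now=None):
    """Return (status, body) for GET /customers/<id>."""
    caller = _caller_for(headers)
    if caller is None:
        AUDIT.append(("auth_failure", None, customer_id))
        return 401, {"error": "unauthenticated"}
    if not LIMITER.allow(caller, now):
        AUDIT.append(("rate_limited", caller, customer_id))
        return 429, {"error": "too many requests"}
    record = CUSTOMERS.get(customer_id)
    if record is None:
        AUDIT.append(("not_found", caller, customer_id))
        return 404, {"error": "not found"}
    AUDIT.append(("lookup", caller, customer_id))
    return 200, {
        "name": record["name"],
        "licence": mask(record["licence"]),
        "passport": mask(record["passport"]),
    }


if __name__ == "__main__":
    cid = new_customer({"name": "Constructed Person",
                        "licence": "12345678", "passport": "PA1234567"})
    print(lookup({}, cid))
    print(lookup({"Authorization": "Bearer svc-billing-token-constructed"}, cid))
```

The rate limit is applied before the record lookup on purpose: a run of 404s from one caller is exactly the pattern that enumeration produces, so those misses count against the caller and land in the audit list where an alert can be built on them. Retention is the one item this handler cannot fix; that is a matter of deleting records that no longer need to exist.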

LastPass

LastPass, the password management service provider, was the victim of multiple breaches in 2022, originating in August after a developer had their corporate laptop compromised.

The breach allowed an unauthorised user to gain entry to a cloud-based development environment. Once inside, the intruder was able to steal valuable data such as source code, technical information, and certain secrets related to LastPass’s internal systems.

Another major incident was reported in November after an attacker targeted a senior DevOps engineer. The assailant exploited vulnerabilities in third-party software to install a keylogger. The attacker then gathered credentials to bypass controls and access cloud backups, including system configuration details, API and third-party integration secrets, and both encrypted and unencrypted LastPass customer data.

The series of breaches was hugely damaging to the reputation of a company whose business is founded upon protecting the most sensitive information possible — their customers’ passwords.

Uber

Uber also experienced a breach in September 2022. On this occasion, stolen credentials for an employee were bought online from a dark web marketplace.

Multi-Factor Authentication (MFA) prevented direct use of the credentials. However, the resourceful hacker overcame the obstacle by directly contacting the driver on WhatsApp. After pretending to be a member of Uber’s security team, the hacker flooded the employee’s phone with MFA approval notifications to ensure they succumbed to the nuisance.

Once the hacker had access to Uber’s intranet, they found additional login credentials of an admin user with privileged access rights within Microsoft PowerShell scripts. Fortunately, on this occasion, the 18-year-old hacker only sought publicity rather than financial reward, thereby mostly limiting the damage to Uber’s reputation.
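The MFA flooding step above leaves a distinctive trace in the identity provider's logs: many push prompts to one user in a short window, ending in an approval. The following is an added example, not from the original post or from Uber, of detection logic that runs over such logs. The log lines are constructed, and the field layout (timestamp, user, event, result) is an assumption standing in for whatever format a real identity provider emits.

```python
"""Detect MFA push-notification bombing from authentication logs.

Added example, not from the original post or from Uber: the log lines are
constructed and the field layout (timestamp, user, event, result) is an
assumption standing in for whatever format the identity provider emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=mfa_push\s+result=(?P<result>\S+)"
)

# Constructed sample: alice receives a burst of prompts and finally approves one.
SAMPLE_LOG = """\
2022-09-15T21:03:11Z user=alice event=mfa_push result=denied
2022-09-15T21:03:40Z user=alice event=mfa_push result=denied
2022-09-15T21:04:02Z user=bob event=mfa_push result=approved
2022-09-15T21:04:15Z user=alice event=mfa_push result=denied
2022-09-15T21:04:50Z user=alice event=mfa_push result=denied
2022-09-15T21:05:20Z user=alice event=mfa_push result=denied
2022-09-15T21:06:05Z user=alice event=mfa_push result=approved
"""


def parse(lines):
    """Yield (timestamp, user, result) for each MFA push line; skip other events."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["result"]


def detect_mfa_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return findings as (kind, user, iso_timestamp).

    'burst' fires once when a user has received `threshold` prompts within
    `window`; 'approval_after_burst' fires for an approval that lands while
    the user is still inside such a burst, the moment a responder needs to act.
    """
    recent = defaultdict(deque)
    flagged = set()
    findings = []
    for ts, user, result in parse(lines):
        prompts = recent[user]
        prompts.append(ts)
        while ts - prompts[0] > window:
            prompts.popleft()
        in_burst = len(prompts) >= threshold
        if in_burst and user not in flagged:
            flagged.add(user)
            findings.append(("burst", user, ts.isoformat()))
        if in_burst and result == "approved":
            findings.append(("approval_after_burst", user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The burst finding is the early warning (the account is under pressure and the session should be watched); the approval-after-burst finding is the one that should page someone, since by then the attacker holds a live session. Number matching on the authenticator removes the pattern at the source, but the detection still matters for accounts that have not migrated.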

Latitude Financial Services

Latitude, an Australian personal loans provider, suffered a breach in March this year. An attacker breached internal systems and stole an employee’s login details. These credentials were then used to steal customer data from service providers.

The breach is estimated to have impacted over 14 million customer records, including nearly 8 million Australian and New Zealand drivers’ licences, reaching a scale well beyond the Medibank and Optus incidents. It was determined that almost 6 million licences were provided before 2013, highlighting the lack of an effective data retention policy.

With such significant breaches within the past 12 months, you may wonder who will be next. Given the regularity of data breaches, we probably won’t have to wait too long to find out.

Unfortunately, it’s likely that the victim is already breached and an attack is underway, with the malicious actor currently wreaking damage while undetected within their systems.

If you would like to learn more about what we are building at Onqlave to help protect sensitive data, visit us at www.onqlave.com to get started, follow our updates via LinkedIn or feel free to get in touch with any of our team.

Sources:

https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2022

https://www.verizon.com/business/resources/T7b/reports/2023-data-breach-investigations-report-dbir.pdf

https://www.missioncriticalmagazine.com/articles/94308-more-than-24-billion-usernames-passwords-are-available-on-the-dark-web

https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/

https://www.tessian.com/research/the-psychology-of-human-error/

https://www.bleepingcomputer.com/news/security/the-dark-web-is-getting-darker-ransomware-thrives-on-illegal-markets/

https://www.darkreading.com/threat-intelligence/market-bargains-dark-web-novice-cybercriminals-quick-start

https://www.privacyaffairs.com/dark-web-price-index-2023/

https://services.google.com/fh/files/blogs/google_security_infographic.pdf

https://www.securitymagazine.com/articles/97046-over-22-billion-records-exposed-in-2021

https://apisecurity.io/issue-203-optus-data-breach-api-security-guide-authn-authz-vulnerabilities/

https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

https://www.bleepingcomputer.com/news/security/latitude-financial-data-breach-now-impacts-14-million-customers/


onqlave

Build cloud native data privacy and protection in any application, in minutes. https://www.onqlave.com/