Data Breaches: Beyond Exposing Identities

Exploring the implications of adversaries or competitors using compromised networks to gain a business advantage under the guise of a data breach

By Kem Gay, Intelligence Analyst, 4iQ

Exposed data breaches are costly and taxing for companies and customers alike. More importantly, breaches are likely to lead to economic espionage as exposed networks may reveal a company’s trade secrets, pending mergers and acquisitions, and other proprietary information (PI), threatening a business’s overall competitive advantage. This trend isn’t unique, and it has become an increasingly common occurrence.

“Studies have calculated that the U.S. loses about 200,000 jobs a year, and Europe loses as many as 150,000 due to cyber theft, including digital theft, piracy, and espionage.”

– The Dawn of the Code War, John P. Carlin with Garrett M. Graff

In the past two years, the U.S. Department of Justice has indicted several individuals for cybercrimes related to espionage and stolen personally identifiable information (PII). In December 2018, two Chinese nationals were indicted for conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft. The pair, members of a known advanced persistent threat (APT) group colluding with China’s intelligence services, stole sensitive technology-related business information from companies and government agencies across 12 different countries. In addition, more than 40 computers were compromised in order to steal PII belonging to over 100,000 U.S. Navy personnel.

In late 2017, three Chinese hackers were also indicted for similar offenses. In March of the same year, cybercriminals colluding with two Russian intelligence agents were indicted for unauthorized access to a U.S. email service provider resulting in computer hacking, economic espionage, and conspiracy. The perpetrators stole at least 500 million email accounts and trade secrets related to the company. Although we cannot resolve the chicken-or-egg question of which came first in the aforementioned computer intrusions, the theft of PII or the theft of PI, we can confidently assert that both were targets for cybercriminals and nation-state actors. According to a recent report from the National Counterintelligence and Security Center, “Cyberspace remains a preferred operational domain for a wide range of industrial espionage threat actors, from adversarial nation-states, to commercial enterprises operating under state influence, to sponsored activities conducted by proxy hacker groups.”

At 4iQ, we’ve continued to observe the flourishing trade of PII in underground communities and the dark web, despite efforts by companies to secure their networks with security protocols and employee cybersecurity training. In 2018, 4iQ curated 13,000 data breaches, while in 2017, an average of 245 breaches was discovered on a monthly basis.

Compromised networks can be difficult to detect, and some take years to mitigate. Maintaining the integrity or availability of networks is a demanding task for the Chief Information Security Officer or others with that responsibility, as risk mitigation can be hard to manage. There is no universal remedy to avoid being compromised, but that doesn’t mean you should feel powerless. Take, for instance, the infamous 2017 Equifax breach that affected some 148 million consumers worldwide. In the aftermath of the breach, a House Oversight Committee report concluded that the breach was entirely preventable given Equifax’s poor and dated cybersecurity practices. This weakness isn’t unique to Equifax, and therein lies the problem. As a consumer, you expect companies holding your sensitive information to practice proper cyber hygiene, but that just isn’t always the case.

A company-wide approach needs to be taken in order to safeguard personal data. Minute details, such as using unique passwords for all your accounts, often get overlooked, leading to detrimental outcomes. If an employee was affected by a third-party breach and used the same password for their work email as for the compromised outside account, your company could be indirectly impacted. It’s cliché, but your organization is truly only as strong as its weakest link. Sitting through mandatory cybersecurity training might be a pain, but it serves a purpose. Additionally, keeping security software up to date and using a breach watch service can help mitigate your organization’s vulnerability, in turn reducing the vulnerability of all its stakeholders. Data breaches are an all too common occurrence for businesses in today’s global cyber-culture. Why risk adversaries and competitors using compromised networks to gain a business advantage under the guise of a breach?

About the Author

Kem Gay is an Intelligence Analyst for 4iQ, a cyber intelligence company that operationalizes the intelligence cycle from open source collection and data fusion to secure collaboration on complex ongoing investigations. Kem brings deep knowledge and expertise as a cyber intelligence analyst, working on investigations and training Intel units on tools and best practices that effectively and efficiently expedite missions. Kem was previously an intelligence analyst for the Federal Bureau of Investigation with over 12 years of dedicated service. She has worked in both strategic and operational capacities supporting various mission priorities, including cyber, criminal, and counterterrorism. Kem has conducted briefings to diverse audiences who used her assessments to inform cyber operations and policy. She has also worked to identify emerging threats supporting cybersecurity-related matters.