Most of the recent data breaches involve customer information such as user names and passwords, credit card numbers, and medical histories. The companies hacked are hurt — they have to contact victims, pay for credit monitoring services and fines, and may lose customers, brand reputation, and market value — but that is collateral damage.
Or it has been.
Increasingly, attackers are using data leaks to target the companies themselves, going after proprietary or embarrassing information and releasing it in such a way as to do the most harm.
That’s a change that companies need to be aware of, said Andrew Serwin, co-chair of the global privacy and data security group at San Francisco-based law firm Morrison & Foerster.
“I believe that we are moving into a space where the attacks will be less B-to-C centric, in terms of the data targeted, and be both B-to-B and B-to-C focused,” he said.
Data-loss prevention strategies that just focus on the personally identifiable data are no longer enough, he said.
“Companies need to view this issue as a governance issue and make sure they take a holistic view of the issue,” he said.
And the need for action is urgent, as both the hacking tools and the leak channels increase in sophistication.
“It’s a combination of a lot of things that we’ve seen for a lot of years coming together,” said Ric Messier, head of the cybersecurity program at Burlington, Vt.-based Champlain College. “The fact that it’s so easy to do this leaking and be able to manipulate people in this way certainly suggests that we’re probably just starting to see the beginning of these sorts of activities or attacks.”
Businesses have been slow to pick up on this, he added.
“The monetary motivation across the world of attack space has changed,” he said. “It used to be kids on Internet Relay Chat channels outing someone else that they didn’t like — that’s been around for ages. But we’ve taken it to a different level, leaking information to potentially manipulate stock prices, or for blackmail or extortion.
“As long as there’s money to be made in leaking information, we’re absolutely going to see it continue to increase.”
And the potential for damages is much larger than in leaks of personally identifiable information such as credit card numbers.
“There are mechanisms in our existing financial infrastructure that help companies recover from the losses that sometimes occur,” said Ray Rothrock, chairman and CEO at security firm RedSeal. “But you can’t recover from the trust factor.”
Just ask Ashley Madison, HBGary, or Mossack Fonseca, the law firm at the heart of the Panama Papers leak.
Or ask St. Jude. This summer, the medical device maker saw its stock price drop when a security report was released claiming vulnerabilities in the company’s pacemakers — while the company that released the report made money short-selling the stock.
“When this report hit the wire, St. Jude’s stock went down 5 percent in the same day,” Rothrock said.