There is no better resource for understanding trends in data security than Verizon’s annual Data Breach Investigations Report, so it must have been especially galling for the US telco’s employees to learn a database of their personal details has been stolen by a hacker, as reported by Vice. The hacker contacted the magazine and was able to share the full names, email addresses, corporate ID numbers, and phone numbers of Verizon employees, though it is not known how comprehensive the data is or whether it is up to date. Verizon admitted they also had been contacted by the hacker, who is said to want a USD250,000 ransom in exchange for not sharing the data with others.
Verizon played down the seriousness of the breach by telling Vice the employee directory which had been compromised was ‘readily available’. They also said they take data security ‘very seriously’ which begs a question of how the hacker obtained such useful information. Whilst the data apparently does not include social security numbers or bank details, it can still be used to cause a lot of mischief. According to the hacker, he obtained access to Verizon’s systems by exploiting the gullibility of somebody who worked for the telco.
These employees are idiots and will allow you to connect to their PC under the guise that you are from internal support
I do hope that Verizon’s nonchalant response is their way of lowering the expectations of the hacker, or of appeasing the concerns of employees and investors, rather than a genuine reflection of how they perceive the value of data like this. Whilst this particular hacker sounds like a goof with little idea of how to monetize his criminal endeavor, there will be others who better understand the ramifications. Of all the lessons to be learned, the most important is to recognize that people, rather than computerized systems, represent the greatest security weakness for any large employer.
Consider the method this hacker boasted about using: he socially engineered a Verizon employee into giving him access to Verizon’s systems by pretending to be another Verizon employee. Perhaps the access rights granted to his victim were only modest, with the result that the most valuable data compromised was an employee directory that is equally available to every other employee. There is only so much training you can give employees to help them recognize when they are being hustled. A recent study into how employees respond to apparent email phishing messages showed some people are much more gullible than others, and will consequently be lured into making all sorts of mistakes despite being instructed not to. Persistent hackers just need to find one victim who is overly trusting and has been given excessive permission to access secure systems, whilst security teams have the converse problem of trying to ensure every employee can be trusted to behave responsibly when contacted by a hacker.
The significance of the breach should not be understand solely in terms of what has gone wrong already, but also by estimating what harm might occur in future. This hacker was able to contact an insider who represented a weak link in the Verizon’s data chain of responsibility. Now the hacker has the contact details of many more Verizon employees. Those details can be used to identify targets within Verizon, or they might be used to impersonate Verizon employees. A hacker with such information could pretend to be a Verizon employee whilst talking to another Verizon employee, or might turn the attack in a different direction, and pretend to represent Verizon whilst speaking to another business or to a customer.
There has been a philosophy of how to address security threats that focuses on scale and assumes a great deal of automation. This is appropriate when thinking of the threat posed by a phishing campaign emailed to thousands of people at the same time, or a denial of service attack executed after installing malware on thousands of devices connected to the internet. But not all threats require scale to be serious. It can also be lucrative to impersonate the CEO just to persuade a single individual in the finance team to approve a bank payment they should not have. If you believe you can identify phishing threats by simply looking for recurring patterns in emails then you may leave yourself vulnerable to spearphishing attacks which are only sent to a single individual. There are now numerous accounts of comms providers being hit by highly targeted attacks where specific workers unwittingly gave access to internal systems to hackers; a few examples are given here, here, and here.
It took most businesses too long to appreciate the following fact, but one thing we have learned from prolonged research like that performed for the Verizon Data Breach Investigations Report is that every new breach will likely contribute to a slush pile of data that is made widely available amongst the criminal fraternity, and which is then used to facilitate further crimes including yet more breaches. This data might be used for SIM swaps, it might be used to hijack a social media account, or it might be used by a stalker. Once the data genie escapes it can never be bottled up again. So whilst it is understandable that Verizon wants to make public assurances that no sensitive data was stolen, I hope their cybersecurity leaders have already grasped the most important lesson about protecting data: any personal data can be used for bad purposes if it falls into the possession of bad people.