A couple of recent articles: Employee Personal Data: The Next Hacker Frontier and Hackers Are After Employee Data Now have attempted to bring to readers’ attention the fact that hackers are attempting to get at personal. However, this time, it is not the personal data of customers, but instead it is the personal data for employees at a company. In this blog we will talk about the implications of such a theft and more importantly we will follow-up with how that can pertain to you and your company.
The hackers in this case are very interested in the files of tens of thousands of employees that have applied for top-secret security clearances. To say that a smash and grab of that data would be a goldmine to entrepreneurial hackers would be an understatement. This type of data is valuable for two reasons.
First, anyone applying for top-secret security clearances has to supply personal information. A lot of personal information. Not only that, but those individuals also have to supply information regarding family and friends. A part of the top-secret clearance process is not only performing background checks on the applicant but also looking into with whom they associate.As a result, this personal information that the hackers are seeking can not only have detailed information regarding the applicants, but also of associates for those applicants. We are talking about names, addresses, phone numbers and email addresses for your family and friends, at a minimum. What can a hacker do with that information? Of course, those people can become victims themselves. But, more importantly, hackers can use social engineering to play you and your associates off of each other. Spoofed emails can be sent to you which may appear to come from an associate (or vice versa). Upon getting such an email, your guard is naturally down. You are then more likely to click on a link, open up a file and whammo, your computer is owned by someone else who intends to use your accounts as their personal ATM.
Second, it goes without saying that some of the people applying for top-secret security clearances may already have access to some confidential information. Furthermore, if they received their clearance, they may have access to some, well, top-secrets. If a hacker was successful in getting into their computer through social engineering, they would likely have access to much more information than the average person. While stealing money is a goal of hackers, information is the new currency and it can be sold for a lot of money as well.
Most of our readers are not applying for top-secret security clearances nor are they likely dealing with anyone who does. So most of you may be asking how this story pertains to you. The answer is quite simple.
With the sensitivity today to data breaches, some (but not as many as should) companies are taking proactive steps to secure their data. Whether it is driven by HIPAA, PCI, other governmental regulations or from some other desire to protect data, companies are encrypting and securing patient information, credit card data and customer data. Companies are also securing their intellectual property—be it secret formulas or confidential mechanical drawings. So what we have are companies protecting two classes of data: customers and property.
What companies might be missing, however, is securing their own employees’ data. As discussed above, not securing your own personnel data exposes your company and your employees on two fronts. It allows for hackers to steal your employees’ data and turn them into victims of identity theft. It also allows the hackers to socially engineer their way into your organization by using personal data to play one employee off of another.
Years ago we were contacted by a client. The client had an internal battle among the board of directors pitting one owner against others. This specific owner had been removed from the facilities. However, this owner was still getting information about the company and about other meetings to which he wasn’t invited. The client suspected the head of IT who was hired by this owner and was a personal friend. We were asked to investigate what information the IT person was accessing. Among other things, we found something very troubling. In the IT person’s contact list he had for each employee of the company their social security number and date of birth. Whether this information was locked down by HR was irrelevant, it was obviously now partially exposed by the IT person. Furthermore, what’s to stop the IT person (who had a colorful past to say the least) from capitalizing on that data?
You might be saying “I don’t have any sketchy IT people, they tell me my data is protected and in all honesty, I don’t have much data of interest”. Whether you are right or wrong on all of those points, if you think that equates to you not being a target, you are wrong. Companies are a target for hackers because the company exists on the internet, not because the company has highly sensitive and lucrative data. All it takes is one disgruntled employee (or the spouse of a disgruntled employee) who has access to your data.
Finally, when you submit that proposal or report, you have another set of eyes review it to catch what you didn’t catch, don’t you? Why don’t you do that with the security of your data?
by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations