Email Data Breaches: The Threat Keeps Giving

 

By most accounts, 2015 was a year of unprecedented data breaches. Several major government agencies, enterprises and consumer sites were hacked - leaking the personal information of millions onto the web.

But an initial security breach doesn’t end the vulnerability. For example, according to the data cultivated by email security firm MailChannels, spam and phishing emails to addresses stored in the Ashley Madison database - compared with the volume sent to a random sample of addresses - have increased exponentially since the hack.

“The data offers some insights into what consumers can expect: a steadily growing amount of scams and spam - both targeted and general - will hit inboxes in 2016,” according to Ken Simpson, CEO at MailChannels. “Anyone whose email has been exposed is a prime target for cybercriminals looking to profit from extortion, identity theft and data exploitation. The increased volume in email attacks won’t come right away, but evidence from the Ashley Madison data leak shows that the growth in volume of will be sustained throughout 2016; it isn’t going to tail off with time.”

Simpson spoke with Information Management about what he expects organizations will experience on the IT security front in 2016, and how those trends may impact customers.

Information Management: What does your data reveal that CIOs should know in terms of corporate email security issues?
Ken Simpson: CIOs should create a process for retrieving leak data when large leaks happen, because our analysis shows that the very appearance of someone's email address in a leak exposes them to more abuse after the leak occurs. Attackers use leaks to build their database of targets for all sorts of fraud - not just fraud related to the leak itself. For instance, with the Ashley Madison's breach, we saw users receiving regular spam and phishing attacks in addition to targeted attacks such as scams promising to remove users' personal information from the Internet.

Information Management: What types of data are most at risk?
Simpson: It's not so much the types of data that are at risk, it's the potential for social engineering that's the real risk. When an attacker knows something about your user because he or she was included in a breach, they can leverage that information to tailor an attack.

For example, let's say your HR SaaS provider experienced a breach, allowing an attacker to know not only that your employee "Sandra" in marketing makes $55,000/year, but also that she lives in London, England. You can now hit Sandra with a customized email claiming to be someone from the London office who needs some money because their passport was absconded during a trip to Egypt.

Information Management: Are organizations giving IT security enough attention, budget, and staffing?
Simpson: Security is never given enough attention until there is a major problem - this has always been true and probably always will be. Enlightened organizations invest more in security because they know that the cost of doing nothing is to guarantee - at some unknown time in the future - an incident that is very costly.

Ashley Madison's parent company nearly ceased operations after their disastrous breach. Were they doing enough on security? Not for a firm that deals in information that can destroy marriages. And we're only beginning to see the legal fallout that could hobble them for years to come.

Information Management: How does the CIO or the CISO best go about creating a culture of security awareness?
Simpson: I think it pays to keep on top of security events that receive widespread press, and to remind management and staff that they too are vulnerable. Part of the CIO's job is to provide information about the general threat landscape so that the organization starts to take security seriously. The CIO alone can't pull enough budget; but the collective concern of every department will start to make a difference.

Information Management: What do you predict will be the top IT security issues, challenges, and threats in 2016?
Simpson: In 2016, the threat for tailored attacks at the individual level will become commonplace. With this previous year having been one riddled with information breaches, our data shows cybercriminals have an increased repository of personal information pieces that will look to build out into comprehensive profiles that can be used for identity theft, extortion and hacking. The more built out a profile, the more possibilities for illicit activity and cybercriminals will be on the hunt to collect the missing information they need to exploit an individual or business through targeted emails and spam campaigns.

I also believe we'll see more nation state hacking and espionage causing real economic damage. For example, could a powerful Chinese SOE with influence in the Communist Party prod the red army's electronic division into hobbling a major US industrial company for competitive reasons? Say, through a major breach that was made to look like it came from Anonymous? Yes, that could happen in 2016. But this time, the linkage with the nation state will become clear.

Inormation-Management: http://bit.ly/1PrfIjw

« What Does a Cyber Security Strategy Look Like?
Third of UK Finance Logins Risk Client Data »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Center for a New American Security (CNAS)

Center for a New American Security (CNAS)

CNAS is the nation's leading research institution focused on defense and national security policy. Cyber security issues are an intrinsic element of the national security debate.

NextLabs

NextLabs

NextLabs provides data-centric security software to protect business-critical data and applications.

IntSights

IntSights

IntSights is an intelligence driven security provider offering rapid, accurate cyberthreat intelligence and incident mitigation in real time

Computer & Communications Industry Association (CCIA)

Computer & Communications Industry Association (CCIA)

CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government.

NESEC

NESEC

NESEC is a specialist in information security consulting services and solutions.

SySS

SySS

SySS is a market leader in penetration testing in Germany and Europe.

LIFARS

LIFARS

LIFARS is a global leader in Digital Forensics and Cyber Resiliency Services.

Virtue Security

Virtue Security

Virtue Security are specialists in web application penetration testing.

Realsec

Realsec

RealSec is an international company and is a developer of encryption and digital signature systems and Blockchain for the Banking and Methods of Payment sectors, Government and Defense and Multisector

RealTyme

RealTyme

RealTyme is a secure communication and collaboration platform with privacy and human experience at its core.

White Tuque

White Tuque

A new way to protect your organization. White Tuque is your partner in identifying threats, understanding your risk, and ensuring your business remains resilient.

Xceptional

Xceptional

Xceptional is a multi-award-winning technology services firm that celebrates the unique strengths of people with autism.

AKS iQ

AKS iQ

AKS iQ leads the RegTech sector with AI, automating regulatory compliance in the banking industry and ensuring paperless TBML and CFT adherence in finance.

eGeneration

eGeneration

eGeneration is one of the leading technology solutions and system integration companies in Bangladesh.

Fusion5

Fusion5

Fusion5 is a leading ANZ Business Services and IT Solutions provider. Our customers trust us to make their potential reality by providing advisory, IT project deployment, and managed services.

Hopper Security

Hopper Security

The Future of Open-Source Risk Management Starts Here. We built Hopper to make sure you can harness the power of Open-Source safely and effectively.