Email Data Breaches: The Threat Keeps Giving

 

By most accounts, 2015 was a year of unprecedented data breaches. Several major government agencies, enterprises and consumer sites were hacked - leaking the personal information of millions onto the web.

But an initial security breach doesn’t end the vulnerability. For example, according to the data cultivated by email security firm MailChannels, spam and phishing emails to addresses stored in the Ashley Madison database - compared with the volume sent to a random sample of addresses - have increased exponentially since the hack.

“The data offers some insights into what consumers can expect: a steadily growing amount of scams and spam - both targeted and general - will hit inboxes in 2016,” according to Ken Simpson, CEO at MailChannels. “Anyone whose email has been exposed is a prime target for cybercriminals looking to profit from extortion, identity theft and data exploitation. The increased volume in email attacks won’t come right away, but evidence from the Ashley Madison data leak shows that the growth in volume of will be sustained throughout 2016; it isn’t going to tail off with time.”

Simpson spoke with Information Management about what he expects organizations will experience on the IT security front in 2016, and how those trends may impact customers.

Information Management: What does your data reveal that CIOs should know in terms of corporate email security issues?
Ken Simpson: CIOs should create a process for retrieving leak data when large leaks happen, because our analysis shows that the very appearance of someone's email address in a leak exposes them to more abuse after the leak occurs. Attackers use leaks to build their database of targets for all sorts of fraud - not just fraud related to the leak itself. For instance, with the Ashley Madison's breach, we saw users receiving regular spam and phishing attacks in addition to targeted attacks such as scams promising to remove users' personal information from the Internet.

Information Management: What types of data are most at risk?
Simpson: It's not so much the types of data that are at risk, it's the potential for social engineering that's the real risk. When an attacker knows something about your user because he or she was included in a breach, they can leverage that information to tailor an attack.

For example, let's say your HR SaaS provider experienced a breach, allowing an attacker to know not only that your employee "Sandra" in marketing makes $55,000/year, but also that she lives in London, England. You can now hit Sandra with a customized email claiming to be someone from the London office who needs some money because their passport was absconded during a trip to Egypt.

Information Management: Are organizations giving IT security enough attention, budget, and staffing?
Simpson: Security is never given enough attention until there is a major problem - this has always been true and probably always will be. Enlightened organizations invest more in security because they know that the cost of doing nothing is to guarantee - at some unknown time in the future - an incident that is very costly.

Ashley Madison's parent company nearly ceased operations after their disastrous breach. Were they doing enough on security? Not for a firm that deals in information that can destroy marriages. And we're only beginning to see the legal fallout that could hobble them for years to come.

Information Management: How does the CIO or the CISO best go about creating a culture of security awareness?
Simpson: I think it pays to keep on top of security events that receive widespread press, and to remind management and staff that they too are vulnerable. Part of the CIO's job is to provide information about the general threat landscape so that the organization starts to take security seriously. The CIO alone can't pull enough budget; but the collective concern of every department will start to make a difference.

Information Management: What do you predict will be the top IT security issues, challenges, and threats in 2016?
Simpson: In 2016, the threat for tailored attacks at the individual level will become commonplace. With this previous year having been one riddled with information breaches, our data shows cybercriminals have an increased repository of personal information pieces that will look to build out into comprehensive profiles that can be used for identity theft, extortion and hacking. The more built out a profile, the more possibilities for illicit activity and cybercriminals will be on the hunt to collect the missing information they need to exploit an individual or business through targeted emails and spam campaigns.

I also believe we'll see more nation state hacking and espionage causing real economic damage. For example, could a powerful Chinese SOE with influence in the Communist Party prod the red army's electronic division into hobbling a major US industrial company for competitive reasons? Say, through a major breach that was made to look like it came from Anonymous? Yes, that could happen in 2016. But this time, the linkage with the nation state will become clear.

Inormation-Management: http://bit.ly/1PrfIjw

« What Does a Cyber Security Strategy Look Like?
Third of UK Finance Logins Risk Client Data »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Sparta Consulting

Sparta Consulting

Sparta Consulting is an information management and business development full service provider.

Lanner Electronics

Lanner Electronics

Lanner Electronics is a leading hardware provider for advanced network appliances and industrial automation solutions including cyber security.

Focal Point Data Risk

Focal Point Data Risk

Focal Point is a pure-play data risk management provider capable of offering end-to-end consulting, implementation, and training services.

Intensity Analytics

Intensity Analytics

Intensity Analytics is a software firm that develops next-generation, physical user and entity behavioral authentication ("physical UEBA") security software technology.

miniOrange

miniOrange

miniOrange is a cloud and on-premise based identity and access management (IAM) solution provider.

Cyber Security Raad (CSR) - Netherlands

Cyber Security Raad (CSR) - Netherlands

The Cyber Security Council (CSR) is a national, independent advisory body of the Dutch government undertaking efforts at strategic level to bolster cyber security in the Netherlands.

Cyber Struggle

Cyber Struggle

At Cyber Struggle, our aim is training and certifying the special forces of the cyber world.

Netsecurity AS

Netsecurity AS

Netsecurity is a Norwegian owned company focused and specialised within IT security and cybersecurity-as-a service.

CICRA Consultancies

CICRA Consultancies

Cicra Consultancies is a company that specializes in cyber security. Our major activities are guided by three main principles: Prevent, Investigate, Prosecute.

ZARIOT

ZARIOT

ZARIOT's mission is to restore order to what is becoming connected chaos in IoT by bringing unrivalled security, control and quality of service.

Abu Dhabi Gov Digital

Abu Dhabi Gov Digital

Gov Digital (formerly Abu Dhabi Digital Authority - ADDA) enable, support and deliver a digital government that is proactive, personalised, collaborative and secure.

American Technology Services (ATS)

American Technology Services (ATS)

American Technology Services provides unparalleled services in information technology to support small and mid-sized business. From top-level strategy, to managed services and infrastructure support.

QEDIT

QEDIT

QEDIT is leading the standardization of Zero-Knowledge Proofs through the ZKProof.org Workshops, and builds production-grade ZKP systems for blockchain.

Robosoft Technologies

Robosoft Technologies

Robosoft Technologies is a full-service digital transformation partner. We provide end-to-end digital transformation services in areas including cybersecurity.

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures is an early-stage investment vehicle focused on cybersecurity, data analytics and automation startups.

Kaavalan

Kaavalan

Kaavalan was founded with a mission and a vision to protect you against cyber threats in the connected world.