Believe it or not, cyber-security remains underestimated despite several CISOs insisting on the need for it. For instance, a global survey by Trend Micro indicated that 64% of business decision-makers are still evaluating how cybersecurity relates to their enterprise. Worse, 51% did not see cyber-security as a revenue generator, while 38% viewed security as a barrier.
The dichotomy between our need for security and the perception of it poses a critical risk not just to the organisation or brand but to the end-users who rely on its product or service.
Here’s a quick look at three established brands and the impact from a data security perspective.
THE BIG HEIST ON DUOLINGO
Duolingo, the popular language-learning application, saw a massive data breach at the start of August 2023. Nearly two and a half million email IDs were leaked online after an API was exposed.
To the average internet user, it is easy to assume such data is harmless or to underplay the risk. After all, what damage could a revealed email ID do? Other data points leaked alongside the email addresses included language, profile picture, username, country and biography; for some users, all details were leaked. According to reports, the email IDs could be used for phishing, spear-phishing attacks and customised email scams.
Surprisingly, the abuse method had been reported to Duolingo as early as January. More surprisingly, the stolen data was initially offered for $1,500 and subsequently for a paltry $2.13.
INDONESIAN IMMIGRATION DIRECTORATE GENERAL
Over 34 million Indonesian citizens have fallen victim to a security breach involving their passport data. The breach occurred when an unauthorised individual gained access to the Immigration Directorate General at Indonesia’s Ministry of Law and Human Rights. This unsettling incident was first brought to light by cybersecurity researcher Teguh Aprianto, the founder of Ethical Hacker Indonesia. Aprianto attributed the attack to a hacktivist operating under the alias “Bjorka.”
The classification of this breach as hacktivism raises questions, as hacktivism typically involves unauthorised access to systems to promote a political or social agenda. It is usually aimed at disrupting organisational operations while minimising harm to users. However, in this case, the purported hacktivist stole extensive amounts of personal data, which is currently listed on the dark web for sale at a price of $10,000.
The stolen data includes comprehensive information about Indonesian residents, encompassing their full names, genders, passport numbers, dates of issue and expiration, as well as dates of birth. Law enforcement agencies are actively investigating this incident, which bears close resemblance to a conventional cyberattack rather than one motivated by political or social objectives.
CATCHING BIG SHARKS OFF-GUARD
When the managed file transfer software MOVEit was hit by a data breach, it was not just the software vendor but countless government and private entities that were caught up in the fallout. US life insurance services firm Genworth Financial saw 2.5 million records exposed in the attack. A second organisation compromised was CalPERS (California Public Employees’ Retirement System), with 769,000 of its members affected. Wilton Reassurance, a New York-based insurance provider, was informed that nearly 1.5 million members’ data was affected.
The US states of Oregon and Louisiana said their departments of motor vehicles were compromised as part of the MOVEit software vulnerability that has been wreaking havoc in recent weeks. Louisiana’s OMV (Office of Motor Vehicles) said that at least six million records, including driver’s licence information, were stolen. Systems of Pension Benefit Information (PBI) were compromised through MOVEit Transfer, which may have put the data of 16 million individuals at risk. According to a TechCrunch article, the hack was estimated to have affected some 160 departments. In an official statement, the Teachers Insurance and Annuity Association of America, a client of PBI, clarified that despite the breach at its vendor, there was no risk to its own systems.
TIP OF THE ICEBERG
Statistics compiled by Surfshark, a VPN service provider, reveal that 73% of email addresses have been breached and that a single email ID may be compromised more than three times. Although India has had fewer emails breached per person than Canada, Russia or China, the overall number of breached email accounts remains as high as 292 million. This number is only the tip of the iceberg, since the US alone reported nearly 2,000 data leaks last year, exposing 4.2 billion private records.
To make matters worse, the advent of AI has brought about a paradigm shift in the hacking landscape. AI-powered tools and techniques are becoming increasingly accessible to cybercriminals, even those with limited technical expertise. AI enables hackers to automate various stages of the attack process, from scanning for vulnerabilities to exploiting them. This automation allows cybercriminals to launch large-scale attacks with minimal manual intervention.
As AI-driven cyberattacks become increasingly sophisticated and widespread, the cybersecurity community must adapt by developing advanced AI-powered defences, promoting awareness, and fostering collaboration to safeguard digital assets and personal information in an AI-driven world. The battle between cybersecurity and cyber threats is evolving, and the role of AI in this struggle is undeniably pivotal.
What looks more worrying is how leaders have insisted on more technology as the answer. According to a Security magazine survey, 83% of leaders said that, to enhance protection, they would choose new technology over adding more team members.
Although it may seem a tall task to compete against AI tools, there are some mitigation strategies. Experts have signalled the need for a better organisational culture, sensitising employees, and restricting the use of third-party apps to prevent data leaks. Organisations should also monitor their data closely and proactively scan their systems for loopholes. An IBM report puts the average cost of a data breach at $4.24 million; the actual damage to a business, however, could far exceed that figure.