When the Equifax breach—one of the largest of all time—went public nearly a year and a half ago, it was widely assumed that the data had been stolen for nefarious financial purposes. But as the resulting frenzy of consumer credit freezes and monitoring programs spread, investigators who were tracking the breach behind the scenes made an interesting discovery.
The data had up and vanished.
This was surprising because, if the data had in fact been stolen with the ultimate goal of committing financial fraud, experts would have expected it to be sold on the Dark Web. At the very least, they expected to see a wave of fraudulent credit transactions. Nada.
CNBC recently published an article taking an in-depth look at what exactly happened to the credit, social security, and other sensitive data of 143 million people after it was stolen. The deeper threat hunters have gone down the rabbit hole of this story, the more convinced they have become that the motive was actually even more sinister than pure financial gain. It appears the thieves’ likely goal is to identify and/or recruit spies.
In essence, the security experts most familiar with this breach are convinced that a nation-state—likely China or Russia—stole the data in order to suss out current spies and pick out potential targets they could recruit as spies.
It’s the latter part that should concern organizations, including businesses, in the U.S. and beyond. While the complex spy scheme sounds like something out of a movie, it actually has serious real-world implications for many businesses.
Here is part of the article businesses should pay close attention to:
“Credit reporting data provides compromising information that can be used to turn valuable people into agents of a foreign government, influencers or, for lower-level employees, data thieves or informants. In particular, the credit information can be used to identify people in key positions who have significant financial problems and could be compromised by bribes or high-paying jobs, the former official said. Financial distress is one of the most common reasons people commit espionage.
The Equifax data provides information that could identify people who aren’t even in these positions of influence yet, he said, and could be valuable for years to come.”
The reality is that most organizations today do not have much visibility into what their employees and other insiders are doing with valuable company data. One study found that 42% of organizations rely on server logs to detect insider threats. Server logs are difficult to parse and rarely carry the user and data context needed to tell an insider threat apart from routine activity. Only about a quarter of organizations are using keylogging or session recording, and 8% of organizations admit they have zero visibility whatsoever into insiders’ activity.
These gaps can leave organizations open to some major risks. Criminal insider incidents can have repercussions that go well beyond the financial, but in pure dollar value, a Ponemon report recently found that these represent an average annualized cost of $2.99 million. Many organizations simply can’t recover from that.
The lack of visibility many security teams have into insiders’ actions poses a massive security risk to organizations. With the Equifax breach’s true implications becoming increasingly clear, it’s never been more important to understand what actions users are taking related to sensitive corporate data and systems.
In particular, organizations should aim to gain visibility into user activities related to:
- Unauthorized cloud storage or large file-sending sites
- Disposable or temporary email clients
- USB storage devices and other removable media
- Clipboard copy, cut, and paste operations, and large print jobs
These are just a few examples of user activities that, when put into context with the specific types of data in play and other factors, can shed valuable light on an insider threat in progress.
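As an added illustration (not code from the original article or from any product it describes), the following script shows what "putting user activity into context" can look like in practice: a handful of toy detection rules for the activity categories listed above, run over constructed endpoint, proxy and print-server events, with each hit weighted by the sensitivity label of the data involved. The domain lists, thresholds, field names and sensitivity labels are all assumptions chosen for the example; a real program would take them from the organization's own allow-lists and data classification scheme.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Assumed policy lists (illustrative only; not from the article or any product).
UNAUTHORIZED_STORAGE = {"wetransfer.com", "mega.nz", "dropbox.com"}
DISPOSABLE_MAIL = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}
LARGE_UPLOAD_BYTES = 25 * 1024 * 1024   # 25 MiB outbound in one request
LARGE_PRINT_PAGES = 100
LARGE_CLIPBOARD_BYTES = 64 * 1024       # 64 KiB of text copied at once

# The "context" the article refers to: how sensitive is the data being handled?
# Labels are assumed to come from the organization's classification/DLP tagging.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}

def domain_candidates(url):
    """Return the URL's host plus every parent domain except the bare TLD,
    so 'upload.wetransfer.com' also matches a list entry 'wetransfer.com'."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return {".".join(parts[i:]) for i in range(max(len(parts) - 1, 1))}

def classify(ev):
    """Map one event to (rule_name, base_score), or None if nothing matches."""
    kind = ev.get("type")
    if kind == "http" and ev.get("method") in ("POST", "PUT"):
        hosts = domain_candidates(ev.get("url", ""))
        if hosts & UNAUTHORIZED_STORAGE and ev.get("bytes_out", 0) >= LARGE_UPLOAD_BYTES:
            return ("upload_to_unauthorized_storage", 3)
        if hosts & DISPOSABLE_MAIL:
            return ("disposable_email_use", 2)
    elif kind == "usb_write":
        return ("removable_media_write", 2)
    elif kind == "print" and ev.get("pages", 0) >= LARGE_PRINT_PAGES:
        return ("large_print_job", 1)
    elif kind == "clipboard" and ev.get("bytes", 0) >= LARGE_CLIPBOARD_BYTES:
        return ("large_clipboard_copy", 1)
    return None

def summarize(events):
    """Per-user score and matched rules. Score = rule base + data sensitivity,
    so the same action on restricted data outranks it on public data."""
    out = defaultdict(lambda: {"score": 0, "rules": []})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        rule, base = hit
        weight = SENSITIVITY_WEIGHT.get(ev.get("data_class", "internal"), 1)
        out[ev["user"]]["score"] += base + weight
        out[ev["user"]]["rules"].append(rule)
    return dict(out)

def alerts(events, threshold=6):
    """Users whose combined score reaches the threshold, highest score first."""
    summary = summarize(events)
    flagged = [u for u, s in summary.items() if s["score"] >= threshold]
    return sorted(flagged, key=lambda u: -summary[u]["score"])

# Constructed sample telemetry (not real logs): web proxy, endpoint agent, print server.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2019-01-10T09:02:11", "type": "http", "method": "POST",
     "url": "https://upload.wetransfer.com/api/v4/transfers",
     "bytes_out": 80 * 1024 * 1024, "data_class": "confidential"},
    {"user": "alice", "ts": "2019-01-10T09:40:03", "type": "usb_write",
     "path": "E:\\q3_customer_list.xlsx", "data_class": "restricted"},
    {"user": "bob", "ts": "2019-01-10T10:15:44", "type": "print", "pages": 250,
     "data_class": "public"},
    {"user": "bob", "ts": "2019-01-10T10:20:00", "type": "http", "method": "POST",
     "url": "https://sharepoint.example.com/sites/finance/upload",
     "bytes_out": 200 * 1024 * 1024, "data_class": "confidential"},  # sanctioned tenant, no hit
    {"user": "carol", "ts": "2019-01-10T11:05:29", "type": "http", "method": "POST",
     "url": "https://www.mailinator.com/v3/index.jsp", "bytes_out": 2048,
     "data_class": "internal"},
    {"user": "carol", "ts": "2019-01-10T11:06:10", "type": "clipboard",
     "bytes": 128 * 1024, "data_class": "internal"},
    {"user": "dave", "ts": "2019-01-10T12:00:00", "type": "http", "method": "GET",
     "url": "https://www.dropbox.com/home", "bytes_out": 512},  # browsing, not uploading
]

if __name__ == "__main__":
    for user, s in summarize(SAMPLE_EVENTS).items():
        print(f"{user:6} score={s['score']:2} rules={s['rules']}")
    print("alert:", alerts(SAMPLE_EVENTS))
```

Run as-is, the script flags only alice: a large upload to an unauthorized transfer site plus a write of restricted data to removable media. Carol's disposable-mail visit and large clipboard copy on internal data stay below the threshold, and bob's 250-page print job of public material barely registers. The point is the weighting, not the specific numbers: the same USB write scored against "public" rather than "restricted" data would not raise an alert at all, which is what separates a useful insider-threat signal from a flood of noise.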
Given the likelihood that we will see some major spy-recruitment efforts take place over the coming years, any business that stores or handles sensitive data (which is many, many businesses) should have a comprehensive insider threat program in place to gain full visibility into exactly how their insiders are using that data. This is the best way to be prepared if a trusted insider falls victim to a recruitment scheme and attempts to steal data from the organization. It might sound like a good movie on paper, but when it’s valuable company or customer data on the line, the ending could be very unpleasant.