Information leakage, or how a company can fall from the inside
According to the ENISA Threat Landscape Report 2018, information leakage continues to be one of the growing cyber risks, covering a wide range of compromised information, from personal data collected by Internet companies and online service providers to business data stored in IT infrastructures.
When security breaches become the subject of intense media debate, the focus is on potential attacks from the "competition" or on the failure of cyber defense processes and techniques.
However, the undeniable truth is that, regardless of impact or target, information leaks are usually caused by individuals' actions or by a mistake in the company's internal processes. Occasionally, a technical error or misconfiguration can also cause an information leak. The European Union Agency for Network and Information Security (ENISA), however, highlights that, according to a recent report, unintended disclosure was the basis for most leaks in 2018.
Trends and general statistics
· In March 2018, approximately 500,000 passwords were put up for sale on the Dark Web for $90;
· In the third quarter of 2018, there was a 20% increase in the loss of confidential data compared to the third quarter of 2017;
· If data disclosures continued at the 2015 level, the fines applied under the GDPR could increase 90-fold, from £1.4 billion in 2015 to £122 billion;
· Internal actors account for 29% of those involved in data disclosure: 26% of them are system administrators, 22% end-users, 12% doctors or nurses, and 22% other roles.
Cases of leaks in 2018
· In January, information collected through the Strava fitness application led to the discovery of the locations of Russian, British and American military bases in Syria and Afghanistan. The information was revealed through Fitbit devices connected to the users' accounts;
· The marketing company Exactis left about 340 million records publicly exposed on an accessible server. Although these did not include social security numbers or credit card numbers, it was still 2 TB of very personal information about hundreds of millions of adults;
· At the end of the summer, a Chinese hotel chain exposed the data of approximately 130 million customers, including names, phone numbers, email addresses, bank account numbers and booking details;
· Sungy Mobile Ltd., one of the world's leading mobile application developers, exposed the information of about 50 million consumers due to a poorly secured database backup.
How do we reduce the leakage of information?
· Anonymize, pseudonymize, minimize and encrypt data in accordance with the GDPR;
· Store data only on secure computer systems;
· Limit user access privileges by following the "need to know" principle (access to classified information is granted individually, only to persons who must work with or access such information to perform their duties);
· Train staff on cyber security regularly;
· Revoke the access privileges of people who are no longer employed;
· Use technology tools to avoid potential data leaks: vulnerability scanning, malware scanning and DLP (data loss prevention) tools.
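The list above stays at policy level. As an added example (not from the article or from ENISA), the Python below shows how three of those points work together before a dataset leaves the company: data minimization drops the fields an export does not need, pseudonymization replaces identity with a keyed HMAC, and a DLP-style check blocks the export if raw personal data still slips through. The records, the secret key and the patterns are constructed for illustration and modelled on the hotel-chain case above.

```python
import hashlib
import hmac
import re

# Constructed sample records, modelled on the hotel-chain case above; all values are fictitious.
RECORDS = [
    {"name": "Ana Popescu", "phone": "+40 721 000 111", "email": "ana@example.com",
     "iban": "RO49AAAA1B31007593840000", "booking": "2018-08-14 room 212"},
    {"name": "Liu Wei", "phone": "+86 10 5555 0100", "email": "liu.wei@example.org",
     "iban": "DE89370400440532013000", "booking": "2018-08-15 room 305"},
]

# Secret for deriving pseudonyms (hypothetical value); it must never travel with the export.
PSEUDONYM_KEY = b"constructed-secret-key-replace-me"

# Simple DLP-style patterns for the PII types the article lists: email, bank account, phone.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "phone": re.compile(r"\+\d[\d ]{7,}\d"),
}

def pseudonymize(email, key=PSEUDONYM_KEY):
    """Stable pseudonym: keyed HMAC over the normalized email.
    Unlike a plain hash, nobody without the key can re-identify a
    customer by hashing guessed addresses."""
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def minimize(record, key=PSEUDONYM_KEY):
    """Data minimization: keep only what analytics needs, identity replaced by a pseudonym."""
    return {"customer_id": pseudonymize(record["email"], key), "booking": record["booking"]}

def dlp_findings(record):
    """Return the PII types found in a record that is about to leave the company."""
    text = " ".join(str(v) for v in record.values())
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(text))

def safe_export(records, key=PSEUDONYM_KEY):
    """Minimize every record, then block the export if raw PII still slipped through."""
    exported = [minimize(r, key) for r in records]
    leaks = sorted({f for r in exported for f in dlp_findings(r)})
    if leaks:
        raise ValueError(f"export blocked, PII detected: {leaks}")
    return exported
```

Running `dlp_findings(RECORDS[0])` on a raw record reports email, IBAN and phone, while `safe_export(RECORDS)` returns only the pseudonym and booking fields; a booking note that still contains an email address makes the export fail instead of leaking it.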