When we think of data breaches, we picture instances where a large amount of customer data has been stolen from a business or organisation, such as the recently disclosed Yahoo hack.
Whilst much of the IT security industry is focussed on preventing data theft, there's another element that needs to be considered: data manipulation. The risks data theft poses to businesses are well understood. However, the dangers of data manipulation, where hackers damage the integrity of the data, are only just beginning to become clear, as it is harder to detect and prevent, because nothing is stolen.
There are two major ways that a hacker can manipulate data to cause a business to suffer legal, financial and reputational damages:
1. Hacking and leaving altered data
The first, and most common, form of data manipulation is the hardest to detect. In the event that an organisation's security is breached, a hacker may, instead of stealing data, decide to alter the information and leave it there. Depending on the importance of this information, a business may make vital decisions based on incorrect or exaggerated data. This can happen in a number of ways, ranging from altering stored data, to taking over the connected and IoT devices producing the data and manipulating them into sending incorrect information.
The repercussions of this sort of hack can be devastating for a business. If future planning, investments or purchases are made based on incorrect information, then not only could those decisions be wrong for the business, but there may be legal and financial consequences if it appeared that fraudulent behaviour had taken place. An example of this would be if the data that farmers use to determine soil pH levels, and therefore which crops to plant, were to be manipulated. Investors and businesses spend considerable amounts of money supporting the forecasted crop yields and, should that be based on altered data, then it could be financially crippling for the farmer and local businesses – while hackers could use this to purchase stocks and make a profit.
When a hacker releases breached data from a business to the public, that organisation will become aware that it needs to improve its security. However, the difficulty with detecting manipulated data is that it could be years before it is noticed.
If a business remains unaware that internal data has been altered by a hacker, it has no incentive to update its digital security and can remain vulnerable to future breaches. This leads us to the next use of data manipulation.
2. Altering stolen data to damage reputations
Instead of stealing the data or manipulating and leaving it, a hacker could choose to steal the data, and then alter it.
As we have seen with the recent World Anti-Doping Agency hack, by manipulating data that has been stolen, a hacker can aim to damage the reputations of both organisations and individuals, making information appear incriminating. If hackers can access the data, imagine if they could manipulate it to make it look like an athlete, in this instance, has been doping (or not) when they haven't (or have). This type of attack could potentially have career-ending implications for many public figures, including athletes, politicians and leading business figures, leaving their reputations in tatters.
The difficulty with addressing this type of data manipulation is that, if a business claims that stolen data has been manipulated, and the altered data reflects badly on them, consumers may not believe their claims that the data has been changed. When a data breach occurs, consumers lose confidence in that business, and may believe that the reports of data manipulation have been exaggerated to mitigate damage to their image, regardless of whether the data has been manipulated or not.
Preventing data manipulation and theft
Before businesses can think of defending themselves they need to be aware of what data they have, and where it is stored, as without that knowledge they can't protect it. Businesses generate a huge volume of data, and it is key that they identify what is crucial and most sensitive for their operations. It is no longer a question of if, but when, a data breach will occur, and businesses need to begin adequately protecting themselves. Fortunately, there are a number of solutions businesses can utilise to prevent these types of intrusion occurring. The first solution to implement is two-factor authentication, which involves something you have and something you know, for example an email address being the thing you have and a one-time password the thing you know.
Once this is in place, businesses must focus on protecting their most vital asset, the data. Implementing security protocols like encryption and key management helps protect the data, should the inevitable happen and a breach occurs. In the event of a data breach these protocols create what is known as a 'secure breach'. Encryption essentially renders the data useless to anyone who is not authorised to access it, and this is done through key management. These unique keys help unlock that encryption, allowing people to be the custodians of their own data, and so must be kept with the hardware to avoid them being hacked. These protocols aren't expensive or difficult to implement and are necessary to protect data from cyber-criminals.
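The article's central point, that manipulated data can sit unnoticed for years, and its recommendation that keys be kept separate from the data they protect, can both be illustrated with a keyed integrity check. The example below is added here and is not code from the author or from Gemalto: each stored record is tagged with an HMAC computed under a key that is assumed to live outside the data store (the key value, the record identifiers and the soil-pH readings are all constructed for the example). Binding the record identifier into the tag also catches a record being swapped into another identifier's slot, which a plain per-record checksum would not.

```python
import hashlib
import hmac
import json

# Constructed placeholder key. In a real deployment this would be held in a key
# manager or HSM, separate from the data store it protects, so that an attacker
# who can alter stored records cannot also recompute valid tags.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so the same content always tags the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record_id: str, record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the record id and its canonical content.

    Including the id means a valid (record, tag) pair cannot simply be copied
    into a different record's slot.
    """
    message = record_id.encode() + b"\x00" + canonical(record)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_record(record_id: str, record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(tag_record(record_id, record, key), tag)


def audit(store: dict, key: bytes = INTEGRITY_KEY) -> list:
    """Return the ids of every record whose stored tag no longer matches its content."""
    return sorted(
        record_id
        for record_id, (record, tag) in store.items()
        if not verify_record(record_id, record, tag, key)
    )


def build_store() -> dict:
    """Constructed sample data: soil pH readings keyed by field, as in the article's
    farming scenario. The store maps id -> (record, tag)."""
    readings = {
        "field-01": {"ph": 6.5, "sampled": "2016-10-01"},
        "field-02": {"ph": 5.8, "sampled": "2016-10-01"},
        "field-03": {"ph": 7.1, "sampled": "2016-10-02"},
    }
    return {rid: (rec, tag_record(rid, rec)) for rid, rec in readings.items()}


def demo_tamper() -> list:
    """An attacker with write access changes a reading but cannot recompute the tag."""
    store = build_store()
    store["field-02"][0]["ph"] = 8.9
    return audit(store)


def demo_swap() -> list:
    """An attacker copies field-01's valid record and tag over field-03's slot."""
    store = build_store()
    store["field-03"] = store["field-01"]
    return audit(store)


if __name__ == "__main__":
    print("clean store:", audit(build_store()))   # []
    print("after edit: ", demo_tamper())           # ['field-02']
    print("after swap: ", demo_swap())             # ['field-03']
```

Running `audit` on a schedule (or on every read of a high-value record) turns a silent alteration into an alert at the time it is first read, rather than years later. The check only holds if the key is not reachable from the same access path as the data, which is the separation the article's key-management advice is describing.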
Protecting against these attacks is vital to ensure customer trust and loyalty for an organisation. With GDPR coming into effect in the next two years, it will soon be mandatory for any business handling EU specific data, or doing business within the EU, to report any and all data breaches. While two years may seem like a long time, for some organisations the process of improving security measures must start now. We are entering the era of integrity attacks. Those businesses that are breached, whether the data is stolen or manipulated, and don't have adequate security protocols in place to protect the data face significant fines.
Contributed by Jason Hart, CTO of data protection, Gemalto