There is a growing awareness of a new frontier in cyber-security. It’s no longer the corporate firewall – most people accept that the days of the ‘castle and moat’ defence are long gone – but the data itself.
To succeed in this new battle, we must deploy new tactics and strategies.
The problem is this: no matter how tightly you run your ship, and how perfect your own defences may be, from a regulatory perspective you are still responsible – and liable – for data breaches, no matter who loses that data.
Sorry, I lost your data
First party breaches – where the organisation itself loses customer data – are, of course, only too common. In the case of British Airways, malicious code was added to its website which, as well as completing the booking, skimmed off all the customer’s card details and contact information and sent them to the bad guys too. As the Magecart code was skimming the data at the point of entry – via the user’s own web browser and internet connection – the malicious payload never passed through BA’s servers or network, so it was not detected as an anomaly, no matter how much groovy AI network traffic analysis you threw at it. But if British Airways had been continuously monitoring its own website for unexpected code changes, it would have discovered the issue right away.
The dog ate your data
Third party breaches are even harder to detect and control. There are many types of third party breach, but sources fall broadly into two categories: technology partners and supply chain partners.
In the case of Ticketmaster – another victim of Magecart skimming – the malicious code was injected via compromised servers at its technology partner Inbenta, provider of Ticketmaster’s customer support technology.
Last year, customers of Jaded London and five other fashion retailers had their details exposed by a security breach at e-commerce platform provider, Fashion Nexus.
More than a million customers were affected in this classic example of a technology partner breach, where multiple businesses were reliant on a single platform. In the case of Fashion Nexus, at least the affected retailers were direct customers, and were therefore able to respond quickly and positively to the issue.
Someone else's dog ate your data
Fourth party breaches – suppliers to your suppliers – are far harder to detect and validate. Take the "million fingerprints leaked" example of Korean biometrics supplier Suprema. In August this year, security researchers at vpnMentor uncovered cleartext usernames, passwords and biometric data that were publicly exposed in an Elasticsearch index associated with Suprema’s cloud-based Biostar 2 service. The headlines quickly – and erroneously – jumped on the fact that Suprema’s sensors are integrated into the AEOS building access control platform from Dutch provider Nedap, which in turn is used to secure buildings at 5,400 organisations worldwide, including governments, banks and the UK Metropolitan Police. No doubt these organisations breathed a collective sigh of relief when Nedap issued a clarification statement the next day, confirming that the AEOS/Suprema integration was limited to on-premise deployments of Suprema’s Biostar 2, rather than the compromised cloud version.
But the news article will inevitably have triggered alarm bells at many of the organisations using AEOS software in their supply chain. "Does this breach impact us?" is one of the hardest questions to answer in that situation – in today’s digitally transformed world, it’s simply not possible to keep track of all the fourth party technology suppliers.
If your business uses 30 technology suppliers – we certainly do – and each of them in turn uses 30 different technology suppliers, that’s 900 companies you need to keep track of.
That’s why we think a different and complementary approach to data breach detection is called for, an approach which bridges the inevitable gaps and notification delays inherent in any modern digital supply chain.
It’s a simple concept: look after the data itself, wherever it’s stored or processed.
But with billions of leaked and hacked customer data records circulating online, how are you going to decide if a breach includes your customer data?
It wasn't even my data anyway
First impressions are not always reliable, as any AI aficionado will tell you. In the same way that a compunctious chihuahua can bear an uncanny resemblance to a muffin, a Pastebin collection of data might instantly have you running for your GDPR breach reporting playbook even though it probably has nothing to do with you. So, why is this? It comes down to the fact that data breaches are nothing new and the second-hand data industry is unusually eco-friendly: recycling data is a popular tactic for boosting sales and shares. And, just as a music artist might use a couple of recent top-tens to justify bringing out (yet) another greatest hits compilation, many of the data sets on offer are simply a combination of classic all-time breaches with a sprinkle of more recent and more useful data.
Deciding whether you should worry about a post which contains some of your data isn’t easy. More importantly, if you notify affected users every time their credentials have been publicly outed, you will inevitably request password changes which have already been actioned. And, you’ll also run the risk of generating breach-apathy in a user community you absolutely need to keep on side.
Tackling this issue when searching for leaks of employee data is straightforward enough, as you can simply monitor the corporate email domains. With the latest Digital Risk Protection technology, you can continuously compare breach notifications and filter out duplicate posts. You can check them against Active Directory and ITSM databases to generate user notifications if, and only if, the breach is new. And you can record all this activity to build repeat-offender league tables and gain insight.
Overcoming the barriers
Achieving the same level of certainty when monitoring for leaks of customer data is far more challenging – particularly in the case of B2C organisations, where tens or hundreds of millions of customer records are processed. There are two fundamental considerations here: scale and security.
Even for B2B SMEs, monitoring for breaches of their customer data may seem daunting, with thousands of uncorrelated records to consider. For larger B2C businesses, the sheer volume of data may prove prohibitive for many tools. Two techniques can help here.
Firstly, sampling data sets can provide a useful indicator as to whether a breach may have come from you.
Secondly, sample rotation and selection on specific criteria can also help – e.g. knowing that all of my customer emails in this set were also included in the historic Adobe breach, and so on.
Finally, watermarking data with synthetic identities can be a gamechanger. A breach of a synthetic ID provides positive proof that a breach came from your database. Adding different IDs to data shared with third parties and partners can alert you to data breaches instantly, and also tell you who was responsible. What’s more, by monitoring dedicated mailboxes, synthetic IDs can be used to detect inbound phishing attempts or other misuse before the data is posted publicly. This gives a vital head start for mitigation and compliance processes.
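As an added illustration (not code from the original article or from any vendor it mentions) of the two defender-side techniques above, the following Python assumes a constructed registry of one synthetic identity per partner (hypothetical partner names and canary addresses) and a constructed pair of credential dumps. It shows how a partner-specific canary attributes a leaked data set to its source, and how keyed fingerprints of already-seen credentials filter a recycled dump down to the genuinely new exposures, as the employee-data section describes.

```python
import hashlib
import hmac

# Constructed registry: one synthetic identity per partner that receives a copy of the
# customer data set. Each canary address routes to a dedicated, monitored mailbox.
CANARIES = {
    "partner-a": {"email": "c.holt.k3x@canary.example", "name": "Cara Holt"},
    "partner-b": {"email": "d.marlow.q9@canary.example", "name": "Dev Marlow"},
}

def watermark_export(records, partner):
    """Return the records to share with `partner` plus that partner's synthetic identity."""
    return list(records) + [dict(CANARIES[partner])]

def attribute_leak(leaked_emails):
    """Return the partners whose canary appears in a leaked data set (empty: not ours)."""
    leaked = {e.strip().lower() for e in leaked_emails}
    return sorted(p for p, c in CANARIES.items() if c["email"] in leaked)

class BreachDeduper:
    """Surface only exposures not already seen; seen credentials are kept only as keyed fingerprints."""

    def __init__(self, key):
        self._key = key
        self._seen = set()

    def fingerprint(self, email, password):
        msg = f"{email.strip().lower()}\x00{password}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def new_exposures(self, dump):
        """Return (email, password) pairs in `dump` not seen before, and record them as seen."""
        fresh = []
        for email, password in dump:
            fp = self.fingerprint(email, password)
            if fp not in self._seen:
                self._seen.add(fp)
                fresh.append((email, password))
        return fresh

# Constructed sample: a recycled dump that re-posts two old credentials and adds one new one.
OLD_DUMP = [("alice@corp.example", "hunter2"), ("bob@corp.example", "qwerty")]
NEW_DUMP = [("Alice@corp.example", "hunter2"), ("carol@corp.example", "letmein")]

if __name__ == "__main__":
    deduper = BreachDeduper(b"replace-with-a-secret-key")
    deduper.new_exposures(OLD_DUMP)
    print("new since last dump:", deduper.new_exposures(NEW_DUMP))
    print("leak source:", attribute_leak(["x@other.example", "C.Holt.K3X@canary.example"]))
```

Only the one credential that is genuinely new triggers a notification; the re-posted pair is recognised by its fingerprint, and the canary address pins the leak to partner-a.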
Further, comparing breached data sets with your own, and eliminating false positives, requires a massive back-catalogue of historical data. It’s not unusual for this cost and effort to be used as a key metric in ROI calculations and justification for using a Digital Risk Protection solution.
Searching the Dark Web and other shady parts of the internet creates additional risk for your staff and your business, with plenty of malware and illegal images waiting to trap the unwary. Unless your cyber function is very mature and comprises the kind of threat intelligence gathering expertise that comes from working in government or special forces, this really is best left to the experts.
It’s also important to ensure that any search terms that you transfer across to a Digital Risk Protection platform are kept secure, encrypted wherever they’re stored and transferred, and processed subject to a GDPR-compliant Data Processing Agreement – just like any other client data processing system.
Meeting such challenges is a cornerstone of Digital Risk Protection when monitoring for breaches of your customer data outside the castle moat. So, if this is an issue which is important to your business, ensure your solution provider has them covered so you can keep the hounds at bay.