In a new hacking crime wave, much more personal data is being held hostage

Hackers are stealing customer and employee data and threatening to leak it publicly in a data extortion shift from ransomware attacks.


The cybersecurity world faces new threats beyond targeted ransomware attacks, according to experts at the recent RSA cybersecurity industry conference in San Francisco.

Joe McMann, head of cybersecurity services at Binary Defense, a cybersecurity solutions provider, said the new battleground is data extortion and companies need to shift gears to face the threat.

Traditionally, ransomware attackers encrypt (or delete) an organization's proprietary data and demand a ransom to restore it. McMann said hackers are now focusing instead on stealing customer or employee data and threatening to leak it publicly.

"By naming, shaming, threatening reputational impact, they force the hands of their targets," McMann said.

The International Data Corporation predicts firms will spend over $219 billion on cybersecurity this year, and McMann said cybercriminals constantly evolve their tactics.

Hackers shifted tactics after ransomware attacks drew an unwelcome level of attention from law enforcement and governments, and cybersecurity professionals became adept at decrypting or restoring encrypted data without paying. Instead of paralyzing hospitals and pipelines, he said, criminals changed gears to collect data and threaten companies with customer dissatisfaction and public outcry.

At the end of March, OpenAI documented a data leak caused by a bug in an open-source library it uses, which made it possible for some users to see the titles of other users' chat histories and, for some subscribers, payment-related information and addresses. The team patched the leak within hours, but McMann said once data is out there, hackers can use it.

Hackers looking beyond corporate devices

Chris Pierson, founder and CEO of Black Cloak, a digital executive protection company, said companies understand the growing threat of data extortion after public breaches. In the past year alone, he said Twilio, LastPass, and Uber all faced attacks that saw hackers targeting employees outside corporate security protection.

"For example, the LastPass breach saw one of four key individuals targeted on their personal computer, through a personal public IP address getting in through an unpatched solution," he said.

The hackers stole credentials "outside the castle wall environment, on personal devices," he said, using that data months later as a way into the corporate environment.

He said the advent of home offices accelerated employee targeting. As companies shifted to a digital-first way of working, employees naturally started working on personal devices.

Before the pandemic, Fortune 500 companies spent millions to secure corporate devices and buildings, but employees are not as well protected at home. "The moment an executive walks out of the building, uses their personal device or home network that they share with corporate devices, the attack surface changes," Pierson said. What's more, digital footprints are easy to find online, he said. "40% of our corporate executives' home IP addresses are public on data broker websites."

Pierson said it only takes one vulnerable device on a home network to open up the entire network.

Looking across the street at the RSA convention building filled with more than 45,000 industry attendees, Pierson said criminals always choose the path of least resistance.

"You don't have to go in through all the gear that's out here at RSA protecting the actual company; you go through the $5 of cybersecurity at home and get everything else," Pierson said. "Cybercriminals are targeting at a personal level because they know they can get the data, and there are no controls out there," he added.

New cybersecurity regulations

Cybersecurity has higher visibility this year, with phishing attempts and scam messages a daily occurrence for most people. And companies know that proposed SEC rules will add another layer of accountability.

When finalized, the rules would require public companies to disclose material cybersecurity incidents to investors within four business days and to disclose whether any board member has cybersecurity expertise. Though a Wall Street Journal survey found three-fourths of respondents had a cybersecurity director, Pierson said companies were at RSA looking for advice.

McMann said companies should focus on the simple fixes first and not worry about AI chat breaches if they aren't using two-factor authentication on personal accounts. Criminals will first try older methods like ransomware before moving on to new ones.

He said practicing for cyberattacks has become as important as any other emergency drill. On a positive note, McMann said the success of cybersecurity professionals is why criminals are looking for new modes of attack.

"If you don't have your operations streamlined and effective, if you don't have good people and processes in place, don't worry about the other stuff," he said. "There's a lot of fundamentals that get skipped."
