Data breaches are at an all-time high, with the number of breaches almost doubling from 2022 to 2023. Most recently, CBS reported on a massive data breach that could likely contain the social security numbers (SSNs) of every US citizen. It’s a major leak of personally identifiable information (PII) and only adds to the amount of sensitive data, such as passwords and addresses, that has been leaked over the last decade.
Although it’s easy to think that leaked PII in data breaches might only put individuals at risk, organizations may not be aware that they’re also at risk. Hackers can leverage PII in multiple ways to infiltrate and harm your organization.
Ignoring data leaks containing PII can lead to your organization being blindsided by an attack. In this article, we’ll not only discuss the ways hackers can do this but also delineate the actionable steps you can take to protect your business.
The overwhelming quantity of data breaches that occur on a semi-regular basis means the only safe assumption is that your personal data is likely out there. As a result, people should act and take precautions as if their data has leaked.
The type of PII we can “safely” (no pun intended) assume is out there includes:
Savvy hackers can leverage any of this data to compromise organizations. For high-profile targets, they can even resort to direct extortion and threats of personal harm, as when hackers contacted the 5-year-old son of a security firm’s CEO to get him to pay them a ransom related to the firm itself.
Let’s look at three major areas of organizational risk resulting from PII.
Password reuse is rampant. A study conducted by Forbes Advisor discovered that 78% of Americans reuse their passwords for at least one account, and 29% of people use the same password for 5 or more accounts.
According to the same study, the most common type of breach is people having their passwords stolen from their social media accounts. Hackers will hunt data dump sites or purchase lists of stolen data on the dark web and immediately start trying these leaked passwords against online accounts.
To execute a more targeted attack, the threat actor needs only to do some minor research to discover to whom those credentials belong and where that person is employed. Instead of the “spray and pray” approach, where the hacker uses tools that automatically attempt log ins to various services, the hacker can try to log in directly to that person’s work email or other work-related resources.
Spear phishing can be far more effective using leaked information because it relies heavily on believability to be successful. Hackers can use leaked information to add credibility to their emails, whether those emails are directed at your organization itself or at your suppliers and customers.
Leaked information can also lead to various flavors of insider attacks. For example, a hacker might use PII to blackmail an employee into providing access to company data. Another example is when a hacker gains access to an employee’s account and then uses that to dive deeper into the network, possibly gaining access to privileged information. Although the employee is not malicious, such an attack is also considered an insider threat.
Leaked personal info can also be used for identity theft attacks. A hacker might use someone’s personal identity and SSN to run up massive credit bills, then blackmail the employee into divulging company secrets—for example, the hacker might promise to pay the debts if the employee exfiltrates company data.
CEO fraud occurs when a threat actor impersonates a CEO to extort funds from a business. Having the CEO’s email address makes this type of attack far more convincing.
BEC attacks refer to a similar attempt to extort funds but aren’t limited to only impersonating CEOs. Similarly, these attacks can be far more effective when the hacker has access to someone’s real email account.
The reverse can also be true. In this instance, a hacker uses an employee’s email address to convince a CEO to take action. Regardless of the attack type, leaked information is often a key element in facilitating these kinds of attacks.
Organizations can fortunately take several proactive steps to reduce their risk of falling prey organizationally to leaked PII.
Raising awareness is the first vital step to take, both at the executive and general staff level. Knowing what the risks are is the first step to defending against those risks. Awareness also plays a role in terms of being on top of recent data breaches and understanding how that may impact your company.
Support employee protection
To prevent insider attacks—not to mention saving your employees’ finances from ruin— it may be worth recommending to staff and executives that they proactively implement a credit or security freeze on their credit reports just to be safe. A credit freeze prevents a would-be hacker from running up massive debts in an employee’s name, which can then be used as leverage for an insider attack.
The barest minimum security precaution is to ensure your company follows authentication best practices, which include:
These protect against credential theft, brute force, and credential stuffing attacks, even if email and password combinations are known.
Policies should be implemented that make it extremely difficult to carry out CEO fraud or BEC attacks. For example, you can require multiple signatories for releasing funds. If such a policy would cause too much friction for day-to-day transfers, consider setting it up for transfers above a certain dollar value.
You should additionally enforce these policies using software so that it’s actually impossible to release funds without the necessary verification by all signatories.
Another software-enforced policy could be email security policies that flag suspicious emails.
You should proactively monitor data breaches and pay attention to any that might impact your employees. This would minimally be any large breach of a major organization, such as a social media company, massive telecommunications company, or a mobile service provider.
For smaller breaches, you could implement a reporting system that asks employees to disclose if their accounts have been hacked. You might consider offering incentives for such disclosure, such as free dark web monitoring. If any employee discloses a breach, you should, at the least, recommend they change their work passwords if they were reused.
Considering that CEOs and executives are high-value targets, it’s vital to work more closely and proactively with these to prevent CEO fraud, BEC attacks, and even direct blackmail and subsequent threats.
In addition to general awareness training, you should make executives aware of the specific risks related to them. These executives might need closer and more advanced security awareness training than the company-wide program.
You might also consider offering executives permanent dark web monitoring to immediately discover if their data has been leaked anywhere and have a response plan set up for them if/when their information is leaked.
The basics of protecting against PII-related cyberattacks are the same as protecting against any cyberattack—a robust, comprehensive cybersecurity program.
PII-related attacks highlight one of the most significant changes in modern approaches to cybersecurity—that malware and ransomware aren’t the beginning and end of current threats. These days, behavioral analysis, log analysis, and proactive monitoring are table stakes to help prevent security incidents.
A comprehensive cybersecurity solution would include:
Investing in such sophisticated cybersecurity in-house might be out of reach for many businesses, even some large enterprises. Threats are becoming more advanced each day, making it challenging for businesses to invest in sufficient resources to combat them.
Managed security services provide both a solution to the problem as well as some distinct advantages. A managed service provider is far more affordable, due to the economies of scale, and they’re more likely to invest in the latest tech and human resources and then divide those costs among their clients.
A managed security provider also has access to far more data than an in-house security solution, like which attacks might be on the rise within your industry, or even outside your industry. In this respect, the service provider can bring insight into potential risks sooner, giving you an advantage over threat actors.
In SolCyber’s case, we additionally offer strategic assistance in response and remediation, and extensive awareness training for employees and executives.
Considering the onslaught of attacks against businesses, including some even by foreign adversaries, it’s unfair to expect organizations to handle all their cybersecurity needs by themselves. As we move into this new era of increased cyber vigilance, the use of managed services that specialize in cybersecurity will become more prevalent, even by companies that already have in-house resources.
SolCyber is a managed security provider with a team of security professionals on hand to manage all aspects of cybersecurity, from detection to triage and response. We utilize cutting-edge technology but also ensure that humans are involved at every key step. SolCyber works with businesses of all sizes and has multiple security solutions to suit every business’s needs.
To learn more about SolCyber’s comprehensive security solutions, check out our website here.