What leaking data can cost your business!

Do you believe your company has nothing to hide?

Author: F-Secure Business Security Insider
Date: 18.03.2015
Read Time: 4 Minutes

Do you believe that your company has nothing to hide? Think again. Every company and its employees have things to hide that no one else needs to know. Personal information about a single employee can and, in many cases, will threaten the security of the company as a whole. While we have repeatedly countered the argument that people don’t have anything to hide and can comfortably ignore the privacy threats on the Internet, we feel it is important to give some real-life examples to show why this attitude is unwise and can cost companies money.

Online scams have been used for years to funnel money to third parties. A key challenge for any scammer in gaining access to a person and then to a company is to be trustworthy in the eyes of the victim. And this is where your data enters the picture. I have written a story about how a scammer can be more convincing if he knows your travel plans. For the present, however, let’s cover a more business-oriented case.

A controller at a firm in Omaha, Nebraska, received emails from the CEO asking him to make a series of money transfers to China, and he transferred a total of $17.2 million. Yes, you guessed it. The sender of those emails was not the CEO, and a scammer made a nice profit by gaining trust and access to this employee.

Naturally, the obvious lesson we learn in both these cases is that email isn’t trustworthy. Email in itself does not provide any kind of sender authentication. The sender’s address and contact details are easily faked. Authentication of the other party must rely on the mail contents, a cryptographic signature or information that only the perceived sender can know. And this leads us to the less obvious lesson we can learn here.

It looks like the Omaha scammer had information about the victim and, in this way, was able to find his way behind the walls of the company. A lot of this information is freely available on the net and on social media.

He knew who could handle money transfers. He also knew that the CEO had some business in China, which made the transfers sound legit. He probably also knew that this person didn’t meet the CEO face to face on a daily basis as that would have ruined the scam. Part of this info is publicly available, like the name of the CEO. We don’t know how he got hold of the rest, but it is obvious that it helped the scammer.

So, here we have an excellent example of how criminals can utilise tiny grains of info to scam huge piles of money. But what should this Omaha company have done differently? The controller should have called the CEO to verify the transactions. It is mandatory to be able to reach out to key people in a company to verify information when it comes to any kind of sensitive data. The company should analyse what info the scammer had, and renovate their security policies.

These measures are the same ones that private individuals should perform. Learn to think critically when someone approaches you by email and verify the sender, if in doubt. Also guard all your data to make this kind of targeted attack as difficult as possible. This goes for private data (which could expose information to the scammer that makes him appear trustworthy) and, of course, the same goes for company data. Close all of the security gaps and make sure that transactions are checked before they are sent, and make sure that data about key employees is not available for outsiders.
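The two points above, that the From header of an email proves nothing about who sent it and that a transfer request should be checked before the money leaves, can be turned into a simple screening step in front of the people who handle payments. The following is an added example, not F-Secure's code and not anything the Omaha company used: it parses raw messages, flags the header patterns a CEO-impersonation request typically shows (an executive's display name on an address that is not theirs, a lookalike or external domain, a Reply-To that diverts replies elsewhere), and decides whether the request must be confirmed by a phone call before it is acted on. The executive directory, company domain, threshold and the two sample messages are constructed for the example; real cryptographic verification (DKIM or S/MIME) is outside its scope.

```python
"""Screen inbound payment-request emails before a transfer is made.

Added example (not F-Secure's code). The idea is the article's: email carries
no sender authentication, so a request to move money is only trusted after
it is verified out of band. This module does the cheap header checks and
returns whether a callback to the supposed requester is required.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives who may legitimately request payments.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
COMPANY_DOMAIN = "example-corp.com"          # constructed
CALLBACK_THRESHOLD = 10_000                  # constructed policy value
LOOKALIKE_MAX_EDITS = 2                      # domains this close are treated as impersonation


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as c0rp/corp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(raw_message: str, amount: float) -> dict:
    """Return header findings and whether an out-of-band callback is required."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # An executive's name on an address that is not the one we have on file.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with unexpected address {addr}")

    # Sender outside the company, or on a domain that merely looks like ours.
    if domain and domain != COMPANY_DOMAIN:
        if _edit_distance(domain, COMPANY_DOMAIN) <= LOOKALIKE_MAX_EDITS:
            findings.append(f"lookalike domain {domain} impersonates {COMPANY_DOMAIN}")
        else:
            findings.append(f"external sender domain {domain}")

    # Replies silently routed to a different mailbox than the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # Policy: anything suspicious, or any large amount, is confirmed by phone
    # using a number from the internal directory, never one from the email.
    callback_required = bool(findings) or amount >= CALLBACK_THRESHOLD
    return {"callback_required": callback_required, "findings": findings}


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Invoice 4711

Please pay the attached supplier invoice.
"""

SCAM = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: ceo.jane.doe@webmail.example
To: controller@example-corp.com
Subject: Urgent wire

I am in meetings all day, please wire the funds today.
"""

if __name__ == "__main__":
    for label, raw, amount in (("legit", LEGIT, 500), ("scam", SCAM, 25_000)):
        result = screen(raw, amount)
        print(label, result["callback_required"], *result["findings"], sep="\n  ")
```

The decision is deliberately one-sided: a clean header set does not make a request safe, it only means the amount rule decides, which is why large transfers always go to the phone regardless of what the headers say.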

The company mentioned in this example responded by firing the controller. While that is one option for handling a security breach, ensure that such a leak cannot happen to you and your company. Make sure to check everything before taking orders for granted. If you don’t, any leaked data can cost your company money. Also be wary of what data you share on the web, because this information could also be very revealing and make your privacy vulnerable and attackable.

Was it right to fire the controller? Hard to say. Part of the responsibility naturally lies with the one who was gullible enough to trust an email. However, it also depends on whether the company had proper rules in place for validating transfer requests. Did he break any concrete rules when sending the money? If he didn’t, then the company is responsible, too.

Safe surfing,
Micke
