May 1, 2020

CSG Law Alert: The Life of a Data Breach: The "Gift" That Keeps on Giving

You are in a fantasy football league registered under your email and your password. Unbeknownst to you, however, the league’s site has been breached, and access credentials have been stolen.  The site discovers the breach, investigates the breach, and gives notice to impacted individuals.

If you are lucky, the time frame from when the original breach occurred and when you receive notice is 60 days;  more likely it will be a longer time frame – potentially 18 months or longer.  In the meantime, because you reuse your password for multiple accounts, the bad actor that compromised the fantasy league site has already used your password to access your Gmail or AOL account, reset your password, and has logged into your bank account and drained your funds.

Sound like a bad made-for-TV movie or detective show episode?

Sadly, the scenario outlined above is true and happened to a gentleman in Texas, and was shared during a recent InfraGard ¹ webinar.

Recent studies have shown that more than 59% of people use the same password for multiple accounts.  So, consider our fantasy league player.  If he was one of those people, he could have had many accounts compromised.  And if that player works for your company, and the player’s business email is posted on your website, now that bad actor has the ability to compromise YOUR work environment even though your systems were not otherwise breached.

And bad actors often work with each other.  So the actor that compromised the fantasy league likely shared the stolen credentials on the dark web.  Then, if another bad actor wanted to acquire those credentials and repurpose them to compromise others, consider this: another bad actor could use this data to compromise the player’s social media accounts.  Contacts could be acquired and the conversations with those contacts could be monitored.

Now, I know the player’s friends, his favorite teams, and his manner of “speech”.  I can now contact his contacts, invite them to a game, and have them Venmo funds for tickets to a game we will never go to together.

Sound far-fetched?  There are instructional YouTube videos and other resources to teach a would-be bad actor how to repurpose and exploit credentials purchased on the dark web.

In the meantime, back to your work environment.  Your player is in fact part of your R&D department, and one of the bad actors that has purchased his credentials is now exploiting your new, yet to be applied for patent formulations and selling them to your competitor.

All this is happening while your player still has not been notified of the original breach of the fantasy site, because the site is still undertaking its investigation. And even if the player did receive notice, it may not have occurred to him that his work account credentials could be at risk. After all, his Gmail account is not the same as his work email….

Of course, if your player shares his computer with his spouse or children, their contacts and accounts can now be compromised and exploited, too.

500 days later, the number of people compromised because of the compromise of only one person’s credentials has grown exponentially; and the number of bad actors exploiting these people and their accounts has similarly grown exponentially.

So…. with all these potential exploits and compromises arising from just one breach, what can you, your employees and contacts do?

There are several basic, layered defensive measures which can be implemented cost effectively.

• Do not use passwords for multiple accounts
• Do not recycle passwords
  • Some people use the same 5 passwords in rotation
• Do not store passwords on your computer (especially in a file called “Passwords”!)
• If you get notice of a breach, IMMEDIATELY change ALL of your passwords for all your accounts (not just the account that was breached) AND alert the owners of accounts on which you used those credentials so that they can determine whether those credentials have been used to compromise their environments
• Implement multifactor authentication
  • NOTE!  For our player, email notification² of a token would not have prevented his financial breach, as his email account was already compromised
• Implement monitoring of use of credentials
  • An employee who works 9am to 5pm should not have activity on your systems with those credentials at 2am on Saturday
• Ask your third party account relationships (banking and other) what measures they have available to prevent bad actors from exploiting compromised credentials
• Check your credit report and register to receive alerts

While compromises may still happen, implementing both manual and automated defensive measures and educating yourself, your personnel and your contacts will make you, your accounts and your systems a less desirable target.  Remember, the burglar standing in front of your house and your neighbor’s house will choose to rob the house without the barking dog. 

Be proactive, educate personnel and be secure.

¹ InfraGard is a public-private partnership between the FBI and the US business community.

² Tokens received by text, while harder to compromise, could be compromised if a sim card had been swapped out.  That said, unless you are a high level target, it is unlikely a bad actor would go to such lengths to compromise your accounts.