1.1 Loss of data
This section is part of the amber and green pathways.
Data loss can mean several things ranging from the destruction and deletion of data, to making unauthorised copies that are no longer under your control.
Data can be stolen by people who have direct access to a computer, such as by copying data to a flash memory drive, and also by attackers gaining access over a network connection.
The hardest attack to defend against is when an attacker has direct access to a computer, especially in an organisation where many people might have access to a single computer, and one, or more, of them might not have the organisation’s best interests at heart. Security risks posed by employees (or ex-employees) of an organisation to their employers are known as insider threats.
The Ponemon Institute, in its Global Threat Report 2020, mentions that in the last two years, insider threats have increased by 47%, from 3,200 in 2018 to 4,716 in 2020. The cost of these incidents has increased by 31%, from $8.76 million in 2018 to $11.45 million in 2020. Incidents due to carelessness and negligence (62% of the total incidents) cost an average of $307,111 per incident, while the cost of an incident due to malicious insiders stealing credentials was $871,686 – almost triple. These costs are averages across the entire industry. The actual numbers depend upon the size of the organisation and the industry it belongs to.
Case study: Stealing data
In 2019, a GitHub user alerted Capital One (a credit card issuer and bank operator in the USA) that it had possibly been attacked and its data breached. Ms. Paige Thompson was arrested in connection with the online breach.
The data of 106 million individuals – 100 million in the US and 6 million in Canada – included names, addresses and phone numbers of people who applied for Capital One’s products. 140,000 social security numbers and 80,000 linked bank account numbers in the US and close to a million social insurance numbers in Canada were compromised. Individual credit scores, limits, balances, payment history and contact information were compromised. Credit card account numbers were not accessed and investigating agencies confirmed that the information from the breach was not used to commit fraud.
The attacker exploited a vulnerability on a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with Amazon Web Services (AWS). The formal term for such an attack is ‘Server Side Request Forgery’ (SSRF): a server (the WAF at Capital One) is tricked into running commands that it should not. These commands could permit the attacker to navigate the file system and access the files and data there.
The case of Anthony Levandowski is one of the more significant insider attacks. It involved not just the copying of data, but the theft of another entity’s intellectual property, and therefore of the market standing and revenues that it would have earned.
Case study: Anthony Levandowski
Anthony Levandowski was a lead engineer at Waymo, Google’s self-driving car project. In 2016, he left Waymo at Google and founded a startup named Otto to develop self-driving trucks. Otto was acquired by Uber, and Levandowski headed Uber’s self-driving department. Google discovered in the meantime that, a month before he left Google, Levandowski had accessed the server where the intellectual property documents were stored, downloaded about 14,000 files and copied them to an external drive. He had then deleted all traces of it.
Access to the intellectual property server wasn’t monitored, nor was Levandowski’s access to it. The download went undetected until it was investigated.
Waymo was able to prove the theft of trade secrets and get $245 million compensation from Uber, and a commitment from them that the stolen information would not be used to develop their hardware or software.
In August 2020, the courts ordered Levandowski to pay $757,000 in restitution to Google, $179 million to Waymo for illegally poaching their engineers, and a fine of $95,000. He was sentenced to 18 months in prison (to be served at a later date due to the COVID-19 pandemic).
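The case study notes that access to the intellectual property server was not monitored. The following Python code is an added example, not part of the original course material: it flags a user whose number of distinct files read in one day far exceeds that user's own earlier daily median. The log format, user names, paths and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed (constructed) log format: "<ISO timestamp> <user> <action> <path>"
def parse_line(line):
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path.strip()

def daily_distinct_files(lines):
    """Map user -> {date -> set of distinct paths read that day}."""
    per_user = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        if action == "READ":
            per_user[user][ts.date()].add(path)
    return per_user

def flag_bulk_access(lines, factor=10, min_files=100):
    """Return (user, date, count, baseline) for each day whose distinct-file count is
    at least min_files and more than factor x the median of the user's earlier days."""
    alerts = []
    for user, days in daily_distinct_files(lines).items():
        history = []
        for day in sorted(days):
            count = len(days[day])
            baseline = median(history) if history else 0  # no history: baseline 0
            if count >= min_files and count > factor * baseline:
                alerts.append((user, day.isoformat(), count, baseline))
            history.append(count)
    return alerts

def build_sample_log():
    """Constructed sample: two engineers with normal activity, then one bulk day."""
    lines = []
    for day in range(1, 6):
        for user, n in (("eng_a", 12), ("eng_b", 8)):
            for i in range(n):
                lines.append(f"2024-03-{day:02d}T10:{i:02d}:00 {user} READ /ip/doc_{i:04d}.pdf")
    # eng_b reads 1,400 distinct files in one evening (constructed bulk download)
    for i in range(1400):
        lines.append(f"2024-03-06T22:{i % 60:02d}:{i % 60:02d} eng_b READ /ip/doc_{i:04d}.pdf")
    lines.append("2024-03-06T10:00:00 eng_a READ /ip/doc_0001.pdf")
    return lines

if __name__ == "__main__":
    print(flag_bulk_access(build_sample_log()))
```

A user with no earlier history is compared against a baseline of zero, so a first-day bulk read of `min_files` or more is still flagged.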
The site publishes lists of the largest breaches and the most recent breaches at the bottom of its home page. The origin of the term ‘pwned’ is mentioned in the FAQ on the website.
Next, you’ll find out about the risks of data loss.