Welcome to our monthly Cybersecurity Newsletter! Throughout the year, we’ll keep you updated on the latest threats with a review of high-profile breaches and security news across the sector.
Three security incidents over the last couple of months have caught my attention, each highlighting the importance of operations in maintaining information security.
PSNI – sensitive information leak
The first incident was the leak of highly sensitive information by the Police Service of Northern Ireland (PSNI) in August, following a request made under the Freedom of Information (FOI) Act by a member of the public: “Could you provide the number of officers each rank and number of staff at each grade?”
The banal nature of this request and the subsequent action taken – posting a spreadsheet online – don’t measure up to the seriousness of the leak. Highly sensitive Personally Identifiable Information (PII) – the names, addresses, rank and location of police officers and civilians employed in the PSNI – was inadvertently published online on the website ‘What Do They Know’. The significance of this cannot be overstated: 10,000 people’s lives are affected, and some now fear for their safety.
While the mistake was quickly recognised, and the document taken down from the website, the damage was done. The data cannot be unseen – countless copies will have been made with some now in the hands of terrorist organisations.
It’s important to recognise that this was not a data breach. No hacker infiltrated the digital defences of the PSNI. Rather, an employee posted a simple spreadsheet, providing the requested information. The tragedy was that the spreadsheet also contained incredibly sensitive additional information, resulting in a data leak on an industrial scale.
What’s the impact?
While the exact details of what happened are not available, it’s easy to understand how data was overlooked. Hidden worksheets within a spreadsheet (or hidden rows and columns) can hide massive amounts of additional information if someone isn’t familiar with the document.
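A pre-release check for the hidden worksheets, rows and columns described above can be automated. The sketch below is an added example, not a tool used by any organisation named here; it reads the raw parts of an .xlsx package with the Python standard library, and the function names and the sample workbook (sheet names included) are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
TRUE = ("1", "true")  # xsd:boolean spellings used by OOXML attributes

def audit_xlsx(data: bytes) -> list:
    """List hidden sheets, rows and columns found in an .xlsx package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        book = ET.fromstring(pkg.read("xl/workbook.xml"))
        for sheet in book.iter(f"{{{MAIN}}}sheet"):
            state = sheet.get("state", "visible")  # hidden / veryHidden
            if state != "visible":
                findings.append(f"sheet '{sheet.get('name')}' is {state}")
        parts = sorted(n for n in pkg.namelist()
                       if n.startswith("xl/worksheets/") and n.endswith(".xml"))
        for part in parts:
            root = ET.fromstring(pkg.read(part))
            rows = [r.get("r") for r in root.iter(f"{{{MAIN}}}row")
                    if r.get("hidden") in TRUE]
            cols = [f"{c.get('min')}-{c.get('max')}"
                    for c in root.iter(f"{{{MAIN}}}col")
                    if c.get("hidden") in TRUE]
            if rows:
                findings.append(f"{part}: hidden rows {', '.join(rows)}")
            if cols:
                findings.append(f"{part}: hidden columns {', '.join(cols)}")
    return findings

def build_sample() -> bytes:
    """Constructed package holding only the parts the audit reads."""
    ws = f'<worksheet xmlns="{MAIN}">%s</worksheet>'
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{MAIN}"><sheets>'
            '<sheet name="Headcount" sheetId="1"/>'
            '<sheet name="Source data" sheetId="2" state="hidden"/>'
            '</sheets></workbook>',
        "xl/worksheets/sheet1.xml": ws % '<cols><col min="3" max="4" hidden="1"/></cols>'
            '<sheetData><row r="1"/><row r="2" hidden="1"/></sheetData>',
        "xl/worksheets/sheet2.xml": ws % '<sheetData><row r="1"/></sheetData>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_xlsx(build_sample()):
        print("REVIEW BEFORE RELEASE:", finding)
```

An empty result covers only these three cases, so it supplements a manual review of the file by someone who knows the data rather than replacing it.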
The reality of our online world today is that data has become a highly dangerous substance, requiring specialised treatment by people who understand how to handle it: in many ways no different from handling dangerous chemicals. As if to reinforce the point, Norfolk and Suffolk Police have also admitted that PII has been leaked in response to FOI requests over an eleven-month period from April 2021 to March 2022, describing the cause as a “technical issue”.
Attacks on MGM Studios and Caesars Entertainment
The other two incidents that grabbed the headlines are the recent attacks on Caesars Entertainment and MGM Studios.
The Caesars attack resulted from a hack of one of its IT support vendors. The hackers conducted a social engineering attack, which requires convincing someone to provide account details either via email (phishing), or on a telephone (vishing). As a result of the attack, Caesars is reported to have paid $15M to the attackers for a commitment that the stolen data will not be leaked, hoping to guarantee the confidentiality of their clients’ data.
A cyber-criminal gang known as Scattered Spider has claimed responsibility for the MGM attack, utilising a ransomware-as-a-service malware package, available through the dark web for a fee. What makes Scattered Spider infamous is that they’re a UK/US-based cyber-criminal gang, with many of their members being in their teens or early twenties.
Scattered Spider also utilised a social engineering attack, gaining access to the MGM IT systems through a call to an employee whom they had researched through social media feeds, and then to the IT support team, convincing them to hand over login credentials (presumably for the employee). As a result, MGM’s operations came to a near standstill and the company had to implement manual processes at its resorts and hotels.
A colleague of mine describes cybersecurity as the technical arm of Information Security: the protection of all information in an organisation, whether it be stored digitally or on paper.
While cybersecurity is the protection of digital information (and the protection of the computer systems that transmit, process, and store it), information security extends that definition to how we handle that information, whether it be digital or on paper. To be effective, this needs to include rules and procedures for what we do with the information: where we store it, and how we communicate it to the wider world, or provide guard rails to ensure that we don’t.
The PSNI case illustrates how easy it can be to leak data. Addressing this requires well-understood and repeatable processes, which can help to eliminate careless mistakes. For example, over many years the airline industry has developed detailed checklists that minimise the risk of accidents, both on the ground and in the air. Complex manufacturing processes do the same.
Yet for many organisations, the handling of data is an almost ad-hoc process. One organisation I worked with used online templates to communicate with clients. However, with no defined process, rather than downloading a unique copy of the template for use with a client, some employees would fill in the template with the client’s data, and then send that out. The next time someone used the template it would be sent out containing PII from the previous client. While this had not led to a major breach, it was a continual source of minor information security incidents.
The MGM attack appears to have started with someone in IT being conned into providing login details by someone able to impersonate an employee. Again, operational procedures should make it clear that login details cannot be handed out like this. But the amount of information that many of us post online explains how easy it might be for an attacker to convince the IT team that they work for the company.
Cybersecurity is a technically complex subject. However, the above examples illustrate the much more general information security related risks companies take when handling sensitive data. Data leaks and attacks such as these reinforce the need for organisations to understand what it is they need to protect, how and where it is stored, and most importantly how it should be handled: whether it’s Personally Identifiable Information (PII) or login and password IDs.
It may be a tired trope, but the reality is that employees do represent the weakest link, highlighting the need for continual discussion and training about Information Security. It needs to become part of the daily lexicon of the business at all levels.