Confidential data theft becoming a major threat

In one of the biggest exposures of data breaches, over 700 million email addresses and nearly 22 million passwords were reportedly compromised last month

While many of us are aware of, or have even fallen prey to, cybercrimes such as data and identity theft, very few actually know the significance of the stolen information and its repercussions for companies’ operations.

Industry experts say while our identity may not be worth a lot in terms of dollars, it is a significant asset for criminals in multiple ways. Recent research by Moscow-based Kaspersky revealed that the bad boys can sell someone’s complete digital life for less than $50 - including data stolen from compromised social media accounts, bank inventories through remote access to servers or desktops and even from popular consumer services like Uber and Netflix.

“It is clear that data hacking is a major threat and this applies at both an individual and societal level,” said David Jacoby, senior security researcher at Kaspersky.

In one of the biggest exposures of credential stuffing incidents in history, more than 700 million email addresses and nearly 22 million passwords were reportedly compromised last month. Credential stuffing is a type of data breach where stolen account credentials, usually consisting of lists of usernames, email addresses and passwords are used to gain unlawful access to users' accounts. Data breach notification portal Have I Been Pwned (HIBP) - which allows users to ascertain if their personal information has been abused or not - exposed the huge breach, named Collection #1.

“Collection #1 is a set of email addresses and passwords totalling over 2 billion rows. It's made up of many different individual data breaches from literally thousands of different sources,” said Brisbane-based security researcher Troy Hunt, who runs HIBP.

The cache of emails and passwords in Collection #1 have been built up from numerous data breaches, across various countries, over a decade.

"There appears to be a disconcerting trend developing of combining historic data breaches and packaging them up for sale on the 'dark web', as was evidenced in Collection #1,” said Gavin Millard, vice-president of intelligence at US-based cybersecurity firm Tenable. The dark web is part of the internet that isn't visible to search engines and requires the use of an anonymising browser to be accessed.

As credential stuffing attacks are becoming increasingly more common, repositories like Collection #1 will be invaluable to criminals, said Mr Millard.

However, some companies have taken novel steps to try to thwart credential stuffing attacks against their users by obtaining the breached data themselves and cross referencing it against their own database.

“They [companies] can then warn users of password reuse or issue a password reset to ensure their accounts are protected from credential stuffing,” said Mr Millard.

For example, the California-headquartered Reddit - a social news aggregator, web content rating and discussion website - restricted some users from accessing their accounts and asked them to change their password after it detected unusual activity on the site last month.

The average cost globally of identifying and stopping a data breach is $2.1 million (Dh7.7m), compared to $3.5m in the Gulf Cooperation Council region, according to US researcher Gartner.

More than 300 cyber attacks were reported in 2017 in the GCC region, at least half a dozen resulting in data breaches. Cyber attacks can include system slowdowns and operational issues, while a data breach results in stolen information.

“Attacks like Collection #1 are increasing in sophistication, scope and magnitude … attracting talented and innovative hackers,” said Sam Blatteis, chief executive of The Mena Catalysts, which advises technology companies on policy and government affairs in the region.

Such attacks are fundamentally fostered by "policy problems" and these matter because there is a dirham-value assigned to them, stated Mr Blatteis, who is the former head of Gulf government relations and public policy at Google.

“Recent data breach attacks prove there needs to be a long overdue, understated wider conversation with platforms and governments about privacy and security in our region.”

Data theft was also among the top five global risks alongside natural disasters, cybercrime and climate change in the World Economic Forum’s Global Risks Report 2019.

The average cost of data breaches in the Arabian Gulf region’s two biggest economies – the UAE and Saudi Arabia – was $5.31m in 2018, a 7.1 per cent year-on-year increase, according to a study conducted by tech giant IBM Security and Michigan-based Ponemon Institute. This was second only to the US, which saw the highest total average cost of data breach at $7.91m.

IBM and Ponemon interviewed more than 2,200 IT, data protection and compliance professionals from 477 companies that have experienced a data breach over the past 12 months, before releasing this report in July last year.

The report also revealed that the UAE and Saudi Arabia collectively spent $1.47m on post data breach response - the second-highest after the US that spent $1.76m. Post data breach responses include help-desk activities, inbound communications, special investigative activities, legal expenditures, identity protection services and regulatory interventions.

The UAE’s digital footprint continues to be an attractive target for cyber attacks, said Rabih Dabboussi, senior vice-president at UAE-based cybersecurity firm DarkMatter. Its research has revealed that nearly 40 per cent of vulnerabilities identified were ranked "high" or "critical" in severity, indicating that many organisations face a significant risk.

“Of particular concern is the fact that a third of the 136,000 websites and systems linked to organisations in the UAE were hosted outside the country. This raises the question around data sovereignty and data protection,” said Mr Dabboussi.

DarkMatter’s report sheds light on the key steps that can make a big difference - for example, 93 per cent of those assessed operated systems with outdated software.

“We recommend that organisations promptly update and patch software, identify and remove non-standard software,” said Mr Dabboussi.

In the first half of 2018, the UAE witnessed one of the biggest data breaches of the decade when ride-hailing firm Careem admitted the theft of personal data of up to 14 million of its customers.

According to IBM’s report, organisations in Saudi Arabia and the UAE are most likely to experience a malicious or criminal attack globally (61 per cent). They are followed by France (55 per cent), US (52 per cent), Germany (51 per cent) and UK (50 per cent).

“Companies operating in this part of the world have fewer regulations, which may influence their security posture,” said the report, adding: “Criminals perceive these companies to have high-value information assets and IT infrastructures that are more vulnerable to attacks.”

Cyber experts say it is also important to stay vigilant of any phishing attempt where criminals try to extract confidential details such as usernames, passwords and bank information by masquerading as a legal entity in an electronic exchange of communication.

“Be very wary of any email purporting to relate to the breach - there is often a surge in phishing attempts related to high-profile breaches,” said Nick Shaw, vice president and general manager of Norton in Europe, Middle East and Africa.

“This cannot be emphasised enough - use strong and unique passwords for your accounts and devices, and update them on a regular basis - ideally every three months. Never use the same password for multiple accounts.”

Companies and individuals should also familiarise themselves with policies from retailers and online services that may request their banking or personal information and ensure they understand how to use sensitive data.

“As a best practice, visit the company's official website directly [as opposed to clicking on an emailed link] if you must share sensitive information,” advised Mr Shaw.

There is a direct correlation between how quickly an organisation identifies and contains data breach incidents and the financial consequences.

According to reports, the mean time to identify (MTTI) a data breach globally was 197 days in 2018, while the mean time to contain (MTTC) was 69 days. Companies that identified a breach in less than 100 days saved more than $1m as compared to those that took more than that.

“Data breaches can be motivated by money, 'hactivism' [using technology to promote a political agenda] and cyber espionage,” said Kalle Bjorn, director of systems engineering at Fortinet, a California-based developer of cybersecurity software.

The Middle East has been a front-runner in some of the new technologies that have been introduced in recent years, potentially making it more vulnerable.

“With these new technologies there are always risks associated if the security implications are not fully considered,” said Mr Bjorn.

Despite recent global data breaches, 78 per cent of UAE consumers have no qualms about sharing their data with retailers and other institutions, according to a report by professional services firm KPMG.

However, more than 50 per cent of global consumers expressed anxiety about identity theft, including hacking of financial, medical or other personal information.