Less than 10% of data breaches are made public
In 2020, ransomware groups ramped up their attacks against corporate networks to steal hundreds of gigabytes of confidential information from each of their victims. The stolen data is either released online, if a ransom is not paid, or auctioned off to the highest bidder. Ransomware extortion attacks against your company are unlikely to go unnoticed. Your employees will quickly report business interruption once their workstations have been infected and their files encrypted.
On the other hand, it might be tougher to detect breaches in partners, because they may be more hesitant to publicly share the news about a successful attack. This is often the case when businesses fear they could lose customers and partners or draw the attention of regulators. Significant fines have been imposed on companies that have failed to protect their customers’ and partners’ confidential information.
By analyzing over 1,000 companies that fell victim to ransomware extortion groups in the past six months, our threat intelligence team found that less than 10% of breaches are made public in news stories, press releases, and blog posts. While some of these companies are located in Canada, many of them are from the United States, Europe, and Australia. Generally, we found that companies which make their data breach public – or are outed by news stories – are larger, worldwide known companies such as Marriott hotels or public entities. Unfortunately, many data breaches that affect law firms and accounting companies go unreported.
Ransomware extortion attacks are rarely disclosed
Ransomware variants are among the top three most common types of malware. This has created news fatigue surrounding companies that get attacked by ransomware extortion groups. With so many successful attacks, news stories would be redundant if they had to report each new company that was successfully breached. That is the case even when the victim is well-known, or connected to a reputable public company.
The PIPEDA law in Canada, for instance, imposes strict guidelines for companies that are victims of data breaches. The Privacy Commissioner of Canada instructs companies to:
- Report to the Privacy Commissioner of Canada the breaches of security safeguards that involve personal information which pose a real risk of significant harm to individuals;
- Notify affected individuals, and;
- Keep records of all breaches.
Because these reports and notifications are private, it is more likely that data breaches will remain secret, or at the very least, not common knowledge.
Third-party breach detection
A previous investigation conducted on the dark web has revealed that smaller, more vulnerable companies are a preferred target for ransomware groups, due to their business partnerships with companies of more notoriety. These targets are chosen for their access to confidential data such as customer information, intellectual property, sensitive communication, and audit reports.
Based on our data, some 300 companies fell victim to ransomware extortion groups this summer. In the meantime, however, thousands of companies have been hit by over 15 ransomware groups. Each group has claimed more than 200 victims. According to our research, cybersecurity consulting firms, law offices, and accountants were among the top targets for ransomware extortion groups. Malicious actors are actively using clear web services such as Drop Me Files to distribute corporate files.
The data leaked from their servers include:
- Recordings of confidential conversations between executives;
- Contracts containing commercial secrets;
- Written C-level communication;
- Audits of security vulnerabilities and emergency plans;
- Business partners’ passwords and access tokens.
Not only do these documents have significant value, but they could seriously damage brand image and reputation, and may lead to fines and service interruption.
Protecting your company from third-party data breaches
The best strategy to protect your company against data breaches caused by third parties is to limit the quantity and the level of confidentiality of documents that leave your network. A third party cannot disclose critical information it does not have access to.
Another important strategy is to be aware of what type of information your partners could be collecting without your knowledge. For example, ransomware extortion leaks include audio recordings of phone calls that may have been recorded without your direct consent. Under the Criminal Code of Canada, phone calls can be recorded as long as one party on the call is aware that a recording is being made. Exceptions apply for specific cases. Your company should ask business partners what confidential information they are storing and how they are securing it.
Another method is to compile a list of all third parties you have shared confidential information with, at any given point in history. Add these names as identifiers in the Firework dashboard to alert you whenever the companies are mentioned in a ransomware leak. Our service indexes ransomware extortion group websites for mentions of your company’s name. Your digital footprint coverage could be extended by creating specific identifiers for each of your partners.
Judging by industry forecasts, the number of victims will continue to grow as we move to 2021. Take note of the above strategies to reduce your attack surface, and prevent damaging data leaks that affect your brand.