Mike McKee
The Case of the Missing Data

The latest twist in the Equifax breach has serious implications for organizations.

When the Equifax breach — one of the largest breaches of all time — went public nearly a year-and-a-half ago, it was widely assumed that the data had been stolen for nefarious financial purposes. But as the resulting frenzy of consumer credit freezes and monitoring programs spread, investigators who were tracking the breach behind the scenes made an interesting discovery.

The data had up and vanished.

This was surprising because if the data had, in fact, been stolen with the ultimate goal of committing financial fraud, experts would have expected it to be sold on the Dark Web. At the very least, they would have expected to see a wave of fraudulent credit transactions.


CNBC recently published an article that takes an in-depth look at what exactly happened to the credit, Social Security, and other sensitive data of 143 million people after it was stolen. The deeper the threat hunters have gone down the rabbit hole of this story, the more convinced they have become that the motive was actually even more sinister than pure financial gain.

In essence, security experts most familiar with this breach believe that a nation-state — likely China or Russia — stole the data in order to suss out current spies and pick out potential targets they could recruit as spies.

It's the latter part that should concern organizations in the US and beyond. While the complex spy scheme sounds like something out of a movie, it actually has serious, real-world implications.

The Rise of State-Sponsored Threats 
State-sponsored actors have become one of the biggest threats to information assets worldwide. They increasingly target businesses, universities, and other organizations with sophisticated tradecraft designed to steal confidential information, and the result can be massive data and revenue loss.

People have many different motives to spy on behalf of a foreign government. The vast majority of malicious insiders act out of financial greed, but other motivations include anger, ideology, patriotism, and organizational conflicts. The news has been full of employees charged with working on behalf of a foreign government. Most recently, Chinese-born scientist You Xiaorong was accused of using her employment at Coca-Cola to steal trade secrets, with the intent to set up a competing venture in China and win a reward from a Chinese government-backed program. Apple also has come under fire, with two employees charged in the past year with stealing self-driving car project secrets.

Power-hungry executives are a major target for state-sponsored recruitment, along with employees who may be suffering from financial problems. Such people can be lured into handing over secrets in return for money or power, anything from credentials to highly confidential documents and trade secrets. If nation-state operatives hold enough personal data to spot financial instability, they can pick out the individuals most likely to be turned, especially those who can be converted for monetary gain.

Are There Spies in Your Organization?  
As more employees become targets for spy recruitment, it is more important than ever for businesses to put defenses in place before it is too late.

However, the reality is that most organizations do not have much visibility into what their employees and other insiders are doing with valuable company data. One study found that 42% of organizations rely on server logs to detect threats. These are very difficult to parse and rarely provide sufficient context to indicate that an employee may be conducting malicious activity. The study also found that only about a quarter of organizations use keylogging or session recording, while 8% admit they have no visibility at all into employee activity.

These gaps can leave organizations open to some major risks. Criminal insider incidents can have serious financial repercussions – to the tune of an average annualized cost of $2.99 million, according to a recent Ponemon report. Many organizations simply can't recover from the financial loss and reputational damage that an insider incident can bring.

Security teams' lack of visibility into insiders' actions also poses a massive security risk to organizations. With the Equifax breach's true implications becoming increasingly clear, it has never been more important to understand what actions users are taking related to sensitive corporate data and systems. In particular, organizations should aim to gain visibility into all employee activities, especially when they are related to:

  • Unauthorized cloud storage or large file-sending sites
  • Disposable or temporary email clients
  • USB storage devices and other removable media
  • Clipboard copy/paste and cut/paste operations, and large print jobs

These are just a few examples of user activities that, when put into context with the specific types of data in play and other factors, can shed valuable light on potential malicious employee activity.
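To make the visibility gap concrete, here is a small correlator that turns the activity categories listed above into per-user risk indicators and then looks for users who trip two or more of them inside a 24-hour window, which is the kind of context the raw server logs mentioned earlier rarely provide on their own. This is an added illustration, not code from the article or from ObserveIT. The log line format, the domain watchlists, the size and page thresholds, the 24-hour window and all user names and hosts in the sample log are assumptions constructed for the example.

```python
"""Correlate insider-risk indicators from endpoint/proxy log lines.

Added example, not ObserveIT's or the article's own code. Log format,
watchlists, thresholds, window size and the sample log are all assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical watchlists: a real deployment derives these from its own policy.
UNSANCTIONED_CLOUD = {"dropbox.com", "wetransfer.com", "mega.nz"}
DISPOSABLE_MAIL = {"guerrillamail.com", "10minutemail.com"}
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024   # assumed threshold: 50 MiB
LARGE_PRINT_PAGES = 200                 # assumed threshold
WINDOW = timedelta(hours=24)            # assumed correlation window


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str      # "web", "usb", "print" or "clipboard"
    detail: str    # destination host, device name, print job or clipboard label
    size: int = 0  # bytes for web/usb, pages for print


def parse_line(line: str) -> Event:
    """Parse one constructed line of the assumed format:
    2019-03-01T09:15:02 alice web dest=dropbox.com bytes=73400320
    """
    ts, user, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    detail = (fields.get("dest") or fields.get("device")
              or fields.get("job") or fields.get("label", ""))
    size = int(fields.get("bytes", fields.get("pages", 0)))
    return Event(datetime.fromisoformat(ts), user, kind, detail, size)


def _on_list(host: str, watchlist: set) -> bool:
    """True if host equals or is a subdomain of any watchlisted domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in watchlist)


def indicators(ev: Event) -> list:
    """Map a single event to zero or more named risk indicators."""
    hits = []
    if ev.kind == "web":
        if _on_list(ev.detail, UNSANCTIONED_CLOUD):
            hits.append("unsanctioned_cloud")
            if ev.size >= LARGE_UPLOAD_BYTES:
                hits.append("large_upload")
        if _on_list(ev.detail, DISPOSABLE_MAIL):
            hits.append("disposable_email")
    elif ev.kind == "usb":
        hits.append("removable_media")
    elif ev.kind == "print" and ev.size >= LARGE_PRINT_PAGES:
        hits.append("large_print_job")
    elif ev.kind == "clipboard" and ev.detail == "confidential":
        hits.append("clipboard_confidential")
    return hits


def correlate(lines: list) -> dict:
    """Return {user: set_of_indicators} for users who show two or more
    distinct indicators within any WINDOW-sized span of their own events.
    A single indicator on its own is deliberately not enough to flag."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        for ind in indicators(ev):
            per_user[ev.user].append((ev.ts, ind))
    flagged = {}
    for user, evs in per_user.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            window = {ind for t, ind in evs[i:] if t - t0 <= WINDOW}
            if len(window) >= 2:
                flagged[user] = flagged.get(user, set()) | window
    return flagged


# Constructed sample log: alice uploads a large file to an unsanctioned cloud
# service and then mounts a USB drive the same morning; carol uses a disposable
# mail host and, nearly two days later, prints a large job (outside the window).
SAMPLE_LOG = [
    "2019-03-01T09:15:02 alice web dest=dropbox.com bytes=73400320",
    "2019-03-01T11:40:10 alice usb device=SanDisk_Ultra bytes=2147483648",
    "2019-03-01T13:05:55 bob print job=Q1_forecast.pdf pages=12",
    "2019-03-01T16:20:31 carol web dest=mail.10minutemail.com bytes=4096",
    "2019-03-02T08:02:14 bob web dest=sharepoint.example.com bytes=5242880",
    "2019-03-02T09:30:00 dave clipboard label=confidential bytes=120000",
    "2019-03-03T10:00:00 carol print job=customer_list.xlsx pages=450",
]

if __name__ == "__main__":
    for user, inds in correlate(SAMPLE_LOG).items():
        print(user, sorted(inds))
```

Run against the sample log, only alice is flagged (unsanctioned cloud upload, large upload, removable media within 24 hours); carol's two indicators fall outside the window and dave's single clipboard event never reaches the threshold. The point is the correlation step: each line on its own looks like routine activity, which is exactly why a pile of server logs without per-user context tells a security team so little.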

Given the likelihood that we will see some major spy-recruitment efforts take place over the coming years, any business that stores or handles sensitive data should have full visibility into exactly how all employees are using organizational data. It might sound like the plot for a good movie, but when it's valuable company or customer data on the line, the ending could be very unpleasant.


Mike McKee brings 20-plus years of cross-functional, global experience in technology to ObserveIT. Previously, he led the award-winning Global Services and Customer Success organizations at Rapid7, served as senior vice president, CAD Operations and Strategy, ...