September 11, 2017
8 minute read
Previously we introduced the concept of cloud leaks, and then examined how they happen. Now we’ll take a look at why they matter. To understand the consequences of cloud leaks for the organizations involved, we should first take a close look at exactly what it is that’s being leaked. Then we can examine some of the traditional ways information has been exploited, as well as some new and future threats such data exposures pose.
The most common type of information exposed in a cloud leak is customer data. This data differs from company to company, but there are usually some common factors involved:
Additionally, whatever information is specific to the company is also usually exposed. This can be financials for banks and investment groups, medical records for hospitals and insurers, and for government entities, customer information can include any number of sensitive documents and forms.
But customer information isn’t the end of the story. There are several other types of data that pose significant risk when exposed in a cloud leak. Corporate information can also be leaked. This can include:
The exposure of this type of information can hamstring company projects, give competitors insight into business operations, and reveal internal culture and personalities. The bigger the company, the more interest there is in this type of data.
But the most dangerous kind of company data to be exposed in a cloud leak are trade secrets. This is information crucial to the business itself, and its secrecy is what gives the business the ability to compete. Trade secrets can include:
Obviously this data is only advantageous when it is kept secret from competitors. Exposure of this type can be disastrous for a company, undoing years of research and work, devaluing the products and services the business provides.
Finally, analytics rely on large data sets comprised of multiple information sources for the purposes of revealing big picture trends, patterns, and trajectory. As powerful as analytics can be for informing business decisions, the data necessary to perform such analyses also is a vector of risk when exposed. Some data of this type includes:
This information is extremely powerful in its ability to understand individuals as a set of data points, and then predict with a high degree of accuracy other data points in relation. As abstract as this might sound, consider that this is the type of information gathered on voters that helps political campaigns persuade more effectively at scale.
Business is digitized. Anything that’s anything is some type of information, and that information can be leaked in the cloud without proper process controls in place. The examples above list some types of sensitive and dangerous information, but really everything is at stake. Any aspect of enterprise business (and personal life, for that matter) has its information set. When we say that cloud leaks are a business problem, we mean that information and technology are so critical to the modern enterprise, that their risks have become existential.
When examining the types of information above, some obvious threats probably present themselves right away. These vectors have been around for some time, and whether information is leaked through the cloud or obtained through a hack or phishing email, many of the consequences are familiar. We’ll take a brief look at how this type of information is commonly exploited, then move on to more sophisticated uses and what the future holds.
The first and most obvious example of a crime that exploits leaked data is credit card fraud. By ordering online, people pass their credit card details through the internet, and through the systems of whatever business they are patronizing. Much attention has been paid to the transaction process, and protecting the information as it crosses the internet, but far less has been given to what happens after the data is stored. As we saw in the last cloud leaks article, data is copied repeatedly for various purposes, and credit card data is no exception. Skimmers might get a hundred credit cards a day, but a database involved with a cloud leak could contain millions, and requires none of the effort of installing and configuring a malware skimmer.
Often those who get the data and those who use it are separate parties. An economy has grown around black market information trading, where data that has been breached is offered up for sale to the highest bidder on the darknet, using difficult to trace cryptocurrency such as Bitcoin. In this case, the information retrievers specialize in getting the data-- from an unsecured cloud instance, from a vulnerable database, through social engineering-- while the information purchasers specialize in using that information-- credit card schemes, SSN and identity fraud, spam and phishing operations.
Sometimes the exposed information is held over the company’s head, either for ransom, or simply to humiliate that company to the public. Ransomware attacks lock assets and data, but cloud leaks give that data away to anyone who’s looking. Activists looking to undermine a company with whom they disagree might find it advantageous to share their salary structure, internal communications, or business plans. Whatever the specifics, the fact is that cloud leaks give potential adversaries an incredible amount of leverage.
Aside from criminal actors, competitors could easily take advantage of information exposed in a cloud leak. Everything from customer lists to trade secrets give other companies access to resources and strategy. Competitive insight is something every company works on as part of their marketing operations, and information exposed in cloud leaks makes that insight much sharper.
We mentioned phishing attacks earlier on. The most effective phishing attack is known as spearphishing, because the fake email is laser focused on its recipient, using known information to better impersonate an authority figure or executive. The efficacy of phishing attacks depends on how convincing they are to the person reading them. Many, littered with typos and using strange formatting or HTML are quite easy to spot, but the best of them look real upon first glance. Information exposed in cloud leaks, especially psychographic data and other behavioral analytics, are exactly the kind of information to sharpen social engineering attacks, giving the attacker the ability to use information about a target that they otherwise shouldn’t know.
Personally identifiable information (PII) can be used for more than credit card fraud. Obtaining someone’s personal information and publishing it against their will is a practice known as “doxxing,” and it is done for various reasons, but always leaves the person being doxxed vulnerable to the predations of an unknown amount of anonymous people. In cases of political extremism, vendetta, harassment, or stalking, the exposure of PII can lead to actual harm against people. What makes cloud leaks especially dangerous is that they do not require any special technical skills to exploit-- simply go and get the data. This significantly widens the pool of potential discoverers.
When it comes to psychographic data, the potential uses are limitless. The very purpose of obtaining psychographic data is to better predict how people will react and to shape their reactions. Political campaigns use it to win votes. Businesses use it to win customers. Just given the normal use cases for these kinds of analytics, it’s easy to see how a motivated third party, another state or private business, could obtain this data through a cloud leak, and use the information to their ends. When an RNC contractor leaked the voter data of nearly every registered American voter, it wasn’t just a violation of privacy, but a new vector of possible manipulation.
Finally, cloud leaks throw a wrench into business operations by exposing unvetted information directly to the public. As we’ve seen, the information exposed in a cloud leak can have drastic consequences for companies and even governments. Disruptive attacks are not new; a denial-of-service attack seeks as its goal to simply prevent a resource from being used. Informational disruption is a new class of this type. When company information is exposed in the cloud, it presents an opportunity for that company to be derailed. The motives behind these attacks can be anything from activism to profit, but as with an extortion scenario, exposing this data to the world gives unknown third parties drastic leverage over business interests.
Asking why cloud leaks matter is a lot like asking why data matters. The answer is the same-- information gives people and organizations power. The inadvertent exposure of that data to the public gives others the opportunity to wield that power against the data’s owner. We outlined some of the known and possible manifestations of this; but however data is exploited, as long as our economy, our communications, and our society is digitized, data will be valuable. When it comes to customer data, the main reason cloud leaks matter is that data represents real individuals who often have to bear the repercussions of the leak. Companies who collect data and use it to improve their business have a responsibility to them to handle it carefully.