The big breach news of the day is that an unidentified hacker threatened to expose a large stash of employee data allegedly stolen from the US public service…
…and then followed up with a “proof of concept” leak of 9000 Federal employees from the Department of Homeland Security (DHS).
By leaking what seems to be a subset of their data, hackers hope to convince the wider world that they really do have the giant stash they’re claiming, while keeping the bulk of the data up their sleeves for later.
Coming next, said the hacker, would be a 20,000-strong database of Federal Bureau of Investigation (FBI) employees.
Apparently, that FBI data has now been leaked as well.
Online IT site Motherboard says it acquired the leaked DHS data before it was made openly public, and by calling some of the phone numbers in the database, decided that it was probably genuine.
Additionally, Motherboard claims it was contacted by the hacker today via the email account of a Department of Justice staffer who was allegedly the “way in” for the hack.
The hacker apparently hasn’t yet said how he tricked the employee in question, but it’s not hard to imagine that, if true, some sort of spear-phishing was involved.
PHISHING AND SPEAR-PHISHING
Phishing is where you send out links or attachments in believable-looking emails in the hope that someone will click through, or open up your attachment, and end up sucked into giving away secret information such as usernames and passwords.
Spear-phishing is essentially the same approach, but with the emails made yet more believable by targeting, or tailoring, each email for each recipient.
This targeting can be as simple as getting your name right (because so many careless crooks rely entirely on “Dear Sir/Madam”), or as personalised as choosing content that aligns precisely with your interests, your job, or both.
If you’re a nuclear scientist, for instance, an email about joining a research panel on the future of energy generation, or attending a conference, or refereeing a paper by someone in your field, is likely to attract your attention.
If the crook has sufficiently many other details right, such as your full name and your job title, and perhaps a little of your own research history, he might get you to take that last step and open up the dodgy website or document.
Afterwards, you’ll no doubt figure out that most of the information used by the crook was available to anyone with a search engine and a little spare time, but compared to most spammers and scammers, the email probably looked good enough.
HOW SAFE IS YOUR STAFF DATA?
If verified, this breach will be more embarrassing for the DHS and FBI than it would be for most businesses, given the remit of those organisations.
But not looking after employee data seems to be something of a theme at present.
A recent Sophos survey showed that although more and more companies are taking care of their customers’ data (something we can all cheer about), they aren’t always applying the same care and attention to the data they hold on their staff.
That’s worrying, because personal information about your employees is a gold mine for just the sort of spear-phishing attack we spoke about above: an organisational chart and an internal phone directory stolen today could be the basis of an even more serious attack tomorrow.
As we warned during Cybersecurity Awareness Month in 2015: when it comes to spear-phishing, nothing breeds success like success.
The more that crooks, or cybergangs, or a team of state-sponsored actors, learn about your organisation, the more believable their attempts to talk their way in will appear.