Feature2: Where is information security technology headed? Where Does Stolen Data Go?
And Who Do Cybercriminals Target?

Kayoko Ezoe

Kayoko Ezoe is a freelance writer and translator. She has translated around 800 issues of security news for the UK IT media The Register. In 2016, she helped author Dark Web, published by Bungeishunju Ltd. She is in charge of security news mainly for North America and Europe at the online media ZERO/ONE provided by SPROUT Co., Ltd.

Management tends to shun talk of security. It is often perceived as a boring topic that is not even slightly interesting, involves no originality, and generates no profit. There are also situations where strengthening security can work against functionality at the operational level, so many people would probably prefer to avoid it if possible.

Nevertheless, all organizations that use the Internet today need to have security measures in place. It is now considered unavoidable, like mandatory vehicle insurance. After seeing news coverage of the information leaks at Benesse Holdings, Inc. and the Japan Pension Service and the recent ransomware incident, many companies have probably come to see that information security is relevant to everyone.

However, many Japanese companies still prefer to take an optimistic view, telling themselves that their industry is not the sort that is targeted by hackers, and that nothing too bad can happen if they have antivirus software installed. Some people are under the illusion that cybercriminals target big (usually overseas) corporations — probably because of the tendency for the media to focus more on major security incidents. In this article, I will start by looking at why companies are targeted for security breaches in the first place.

1. Where does the stolen data go?

Let’s start by thinking about information leaks. Customer information leaks from security breaches happen all the time in Japan, and depending on the scale of the damage they may receive major media coverage. However, since there are few opportunities to consider why personal information is stolen and how stolen information may be used maliciously, people tend to think of these incidents as having little relevance to themselves.

There are trends in the type of data that is targeted by criminals. The trends depend on what kind of data can be sold for a high price. The Internet has spaces known as the “dark web” that are protected by multiple layers of encryption making it impossible to trace who has accessed them. The brokers who sell personal information in these black markets seek data that can be sold for the highest price possible.

For example, a while ago financial data such as credit card numbers could fetch several thousand yen per item on the black market, but recently the price has dropped to a range between 100 yen and a couple thousand yen per item. However, a list of account numbers for widely accepted credit cards such as VISA with high limit amounts is still a relatively high-priced commodity.

Some may be surprised that data sold between faceless criminals would be so carefully commoditized. However, many black marketers are extremely passionate about trading, and criminals also seek reliable transactions, so some brokers even attach guarantees of sorts to win the trust of their buyers. For example, if the credit card data that they have just sold turns out to be unusable, that is, if the purchaser of credit card data on the black market claims that they were unable to make a purchase with the card, the seller may offer to provide new data for free to replace unusable items.

2. What kind of companies are targeted?

Criminals target various kinds of data other than credit card numbers. One type of data that is particularly worth noting is customer and employee healthcare data. For the past few years, data related to patient histories, chronic conditions, health insurance and so forth has been trading for relatively high prices. The scope of applications for sensitive individual health data is surprisingly wide (I omit details of how it is used here due to space constraints), and it has high usage value both for marketers who trade in the gray zone and organized criminals who conduct targeted cyberattacks. Companies that manage this data are therefore often targeted.

In the United States, the price of personal data is on the rise, including the social security numbers that are assigned to every citizen. In Japan, the equivalent would be My Number. This data should also be treated with special care. My Number is a precious, one-of-a-kind ID that can be used to uniquely manage data.

Brokers do not necessarily sell stolen data directly. They may compile credit card information leaked from one company, email addresses leaked from a second company, birth dates and addresses leaked from a third company, and medical information from a fourth company, and so forth, progressively adding new information to create a full detailed set of personal information for sale. For that reason, even if customer information may not appear usable, it may be useful for such brokers as material for increasing the value of personal information.

One example is email address and password combinations used for web services such as free games. It may not appear to be especially valuable data, however, an extremely large number of people use the same password for multiple services, enabling leaked email address and password combinations to be tried with all kinds of services. If several leaked number pattern passwords are associated with the personal information already held by a broker, it is easy to imagine what kind of damage may ensue.

Does this mean that companies that do not store any of their customers’ personal information need not be concerned about data theft? Not necessarily. Up to this point, we have mainly described brokers who deal in personal data, but criminals who target corporate information may have various targets. Some target employee information in specific industries, some intercept email and dealings with specific companies, and some target data of SMEs as a stepping stone to be used in attacking their ultimate target of an organization that deals with those SMEs. The black market sells all of these kinds of data.

Furthermore, cyberattacks can generate monetary gains in various ways other than selling stolen data. One such method that has recently been in the spotlight is ransomware. The intention of ransomware is not to steal data from the target; rather it is to lock the data in an infected terminal and demand payment of a ransom for unlocking the data. It is extremely easy for criminals to execute.

Users of ransomware can distort money directly without needing to consider a target company or data to be stolen, and without needing to take the trouble to on-sell stolen data. The target could be an individual gamer, an apparel company, an equipment manufacturer, or a tertiary-sector provider of infrastructure for hundreds of thousands of civilians. All of them can be coerced in the same way with the threat of their precious data being virtually held hostage, only to be returned upon a transfer of bitcoins.

3. What can companies do?

Naturally, companies should take steps to prevent security breaches in their own company, but this has become exceedingly difficult to do recently. If a company that uses the Internet in its daily operations becomes targeted by a skilled cybercriminal, it will be almost impossible to prevent infection across all of the company’s devices.

For example, older cautionary measures, such as not opening suspicious emails from unknown senders and making sure that antivirus software is up to date, are not only useless against recent targeted email attacks, they may actually be counterproductive. Companies need to assume that their systems may become infected regardless of the level of security awareness among employees and the careful attention to security, and establish sweeping countermeasures for managing data to prevent damage even if an infection occurs.

What specific steps should companies take? Preferably, every company should have its own security countermeasures specialist. Not just a person knowledgeable about networks, but someone with comprehensive insight including knowledge of the latest best practices in data management, exit countermeasures that can prevent data leaks using technological means, and the flow of responses in the event of infection. The person should ideally have a degree of decision-making authority.

However, it is not possible for all organizations, including SMEs, to retain this kind of personnel. In any case, there is a severe and chronic global shortage of security specialists, and despite various government policies in most countries for promoting the development of such human resources, the situation is dire. Realistically, most companies will be obliged to obtain opinions from external specialist companies. What should they focus on in particular when obtaining these services? The first priority is to review everything from ordinary data management. Then, in the case a company is subjected to a security breach, the most important thing is to promptly notice the damage and immediately take appropriate countermeasures.

When a customer finds out that their credit card information has been stolen as a result of a corporate data leak, they will probably request a new card to be issued immediately. Criminals will try to sell the data before that happens. If the company that suffered the data breach does not notice or vacillates in its response, delaying notification to its customers, who are the real victims, the brokers can sell fresh data to black market buyers while it is still valuable. If this leads to damage for customers, the company may face even worse trouble, such as a class action suit alleging that they deliberately put customer data at risk.

Now let us take a moment to examine the sobering figures for security breach damage amounts. IBM Security published the “2016 Cost of Data Breach Study: Global Analysis.” This research report analyzes data breach incidents at corporations in 12 countries around the world. According to the report, the average total amount of damage due to data breaches in Japan in 2016 was $3.3 million (approximately ¥330 million). Incidentally, this excludes so-called megabreaches, such as the Sony Entertainment incident. IBM Security conducted the survey with the aim of providing beneficial information to a large number of organizations, so its analysis excluded large-scale incidents that most companies have never experienced.

4. To close — a happy tale

Having read to this point, many business managers may be feeling somewhat gloomy. However, introducing robust security not only eliminates uneasiness in the workplace, but also means providing services in which customers can have confidence. Moreover, there are some very rare instances where the strengthening of security measures after suffering damage from a malware infection has helped an organization to seize an unexpected business opportunity.

The US NASCAR stock car racing team CSLFR suffered a ransomware infection in 2016, right before a race. They paid the ransom demanded by the criminal and managed to retrieve their data. So far, this story is nothing to boast about. However, the team responded proactively to the incident and requested cooperation from the security company Malwarebytes to bolster their security for the future.

Through this collaboration, CSLFR and Malwarebytes developed a deeper relationship that led to Malwarebytes becoming the team’s main sponsor. The CSLFR racecar now bears a large Malwarebytes logo. The unusual news of the team affected by ransomware gaining sponsorship from the company providing them with protection became the talk of the town in the stock car racing industry, which tends to feel a world apart from the issue of cybersecurity, increasing the recognition of both. It was also very significant in terms of raising awareness of the threat of ransomware among race fans in general.

To put it bluntly, security is a hassle. Nevertheless, it cannot be avoided, and so naturally it feels bothersome. However, we can also consider positive ideas, such as the ability to appeal to people through system enhancements like services that can only be provided using safe environments. In this way, rather than something that simply prevents negative effects, security can be reframed as something that produces positive effects.