The More Things Change, the More They Stay the Same
August 18, 2021 • RBS
2021 Mid Year Data Breach QuickView Report
Powered by our product Cyber Risk Analytics, our QuickView Report provides deeper visibility into the data breach landscape, giving key insights for specific industries.
This article is derived from the 2021 Mid Year Data Breach QuickView Report.
It’s not exactly accurate to say that it has been fun observing data breach activity throughout the first six months of 2021, but it has been an interesting period to watch the trends unfold. 2020 saw a sharp decrease in the number of publicly disclosed breaches as reporting timelines slowed, ransomware attacks exploded, and media attention focused elsewhere. The lingering effects of these trends are still reverberating through the first six months of 2021. However, their impact is lessening as we see early signals of a return to more “traditional” breach patterns.
One striking signal of a return to more traditional breach patterns came to light in early spring. As unemployment benefits were expanded in the United States in late winter, fraudsters went to work devising new schemes to take advantage of the fresh round of funding. This time, malicious actors went after a key piece of data used in applying for unemployment: the driver’s license number.
Several states use standardized formulas for creating driver’s license numbers, typically based on a combination of a person’s name and date of birth. That standardization provides auto insurance providers the ability to assist online shoppers by pre-populating driver’s license numbers based on users entering just a few data points. Attackers took notice.
Using data pilfered from other sources, malicious actors were able to leverage this user-friendly enhancement to steal driver’s license information from the quotation platforms of Geico, Liberty Mutual, American Family, Farmers Insurance and USAA. Attackers have a long history of taking advantage of timing and opportunity to commit fraud. After a brief absence in 2020, it is intriguing to see this type of pattern re-emerge in 2021.
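The design flaw described above is a data-exposure pattern rather than a software bug: a quote form that returns a full driver’s license number in exchange for a name and date of birth turns the insurer into an enrichment service for anyone who already holds those two fields from an earlier breach. The example below is added here to illustrate that pattern and a defensive alternative; it is not code from the report or from any of the insurers named, and the record table, names, license numbers, the `LicenseVerifier` class and the attempt limit are all constructed for illustration. The hardened version never discloses the number: the applicant must supply it, the server answers only match or mismatch, unknown identities are answered exactly like mismatches, and each identity is locked after a few attempts so the endpoint cannot be used as a guessing oracle.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records (fictional names and numbers). In the real
# platforms the number came from a state formula or a data lookup, but the
# exposure is the same either way: the server hands it out on request.
RECORDS = {
    ("jane doe", "1985-04-12"): "D123-4567-8901",
    ("john roe", "1990-11-02"): "R987-6543-2100",
}


def normalise(name: str, dob: str) -> tuple:
    """Canonical lookup key so letter case and stray whitespace don't matter."""
    return (" ".join(name.lower().split()), dob.strip())


def prefill_license_vulnerable(name: str, dob: str):
    """The pattern the quote platforms were abused through: return the full
    licence number given only a name and date of birth. Both inputs are widely
    available from prior breaches, so the 'convenience' leaks the third field."""
    return RECORDS.get(normalise(name, dob))


class LicenseVerifier:
    """Hardened replacement (hypothetical): confirm or deny a number the
    applicant already knows, never disclose it, and throttle per identity."""

    def __init__(self, records: dict, max_attempts: int = 3):
        # Per-process MAC key: stored values are keyed hashes, so even a leaked
        # table does not expose the numbers themselves.
        self._key = secrets.token_bytes(32)
        self._hashes = {normalise(*k): self._mac(v) for k, v in records.items()}
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)

    def _mac(self, value: str) -> bytes:
        canonical = value.strip().upper().encode()
        return hmac.new(self._key, canonical, hashlib.sha256).digest()

    def verify(self, name: str, dob: str, supplied_number: str) -> str:
        """Return 'match', 'mismatch' or 'locked'. Nothing else leaves the server."""
        ident = normalise(name, dob)
        if self.attempts[ident] >= self.max_attempts:
            return "locked"
        self.attempts[ident] += 1
        known = ident in self._hashes
        # Unknown identities still go through a comparison against a dummy
        # value, so timing and the answer do not reveal whether a record exists.
        expected = self._hashes.get(ident, self._mac("no-such-record"))
        matched = hmac.compare_digest(expected, self._mac(supplied_number))
        return "match" if (known and matched) else "mismatch"


if __name__ == "__main__":
    # Vulnerable path: two public-ish data points yield the licence number.
    print("prefill ->", prefill_license_vulnerable("Jane Doe", "1985-04-12"))
    # Hardened path: the caller has to bring the number; three tries, then locked.
    v = LicenseVerifier(RECORDS)
    for guess in ("WRONG", "d123-4567-8901", "D123-4567-8901", "D123-4567-8901"):
        print(guess, "->", v.verify("Jane Doe", "1985-04-12", guess))
```

The attempt counter here is in-process memory; a real deployment would keep it in shared storage keyed on the identity (not only on the client IP, which attackers rotate) and would also alert when many distinct identities are verified from one session, since that is the signature of bulk enumeration rather than a single shopper requesting a quote.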
Is Ransomware too Successful?
In the first half of 2021, there were 352 reported data compromise events that also included ransomware as a component of the attack. If that pace continues, there will be more data compromise with extortion events in 2021 than 2020, which is saying something in light of the 100% increase in such attacks in 2020 compared to 2019. But will this actually come to pass? It is tempting to assume the trend will continue but the tide may be changing thanks to overreach.
Up until May 8, 2021, ransomware creators and their affiliates were operating in something of a sweet spot. Several groups had developed reputations as formidable foes, capable of inflicting significant economic and reputational damage on their targets while staying just far enough out of the reach of law enforcement to act with impunity. That is, until the Colonial Pipeline incident.
At first glance the Colonial Pipeline Company makes for an attractive target. It is a large corporation, operating mostly outside of the public eye, that earns revenue through continuous delivery of goods. In short, a business with the ability to pay a hefty extortion demand and the motivation to do so in order to avoid more costly downtime. The attack was a success, but as time ticked away and fuel supplies along one of the most populated corridors of the US began running low, panic buying kicked into high gear, setting off a chain of events that elevated the DarkSide ransomware operators from shadowy criminal gang to public enemy number one.
The aftermath of the attack altered the conversation around ransomware. Not only did it draw the focus of the nation’s top law enforcement resources – leading to an unprecedented recovery of over 50% of the extortion payment and takedown of DarkSide’s public infrastructure – it also propelled the issue to the highest levels of government. In a mid-June summit between Presidents Biden and Putin, the US pressed its case for Russia to end its laissez-faire approach to ransomware groups. The conversation seemed to have little impact at the time with groups like the notorious REvil/Sodinokibi operators seeming to continue business as usual.
As June came to a close and the long 4th of July holiday approached, word of a new attack deploying REvil/Sodinokibi ransomware began to surface, this time leveraging zero-day vulnerabilities in on-premises installations of Kaseya’s Virtual System Administrator (VSA). The nature of VSA allowed the attack to spread malware to hundreds of organizations relying on Managed Service Providers for IT administration. As Q3 was getting underway, the US once again pressured Russia to take action. This time, it may have produced results. As of the drafting of this report, REvil’s public-facing infrastructure has gone dark. It is too early to know why, whether it is a temporary pause in operations, or perhaps another sign ransomware’s golden age may be coming to a close.
Long Term Breach Investigations
Throughout much of 2020, we noted that breaches were taking an unusually long time to be publicly reported. Some of the lag was due to lighter-than-typical media coverage, a trend that has largely reversed itself in 2021. Ransomware also played a role, with its potentially lengthy recovery times that can delay investigations. That said, there are still plenty of examples cropping up in 2021 of unusually slow disclosures from compromised organizations. One such example can be found in the notification letter released by E.A. Renfroe & Company. On September 3, 2020 an unauthorized party was able to access five employees’ email accounts. The organization was able to disable access quickly, closing the breach two days later on September 5th. The same speed was apparently not applied to the investigation into what, exactly, attackers may have been able to access over those two days. It was not until January 27, 2021, 144 days later, that Renfroe discovered personal data was held in one of the compromised email accounts.
It was another 26 days before notification letters were sent to impacted persons. A total of 170 days, nearly six months, from discovery to disclosure. It is important to note that, from our outside perspective, it is impossible to know what extenuating circumstances may have prevented quicker reporting. There may be good reasons for the delay, although it is difficult to imagine what circumstances would lead to a five-plus-month review of the content of one email account. Regulators in the E.U. are taking notice. In April, the Dutch data protection authority announced a €475,000 fine against Booking.com for failure to report a data breach in accordance with GDPR disclosure requirements. The company waited 22 days to inform authorities of an incident discovered in January of 2019 (far from the requirement to disclose to authorities and subjects “without undue delay and, where feasible, not later than 72 hours”). While a similar outcome is unlikely in the US, it does show some regulators are willing to flex their muscles in order to prompt quicker action.