Stealing physical data in a digital world


Ransomware, breaches and more: evolving cyberthreats in the pandemic era

The second article in our cybersecurity series, "Ransomware, breaches and more: evolving cyberthreats in the pandemic era", explores how threat actors are finding new ways to steal information, including by tracking how often you go to the gym.

As difficult as the pandemic has been for companies, most have succeeded in continuing to deliver critical business services to their clients. Many, however, also saw their level of cyber risk rise exponentially almost overnight. As adept as criminals were at stealing sensitive business information before the pandemic, their jobs became much easier to do when executives and their employees began working in their homes. Many were now using personal technology for work, they were surrounded by unsecured internet-connected devices, and their physical surroundings—which often contain numerous personal details—were displayed on video calls. Indeed, it didn’t take long before reports poured in of virtual calls being infiltrated by individuals who either wanted to disrupt meetings for fun, or worse: to steal information they could use against that business.

Many organizations changed their acceptable-use policies to support employees who had been mandated to work at home to prevent the spread of the coronavirus. They granted employees heightened permissions to do their own tech support, allowing them to connect to home networks, printers, and storage devices. But despite these measures, employees’ lack of technical knowledge and limited awareness of how to safely use technology remotely have resulted in an increase in the number of data breaches due to the insecure transfer of sensitive information to both the cloud and personal email addresses.

In many ways, companies have never been more at risk of experiencing a serious security incident than they are now. Not only are people using personal computers and mobile phones to access company information, but the plethora of physical devices in homes—internet-connected thermostats, voice assistants, lights, and blinds—can all be attacked by criminals, who can then worm their way through a home network and into a treasure trove of personal and business-related data.

This convergence of physical security and cybersecurity is one of three emerging threats organizations must be aware of as we move closer to a post-pandemic future. The two others, which are covered in the first and third installments of our cybersecurity series, are data privacy and protection, and the ever-evolving threat landscape. The more companies know about the cyberthreats that can cripple their business, the better they can protect themselves.

Keeping physical data safe

For many years now, business leaders have focused on protecting their organization’s networks from traditional attacks—phishing emails, malware downloads, etc. They’ve spent much less time thinking about how physical spaces and devices could also be targets. One 2020 report found that some criminals have resorted to old-fashioned dumpster diving to steal tax-related information from tax preparers, which could then be used to steal people’s COVID-19 relief payments. Another article revealed that sensitive health-care files were found in a dump, though fortunately before any bad actors could steal and use them. Scouring garbage for paper may seem outdated, but with more people working from home and perhaps printing documents rather than reading them onscreen, highly sensitive data is thrown into the trash–and criminals will do what they can to find it.

The many internet-connected physical devices that people have in their homes are also ripe for attack. For instance, there have been numerous reports of criminals targeting security cameras and video-enabled doorbells to view the inside of a room, keep track of who is coming and going at someone’s home, or even speak to people inside a building and threaten them into making extortion payments. One company that makes video doorbells was hit with a class-action lawsuit from users who said they were terrorized verbally by criminals who broke into their camera systems.

There are even websites that stream real-time footage for all to see of people in offices, gyms, stores, homes, and backyards, taken by unprotected video cameras. The business owners and third parties who install these cameras have no idea they’re being watched—they just set the camera up, and often don’t update security configurations or change the passwords that could protect them from prying eyes. It’s a similar story with other devices: criminals break into a smart thermostat or voice-activated assistant to get onto a home network where they can access all kinds of important information.

It’s also possible for criminals to learn about someone’s physical surroundings from their digital data. In one famous case, locations of secret military bases were revealed to the public after a smart-device company published a heat map of where its users were running. It turned out that military personnel used exercise-tracking devices while running around their bases, which then created a border for all to see.

More data, more personal, more value

You may not think that threat actors would find anything useful from a camera in a gym, but the information they’re after today is far broader and more sophisticated than what they sought out only a few years ago. At one time criminals frequently targeted credit card numbers, which controlled illegal dark web markets. Now, markets have shifted to an even more lucrative model: cyber extortion.

Criminals are blackmailing employees and selling their information on dark web marketplaces. Through social engineering (when attackers carry out malicious activities through another human), information—such as names, organizations, and roles—is stolen and used to force victims to carry out activities at the attacker’s discretion. Threat actors with access to employee login accounts are forcing staff to steal data from their employer or provide sensitive information that can be used in other attacks. In many cases, attackers will stop these nefarious activities in exchange for a hefty fee. But not always.

In one well-known example that took place in 2020, attackers used social engineering on a number of employees at a major social media company, blackmailing them into extorting US$180,000 from high-profile users through various scams and messages before the operation was shut down. Also last year, an employee of a leading automaker was offered US$1 million to install malware on the company’s network, but refused.

Cyber blackmail and extortion are the main reason insider threats have climbed by 47% since 2018. This elevated risk, coupled with an insecure remote-work environment, is allowing criminals to gain knowledge of a victim’s personal activities, including any gambling debts or health conditions. Some are even taking compromising photos or video of their victims, then threatening to release images of a sex act unless money or other services are provided. The rate of police-reported so-called sextortion emails was at 44% in 2018, a number that has only climbed since.

All of this makes it easy for threat actors to target their victims. If they’ve got their eye on, say, the CEO of a company that has sensitive customer information–maybe it’s a health-care business or a large law office–they can simply find a website that’s displaying real-time footage from the unprotected camera of the gym the CEO works out at to see when the person’s not home. They can then either physically get into the executive’s house or break in digitally without being noticed. If a target has an internet-connected doorbell, criminals could see how often the person leaves home and for how long. A smart thermostat might reveal room-temperature data, which could also indicate whether or not someone’s home, as people often make their rooms cooler when they’re not around.

The combination of all this data makes it easier for criminals to send emails that appear real (ones that include highly personal information that only a close friend or colleague would know, for example) and trick recipients into clicking on a phishing link. This could then lead to a ransomware attack, in which attackers lock a computer and then force its owner or user to pay large sums to regain access. As well, the more complete the picture a threat actor has of an individual, the more value that information has on the black market. (Credit cards expire or get locked; personal details never go away.)

Protect your staff’s devices

If sensitive data is stolen and client information ends up on the dark web, then your company could be sued and held liable for damages. That’s why it’s important that you assume every piece of data, whether it’s gathered in the physical or digital world, is susceptible to an attack.

One way to protect your business is to send a team of cybersecurity experts into the homes of your employees who may be targets—C-suite executives, board members, data scientists, and others who may have access to sensitive information—to perform a security review, ensuring their smart devices are properly updated and that passwords are changed frequently, or at least regularly. It’s also important to apply security patches to other computer-related software, especially programs that may be years old.

Employee education continues to be vital protection for today’s organization. Explaining to staff how throwing away a piece of paper with private data can be dangerous, how someone’s surroundings in a video could reveal sensitive information, or how social media posts can contain details that attackers may want, are all must-dos. Also hammer home the idea that private information can easily be made public—and that it often stays public forever.

So make sure your company can prevent, detect, and respond to cybersecurity incidents, in both the physical and digital spaces, especially now that many of your people may be working from home. Ensure that the personal devices of your executives and key staff are secured, that their online profiles and accounts are adequately secured, and that their homes and properties are protected from cyber and physical threats.

An external managed detect-and-response team can help your organization understand where and how attacks take place, help you develop the most effective methods for protecting your business, and respond quickly should an attack occur to prevent any damage from being done.

Criminals are only getting smarter, and they have more tools to work with than ever before. The companies that understand all the ways the criminals can breach their business, and take appropriate countermeasures to keep their data safe, will be the ones that protect themselves best.

In the next and final article of our cybersecurity series, "Four types of breach you need to know about", we look at the top four ways breaches occur today.


Adrian Cheek
Manager, Threat Intelligence & Threat Hunting
Deloitte Cyber Intelligence Centre
