Perspectives

Data breach scenario I

From riches to rags to riches

For a layperson, what do recent events of data breach and manipulation mean? Are there serious repercussions, especially given the fact that crores of people’s records have been compromised? The chances of an individual being impacted might thus be miniscule.

Deloitte’s Forensic practice in India presents a five part article series where fictitious cases help explain different data breach scenarios and their impact. These cases have been put together based on Deloitte Forensic’s extensive experience of working on some of the top fraud, misconduct and noncompliance investigations in India over the last decade.

Rhea had a guilty pleasure. At 44, being the CEO of a mid-sized financial firm, she had to maintain a certain image. Reading trendy fashion magazines and subscribing to select fashion aggregator newsletters to keep up-to-date on the latest developments in the fashion world may strike some as an unusual interest area for a high powered corporate executive and mother of two daughters. Yet Rhea did not let societal and corporate expectations distract her from her weekly Wednesday reading of a leading fashion newsletter, which she had stumbled upon accidentally many months ago, while reading about fashionable attire on a website.

It was 17 May 2016, a Tuesday, when she received the newsletter in the middle of a tense meeting she was having with her CFO. While the CFO droned on, she absentmindedly opened the newsletter on her smartphone. At the back of her mind she noticed that it seemed near identical to last Wednesday’s newsletter, save for a prominently displayed link at the top. She clicked the link and was directed to a website that contained some text in Russian. Confused, she went back to her email and clicked it once again. The same thing happened again. She closed her phone’s browser and deleted the email, rationalizing that the author of the newsletter probably sent it out by mistake. She refocused on her discussion with the CFO. Half an hour later, while explaining a potential acquisition, her phone beeped and as she picked it up, she realized it felt very hot. Plus the battery had drained. “Phones seem to barely last a few months these days”, she muttered as she plugged her phone into her laptop for charging and continued with the rest of the discussion.

Several months later, at the annual board meeting, Rhea was facing the heat for the last few months’ financial performance of the company. The firm had suffered massive losses in recent months and she wasn’t able to explain what happened. All the firm’s recent bids for work had been undercut on price by their main competitor. To make matters worse, the competitor was seemingly always one step ahead of them in developing new product offerings, many of which Rhea had thought were her firm’s original ideas. The board gave her an ultimatum—either improve in the next six months, or start looking for an alternative job.

She spent the rest of the year trying to understand what may have gone wrong. Her mentor hadn’t been able to help her, besides telling her this was common in business. Six key staff members had left the firm for better opportunities. The innovation team’s request for funding had been turned down and it appeared that in three months, all team members would leave. The CFO had suggested cutting down on the marketing budget and a war of words had ensued between him and the marketing leader. Recently the media had published an unverified article on the state of affairs in the firm, in effect questioning her leadership. Dealing with all this was made worse by her laptop and old phone slowing down significantly, losing battery within 30 minutes and frequently hanging. She hoped the next year would give her some respite.

Fortunately, it did. She got her laptop upgraded by the IT department and recently received a new smartphone as a gift for her wedding anniversary. Soon after, her spate of bad luck with bids for work changed and suddenly the firm was looking to be in the black. Unknown to her, her IT personnel had just saved her job and perhaps inadvertently, restored her company’s fortunes – all through a simple upgrade of her laptop.

What went wrong?

In February 2016, Rhea signed up for the newsletter by clicking on an ad she saw while browsing the web on fashionable attire. Unknown to her, the website recorded all ad clicks and matched that data against user profiles to pinpoint the identity of the user who clicked on the ad. The website in question suffered a massive data breach shortly after, which they did not disclose to the public. The breached data swirled around the dark web for some time, before it found its way into the hands of a corporate espionage hacker group. They searched the data for high profile targets and found Rhea’s details. They formulated their plan shortly after.

It was a simple plan: send out a spear-phishing email to Rhea’s personal email ID, imitating the newsletter. They sent it on a Tuesday, a day before the original newsletter was released, so that Rhea would be enticed to open it on her phone thinking that it may be an exclusive invitation to check out a new brand. They copied the previous week’s newsletter entirely, except for the link, which directed the user to a domain that would silently download and install malware onto the user’s device.

The plan worked. Once Rhea had connected her phone to her laptop, the malware was able to transfer onto the laptop as well. Both on her phone and laptop, the malware silently executed a number of scripts which had the effect of uploading all Word, Excel, PowerPoint, and Outlook files to a remote server controlled by the hackers. Crucially, it only did so when it detected that the devices were connected to her home Wi-Fi network, so that her corporate IT team would not notice the anomalous data transfer. Pinpointing her location was easy, since they had her home address, which she had indicated on social media while creating a profile five years ago.

The hackers sold all the information uploaded by the malware to Rhea’s firm’s main competitor who used it to price its bids differently and launch new products ahead of Rhea’s firm. However, once she changed her laptop and phone, the hacker’s access to her data was cut off. Subsequently, her personal email provider identified another attempt at spear-phishing (via the same modus operandi adopted previously) and automatically deleted the email received.

A version of this blog post appeared on etcio.com, an initiative of The Economic Times. You may read the article here.

If you have any comments or would like to share your views, please write to us at inforensic@deloitte.com

Authored by: Nikhil Bedi, Partner and Leader, Deloitte India

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from ly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

©2018 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited

Did you find this useful?