Huge Data Leak as RSA 2019 Draws to a Close
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
It is only fitting that immediately following a week of self-congratulatory cybersecurity thought-leadership at the RSA 2019 Security conference, we learn that 763,117,241 people have had their records leaked by Verifications IO.
This leak occurred sometime between the “Open Source, Open Bar” networking event for "open source enthusiasts who appreciate an open bar" at the Mathilde French Bistro on Tuesday and the “Security Challenges in the Cloud Age” breakfast at the DocuSign offices on Thursday.
The leaked records were unencrypted and totaled 2,069,145,043 containing verified emails, phone numbers, addresses, dates of birth, Facebook, LinkedIn and Instagram account details, credit scoring and mortgage data such as amount owing, and interest rates being charged. And how on earth did that happen, you might be wondering.
Four unprotected open-source databases (of which there are many) were hacked through a known vulnerability, and the exploit was able to suck out over two billion email addresses in addition to all that other data. Verifications IO validates bulk email lists for companies wanting to remove inactive addresses from newsletter mail-outs. And this is not rehashed data like the batch in Collection1. All of these records are brand new to the dark web, which represents a gold mine for phishers and cyber-criminals.
The problem here is not the open-source databases. The open-source companies make it clear all the way through that they are not responsible for assuring vulnerabilities are patched. That burden belongs to the enterprise customer. And these vulnerabilities are not hidden either. There are tons of open-source vulnerabilities listed and ranked by CVSS score in the public vulnerability database, which is available for everyone to use as a guide for patching security holes. The problem, which was underscored so theatrically by Equifax, is that we don’t do it.
And RSA is not to blame either. Unless of course, you believe that RSA is about advancing the global interests of cybersecurity protection and data privacy instead of its actual goal of promoting technology, networking and camaraderie while generating tons of income.
We are to blame. Those of us who just had our data stolen or “leaked” if you must. We exhibit no signs of concern about this problem as we insist on rejecting all of the cybersecurity advice we receive on a daily basis and then claim we have no voice in government. And those of us in the cybersecurity community who ignore the obvious widening gap between prevention and breach while we instead continue to genuflect at the altar of “big security”.
How hard is it to practice a little cybersecurity hygiene?
Patching known vulnerabilities, learning to detect attempted phishing attacks, and applying some skepticism to unexpected emails, text messages, and social media communications. The horses are gone on this one, but threat actors will now use this data to appear like a trustworthy organization in their communications with those 763 million users. At the very least, if you receive email or social outreach that requests a response, don’t do it. Facebook is not your friend.
The bad guys now know who you bank with and the details of your mortgage. Any communication from your bank is to be suspect – verify the linked URL not by clicking on it, but by using the institution’s legitimate address. This should become your common habit. The same goes for phone calls. Banks and credit bureaus will not contact you by email regarding a security matter, nor will they ask for your account details over the phone. Carefully examine every email you get, especially those from “trusted sources”. If you are using Gmail, this is easy to do by simply clicking on the Show Details arrow directly below the name of the sender. Yahoo mail and Outlook are a little more difficult, but both are doable.
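The two checks above (does the visible link really go where it claims, and does the sender line up with the institution) can be automated for a mailbox or a mail gateway. The following is an added example, not code from the article or from any of the companies mentioned: it parses a constructed sample message, flags anchors whose displayed URL points to a different domain than their real href, flags links that leave the institution's known domains, and reports a From/Return-Path domain mismatch as a weak signal. The sample message, the `LEGITIMATE_DOMAINS` list and the `.invalid`/`.example` hostnames are all constructed placeholders.

```python
"""Phishing-style email sanity checks (added example; constructed sample data)."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link's visible text claims the bank's site but the
# href points elsewhere, and the Return-Path domain differs from the From domain.
SAMPLE_EML = """\
From: "Example Bank Alerts" <alerts@examplebank.example>
Return-Path: <bounce@mail-relay.invalid>
To: customer@example.org
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review your account:
<a href="http://examplebank.example.login-check.invalid/verify">https://www.examplebank.example/login</a></p>
<p>Or visit <a href="https://www.examplebank.example/help">our help page</a>.</p>
</body></html>
"""

# Assumption: the institution's real domains would be maintained by the defender.
LEGITIMATE_DOMAINS = {"examplebank.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registered domain as the last two labels.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url):
    """Registered domain of a URL, or None if it has no host."""
    host = urlparse(url).hostname
    return registrable(host) if host else None


def addr_domain(header_value):
    """Registered domain of the address in a From/Return-Path style header."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else None


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Weak signal: bulk mailers legitimately use a different bounce domain,
    # so this is a prompt to look closer, not proof of forgery.
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"sender mismatch: From={from_dom} Return-Path={rp_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = domain_of(href)
            shown = domain_of(text) if text.startswith(("http://", "https://")) else None
            if shown and target != shown:
                findings.append(f"link text shows {shown} but points to {target}")
            elif target not in LEGITIMATE_DOMAINS:
                findings.append(f"link to non-institution domain {target}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print(finding)
```

Run as-is it reports two findings for the sample: the look-alike link and the sender mismatch. The `registrable()` helper is deliberately crude; a production version would use a public-suffix list and would also check DMARC/SPF results from the gateway rather than inferring from headers alone.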
2018 was a showcase for the consequence of not having robust enterprise policies in place. Breaches at Google (the Google+ breach), Marriott, T-Mobile, Uber, FIFA all exposed the personal data of hundreds of millions of individuals, and all of them could have been avoided by implementing stronger cybersecurity practices, hygiene and ensuring employees received appropriate cybersecurity training.
If you happen to be a Marriott customer or have a Starwood account, you may want to now pay special attention to all email that warns of a problem with a recent reservation or with your Starwood account, urging you to click on what will probably be a booby-trapped link or attachment to learn more. Now just imagine that similarly targeted emails will likely come from any brand with whom you’ve done business in the past, like Uber and T-Mobile.
Even without a substantial data leak like this Verifications IO disaster, we are sitting ducks for exploitation. With every app, website and social networking site requesting us to “Allow” them access to our phone, contacts, online clouds and other stuff, we unwittingly persist in enriching our online profiles in databases all over the world. With even the nascent and maturing AI capabilities of 2019, all of our online behavior, dislikes, inclinations, choices are being analyzed to develop a very close model of how you actually think.
If we don’t start forcing ourselves into reasonable hygienic habits both at a personal and enterprise level, we will soon be completely outwitted by AI-enhanced cyber-predators and no amount of software or technology will be able to protect us from ourselves. And yes, this is all inconvenient, unfair and expensive but it is long past due that we accept the reality that we can only choose two of the trade-offs between security, privacy, and convenience.
Not unlike good, fast and cheap. We can’t have them all.
Director of Business Development at SafeGuardian
6 years
Steve King, thank you for this article. It is an unfortunate truth that in the present age everything digital that we do has to be vetted to the nth degree. There is so much data individually on us on the web and dark web that we are, as you say, sitting ducks. Each of us now needs to be very aware of the exposure we are allowing mobile application and web developers to our personal information.
VP Technology DBG
6 years
Credible cybersecurity initiatives in a lot of organizations have become lip service and a check-box activity. Business managers, branded management consulting firms and uninformed senior executives have hijacked the process. Clearly awareness and individual diligence is still our biggest challenge. Sad.
Skilled and experienced in Cybersecurity, Project Management and Scrum
6 years
Over 700 million fresh names for the Dark Web to digest! So if you haven’t already given up ever clicking a link in any communication, now is the time. Just don’t ever do it, no matter how authentic the content looks. Don’t count on recognizing a fake URL. The only way you should ever link to anything based on a message is to type the whole link yourself and hope your device, the target site or the DNS hasn’t already been hacked.
Senior Specialist-Client Tech Administrator | Mentor, AT&T Women in Networking | DTE Advisory Board
6 years
Leah Freiman Appears Itcon2019 will have much to talk about...