
Cybersecurity Horror Stories – Learn from Others’ Mistakes

Since it’s Halloween, let’s start by comparing and contrasting two of the more well-known figures of horror in recent pop culture. 

One feeds on human blood, the other on human data.

One weaponizes their fangs, the other their fingers. (Preferably on a state-of-the-art keyboard.)

They both operate in the shadows, one by force, the other by choice.

Finally, if you invite one to your home, and the other to your network, you can be sure chaos will ensue.

Both are good costume options if you’re heading to a party. A cape, fake teeth, and a general sulk will do for the former, and a simple face-covering black hoodie for the latter. (Or, if you’re feeling especially lazy, just a black hat will suffice.)

Figured out who these are yet? The first one is the vampire, popularized by the likes of Count Dracula and the Cullens. The second one is the cybercriminal, popularized by the sheer amount of horrific hacks in recent times.

This blog is all about how their reign of terror has affected companies all over the world, and steps you can undertake to ensure that you’re not next on their hit list.

Horror at the Hospital: The AIIMS Breach

 

The setup:

This particular set of “monsters” knew healthcare organizations face the highest cost of a data breach, and so decided to haunt India’s mainstay in that space. On November 23rd of last year, AIIMS reported a breach that compromised e-records & sensitive data of crores of patients. 

The fallout was terrifying. Appointments, consultations, and registrations were suspended, medical research was delayed and AIIMS was ultimately left with a ransomware demand of Rs. 200 crore to be paid in cryptocurrencies, or else.

The scary part:

Because of improper network segmentation, it took these criminals very little time to get hold of 1.3 terabytes of data spread across 5 different servers. Instances like this lend heft to the stat that it takes a mere 84 minutes for a hacker to break out into the wider system after gaining initial access.

Moral of the story:

A main pillar of your cybersecurity strategy should be to divide your network into different segments. This segmentation minimizes the number of hosts an attacker can potentially exploit and inhibits their ability to spread laterally within an organization. Applying the principle of least privilege to user access reinforces this.

There is a silver lining to this story. AIIMS learned from their mistakes, and their new approach led to them successfully thwarting a similar malware attack earlier this year.

 

The Vaccine Crime Scene: CoWIN Data Leak

 

The setup:

One fine day, a new Telegram bot was released by a hacking tutorial channel called hak4learn. This bot was a lot like other bots, except with a terrifyingly creepy feature: by simply entering someone’s mobile number, you could immediately gain access to their names, AADHAAR details, PAN details, and the exact place where they got their COVID-19 vaccine.

The scary part:

After this breach occurred, a lot of speculation pointed to a direct breach of the CoWIN platform.

Instead, the hacker revealed on Business Today that they found vulnerabilities in an associated platform that focuses on child health. A couple of compromised health worker credentials later, they had access to a platform with over 110 crore registrations.

Moral of the story:

In an age of collaboration, it’s not enough to fortify your own cybersecurity. Follow the same stringent guidelines for every third-party provider/vendor you work with, and don’t forget to audit them at regular intervals.

 

Home Invasion: The RentoMojo Incident

 

The setup:

Home invasion movies can be a nerve-wracking experience to sit through. RentoMojo and their customers experienced this in real life when personally identifiable information of over 1.5 lakh users was obtained by a cybercrime group called ShinyHunters. Exploitation of cloud misconfiguration was deemed to be the main reason for the breach.

The scary part:

RentoMojo immediately sent out emails to their customers, indicating that a breach had occurred but that no financial information had been obtained by the attackers.

Weeks later, their customers received very scary emails from the attackers themselves, claiming that they held financial information in the form of KYC bank documents and that RentoMojo was taking no steps to retrieve it.

Moral of the story:

The cloud can seemingly be a tricky place. Gartner’s latest hype report says that by 2025, 99% of cloud security incidents can be traced back to preventable misconfigurations made by end users. Often, because of the complexities involved in adopting a new product, companies rush through the cloud adoption process and miss even the most essential settings. In horror movie terms, this is tantamount to leaving your backdoor open when there’s a killer on the loose.

Take time to understand the nuances of your cloud system while integrating it. A little more attention to detail will make it a lot harder for attackers to breach your systems.

 

The Frankenstein’s Monster of Faridabad: Cyberabad Data Theft Case

 

The setup:

A Hyderabad social worker tips off the Cyberabad police, claiming that personal data is being sold by someone on JustDial. A few weeks later, this is traced to a certain Vinay Bhardwaj, a Faridabad-based turned data thief who sold all his offerings on a site called InspireWebz. What they found on him was far more horrifying than anyone could’ve imagined.

 

He possessed the personal data of over 66.9 crore people from across 24 states. He had data on students enrolled in Byju’s and Vedantu, info related to 1.84 lakh cab users across 8 metros, and details regarding 4.5 lakh salaried workers in the state of Gujarat. He had GST data, RTO data, bank data from SBI, Axis Bank & Bank of Baroda, and app data from Paytm, PhonePe, Zomato, Upstox, and BigBasket. The list goes on because almost nobody was spared in this digital carnage.

 

The scary part:

When some of these organizations were called in by the Cyberabad police for questioning, most weren’t even aware of a possible data leak. Many denied data theft but admitted that the data recovered was in the same format as what they stored in their databases. A few months later, we still have little to no idea about how exactly Vinay got access to all this data.

 

Moral of the story:

Only 1 out of 3 data breaches is discovered by a company’s security team. That speaks volumes about how ill-equipped most companies are for this monstrosity that is cybercrime. In the face of this ever-evolving threat, IT systems have to be agile and reactive to the task at hand. Start by getting a data security stack that streamlines your cybersecurity, while simultaneously giving you full visibility and oversight across your entire system.

A common factor across these 4 horror stories is the need to streamline logins and authentication for users. To that end, countermeasures like password managers and phishing-resistant MFA are absolute must-haves.

Right, so we looked at how cybercriminals can terrify organizations. But this last example points to a more insidious threat: after all, sometimes, the enemy lies within.

 

AI’m Scared: The Samsung ChatGPT Incident

 

The setup:

Everyone’s using ChatGPT these days, and most dystopian horror stories reference instances like this as the start of AI inevitably taking over the world.

But what if we actively hand over the reins to it? Wouldn’t that be a lot scarier?

Earlier this year, Samsung reported not one, but three different incidents of employees handing over sensitive information to ChatGPT.

One engineer entered source code to find out how to resolve a software bug.

Another executive recorded a confidential meeting, transcribed it using an audio-to-text app, and put said transcript up on the OpenAI platform to get meeting notes.

The third employee used it to optimize a test sequence for identifying defective chips.

The scary part:

ChatGPT saves all its conversations to train its models. So, there’s every chance this sensitive info may be exposed unintentionally in future conversations on the platform.

Moral of the story:

It’s one thing to ban programs like this as company policy. But it will fall on deaf ears if you don’t reinforce the message across the board. Regularly conduct awareness training on all cybersecurity-related topics to make employees your true allies in the fight against cybercrime.

 

So the next time cybercriminals come trick-or-treating at your organization’s door, have the tools necessary to scare them off for good. Thanks for reading, and Happy Halloween!


