Newsworthy Data Leaks – Jurgita Lapienytė, CyberNews

[00:00:00] Jurgita Lapienytė: Basically, cybercrime is linked to data leaks. Whether it's just the leak of your credentials, banking, health information or data as a result of ransomware, all cybercrime to my understanding is about data, whether it's espionage or credential theft or whatnot. So, you know, because data is power and therefore, money.

[00:00:25] Cyril Noel-Tagoe: Hello everyone and welcome to Cybersecurity Sessions, our regular podcast exploring all things cybersecurity. I'm your host Cyril Noel-Tagoe, principal security researcher at Netacea, the world's first fully agentless bot management product. These days, it seems that barely a week goes by without a data leak being reported in the news. According to Atlas VPN, 5.9 billion credentials were leaked in 2021 alone. But it's not just credentials under attack; personal data, payment information, sensitive corporate data, and even source code are all at risk of being leaked. But how is so much data leaked so often? What do criminals do with the data once they have it? And what risk does this pose to the public? Well, to share some of her most memorable stories of data leaks and their consequences, I'm excited to be joined on this episode by our special guest, chief editor at Cyber News, Jurgita Lapienytė. Welcome Jurgita. Thank you for joining us today.

[00:01:15] Jurgita Lapienytė: Thank you for having me.

[00:01:17] Cyril Noel-Tagoe: Would you like to introduce yourself to our listeners quickly?

[00:01:19] Jurgita Lapienytė: Well, yeah, of course. So, I'm Jurgita Lapienytė. I've been with CyberNews for nearly three years, and before that I spent over a decade in business journalism. So, you know, data leaks and hacks and breaches are what we, you know, brief every day. And I'm really happy to talk more about it with you.

[00:01:41] Cyril Noel-Tagoe: Great. And we'll get into the data leaks in just a bit. But let's start with your career journey. So how did you get into journalism and what drew you in particular to reporting on cybersecurity?

[00:01:51] Jurgita Lapienytė: Yeah. So, you know, I've always been very curious and wanted to dig deeper. I always, you know, had questions I couldn't find an answer to, so I wanted to ask more questions, obviously. And so this career path was only natural for me. I always wanted to report more on tech companies. Also as I said, being a business news journalist myself, right? And so, digging deeper and deeper into the tech field, I came across the cybersecurity topics, found them really fascinating and also heavily under-reported in the mainstream media. And so I get that this is a very technical field. So my goal here is to simplify it a bit, you know, so that more people can understand because it's really important and it's crucial that we understand what is at stake here. Right? So I basically dived into the topic because I wanted to learn more myself and also to educate my readers and also just my family and friends, you know, about all the risks and what we can do about our privacy, basically, on the internet.

[00:03:01] Cyril Noel-Tagoe: And I think these days there's definitely a lot more coverage about data leaks, you know, mainly tech news, but you know, there is growing coverage in the mainstream as well. And why do you think data leaks are so popular these days?

[00:03:13] Jurgita Lapienytė: I'm really glad to see thatleaks are being covered not only by the niche media outlets, right, but the mainstream as well. Not that recent ago, that was definitely not a trend. So one of the reasons might be, you know, the cyber war and all its collateral damage, you know, all the hacktivists joining the war on the cyber front, and, you know, going public with those leaks. So, you know, they are of interest. Also, there have been a lot of hacks and data leaks that impact our daily life. For example, I don't know, Colonial Pipeline ransomware attack or Optus Hack in Australia, right? So it's of importance to us. Also recently we've seen, well, many popular brands, and I mean, B2C, so business to sustomer brands suffering a leak. Uber, Grand Theft Auto, Revolut, Facebook, Last Pass, right? So they all experienced different issues, but however, most of them, they put user information at risk and I think that it's only good, right, that those breaches, hacks and leaks, they attract more attention, because this means that there's an increased pressure on those companies to guard our data. Those leaks used to happen even before, right, this increased attention. But, the fact that they are on the spotlight, I think it's, it's good, basically. Also, there's a trend that criminals are mimicking basically legitimate corporations, especially like ransomware gangs. They are operating just like legitimate businesses. And so they have even their own sort of PR departments, right? And they are very public about their victims. They are eager to talk to journalists. They give out their, I don't know, emails or other means to contact them, you know, so they are also being very public about it. So, you know, that's just a couple of reasons that come to my mind.

[00:05:21] Cyril Noel-Tagoe: And why do you think that might be? Especially with the kind of the cyber criminals becoming a lot more public? What's in it for them?

[00:05:27] Jurgita Lapienytė: Well, sometimes they really exaggerate their claims, as we saw with, uh, Lapsus$, right? So I guess that journalists, especially when they're not careful enough, right? And they don't verify the information. They kind of also help them exaggerate the claims and put more pressure on those companies that are allegedly hit by ransomware. You know, maybe there's not that much at stake, maybe those claims are not even true, but companies might feel more pressured, especially when they get more attention from media. So I guess that's trying to put pressure on their victims just to being public about that. And that kind of works just like a promotion for their business or an ad. And if a company sees that, okay, so I've been attacked by lab and these guys are serious, you know, so I might want to pay them because this is a well known gang. And I better pay them because, you know, I've read about them, you know, going after big companies and corporations.

[00:06:30] Cyril Noel-Tagoe: And I mean, you raised an interesting point there around the media having then to kind of verify that the claims are legitimate. As a journalist yourself, how do you typically go around doing that?

[00:06:40] Jurgita Lapienytė: Oh, definitely in some cases it's it's very hard and in some cases it's impossible. But, you know, we never write about data leaks if we are not sure what's in there or we go about it, like very careful, right? So just putting them as claims, because as I said, there's like so much information now from, you know, those ransomware gangs, so you can't take every statement just for granted. So, you know, sometimes we either take the data samples they provide or we ask for them to see whether at least some part of that information is true. Then we of course, reached out to companies that had fallen victim. But also sometimes just reaching out to those victims doesn't help us much because companies tend to kind of downplay the whole attack. And it's understandable, but, so sometimes it doesn't help us. So we basically, we try to look for data and then look whether that data kind of corresponds to the claims.

[00:07:47] Cyril Noel-Tagoe: So let's talk about some of the data leaks you've covered, and particularly some of the more interesting ones. Have you got any examples that spring to mind?

[00:07:56] Jurgita Lapienytė: Well, yeah, so, there were definitely some interesting leaks at the beginning of the war in Ukraine, right. So hacktivists, as I mentioned, joined the fight on the cyber front, trying to expose Russian government aid and agencies and then Russian companies, right? So there were like so many leaks, data put up there just basically for free, you know. And everyone, and not only like niche media outlets, but like mainstream outfits as well, were rushing to cover these leaks. But, you know, we always want to verify those. So, I don't know. At the beginning there were some interesting ones. For example, the data leak from Russian Foreign Ministry were... even Putin himself email was allegedly in the leak and his password, right? So, you know, that's exciting. You might want to report on that, but then you need to take it with a grain of salt. And then just shortly afterwards, there was a Yandex leak, right? Which also meant, you know, that okay, activists aregoing after Russian companies, but there's also a lot of customer data involved. And, you know, those customers they are just ordinary citizens. So, you know, there's collateral damage here. And you know, we also tried to verify that leak, and it turned out that there were not only Yandex emails and data in the leak, but also there are random Emails like from Gmail and other services. So, I definitely remember the rush at the beginning of the war because there's been a surge of leaks and half of them proved to be fake. Some were not important, right. Some had some truth to them. So, that was definitely the most interesting thing, probably this year, we had to do.

[00:09:54] Cyril Noel-Tagoe: Yeah. And I guess with those ones, especially where it's hacktivists, right? Cause when you think of data, the leaks, you think of these well funded, well organized APT groups or others that, you know, are able to maintain persistence for a while and kind of extract data. But whereas hackivists and these, especially with the war in Ukraine, a lot of these were kind of volunteers who haven't done that much before. How are they able to still kind of steal that much amount of data, like where the leaks were true?

[00:10:19] Jurgita Lapienytė: Yeah. But then, you know, in many of those cases, they don't really steal that data. So there's, already so much data out there, right? On the dark web, you don't even have to buy. Some of it is just basically up there for free. So there are a lot of, you know, databases out there already, and there's a lot of data to play with, right? So, some of them proved to be just some old leaks, or basically some scrap data because big companies still allow... well not maybe allow, that's too strong word, but, don't do enough to prevent data scraping, right? So there's a lot of information you can get by, I don't know, using bot, right? But a lot of those leaks were actually like old leaks and maybe, you know, stolen by someone else and hacktivists just being very public about it. There were, some, what it seemed, new data leaks. But then they were mostly about, you know, very niche Russian companies, and maybe not of that big of an interest to the public, right.

[00:11:40] Cyril Noel-Tagoe: I mean, that raises some interesting points,especially around kind of the life cycle of breached data, right? So, I mean, you mentioned that these may have been past leaks, which were then made public. If they're past leaks, they're probably then being already used by kind of cyber criminals before they get made public. So I guess generally, how long does it normally take for a breach to occur before it gets public in your experience?

[00:12:04] Jurgita Lapienytė: Well, it depends, but to my view, you know, once the data is out there for free, there's not much use to it for the person who stole it, right? So, basically it's, I feel like it's maybe just leftover. Of course, it depends on the data, right? And with something like, I don't know, Facebook scraper, right? So there's nothing else to do but to sell it. And then many different threat actors can use it for phishing and other attacks. But with the more serious data leaks, I think we don't really see them, right? If a threat actor, a motivated one, maybe a persistent one, steals some documents and some internal data from, I don't know, a government agency or a big company, if it's like intellectual property and whatnot, I think, we won't see it public. If they have that data, they are gonna use it for their own nefarious purposes rather than just put them up for sale, right?

[00:13:14] Cyril Noel-Tagoe: Let's talk a bit about some of the outside factors that have influenced data leaks. And you mentioned earlier the Ukraine war. Are there any others you can think of, maybe the pandemic or others, that have influenced how data leaks are arising these days?

[00:13:28] Jurgita Lapienytė: Well, yeah, of course. The pandemic, because online retail boomed, right? And we just got used to buying stuff online. Even those people who couldn't imagine themselves, you know, buying something online. Now they're buying groceries and Christmas presents and books and whatnot. And also, you know, the shift to remote work, I think, had a huge influence here. So now there are so many more opportunities for threat actors to phish us, right? And to penetrate the corporate environment because we do everything online and we have so many internet of things devices, right? And so basically, cybercrime is linked to data leaks. Whether it's just the leak of your credentials, banking, health information, or data as a result of ransomware, all cybercrime to my understanding is about data, whether, it's espionage or credential theft or whatnot. So, you know, because data is power and therefore, money.

[00:14:56] Cyril Noel-Tagoe: And what about stuff like, I mean, especially in Europe, the GDPR, and regulations like that. How has that affected businesses taking data security?

[00:15:05] Jurgita Lapienytė: GDPR has definitely improved our privacy rights, right? At least now we have this notion that privacy is our right. It's something that we have a right to, and I tend to believe that small businesses are actually trying to do their best to protect our data since they probably can't really afford hefty fines, right. But then what about big tech? Because just a couple of days ago I looked, you know, at the GDPR fines here in Europe. And guess what? Amazon, Google, Facebook, Instagram, WhatsApp, they all got record high fines for GDPR violations, right? So you would imagine that big companies with huge departments, you know, and resources to have people on board to read those documents, to put all the protections in place. So you would think that, you know, they shouldn't find themselves in such a situation. So my question here is, have they really stopped stockpiling our information or not, right? So I highly doubt that. So I think, you know, GDPR to some extent, it's better, but whether it is tackling the biggest problem that we have with like big tech and our data. So I'm not sure about that one.

[00:16:39] Cyril Noel-Tagoe: Mm. And I mean, you mentioned earlier around some of the groups faking that they have data or being very public about data leaks to kind of extort their victims. How do you feel that GDPR has played into that? Right? Because at one point, if a threat actor goes to you, "look, we've got this data and we will make this public unless you pay us. If you pay us, we won't make this public, then you don't have to report your GDPR breach." do you think that's had an impact?

[00:17:09] Jurgita Lapienytė: Well, it's hard to say, you know, I don't have any statistics, but I definitely saw quite some ransom notes where ransom gangs know that companies might violate GDPR if that leak or that ransom case goes public and, you know, so they would threaten those companies with GDPR saying that, "okay guys, if you don't pay us, we will report this case to authorities and then you'll face a fine, which might be way higher that our ransom demand", you know, so, GDPR definitely plays a role here.

[00:17:48] Cyril Noel-Tagoe: Yeah. I mean these criminals are quite clever in how they try and extort, kinda use whatever levers they can pull. Touching a little bit more on ransomware and in particular double extortion ransomware, where, you know, the threat actor is going to not only encrypt data, but also exfiltrate it and use that as a lever. How have you seen ransom demands and the response to them change in recent years?

[00:18:13] Jurgita Lapienytė: Well, at least it seems a bit more quiet maybe after the Colonial pipeline, you know, and all the increased attention. We still see a big brands listed on gangs' websites. Ferrari, Ikea, Continental, many colleges, higher education institutions, healthcare institutions, definitely. But it seems that ransom demands are not breaking records anymore. What we actually noticed from our own investigations and our own research is that criminals actually use bots to find open databases. And, you know, they ask for quite a modest amount of ransom, I think to, you know, maybe make sure they are paid and the law enforcement doesn't get involved. So in one of our recent investigations, we actually found a threat actor asking only for $200 ransom. And we were able to verify that, you know, at least five victims actually paid that amount. So, five is only, what we know. That threat actor might have way more wallet addresses. So it seems that those criminals are kind of diversifying their risks, going after smaller targets, being a bit more quiet about it, right? Because a company probably would decide to pay if the amount is only like $200 $200 or ev,en $2000, right? It's not worth to call the law enforcement. I know companies don't want law enforcement to get involved too. So, you know, at least that's what we observed.

[00:20:05] Cyril Noel-Tagoe: Yeah. I guess the key thing with an extortion demand has got to be something that the company can actually pay, and also if you keep it quite low, you kind reduce attention being brought to yourself. You don't bring the kind law enforcement to it, then it's easier on you. But I guess also with kind of a $200 ransom, you've gotta be spreading yourself quite wide to actually start making some profit on that, right?

[00:20:29] Jurgita Lapienytė: Well, you know, I don't know how many databases they actually managed to encrypt, right? So another investigation we did last year, it showed that there are like, tens of thousands, of databases left open there, right. So, you know, imagine about just going all over them, encrypting them, you know, and just getting all those $200 from each of the companies. But then also we have to have in mind that ransomware is a service now. So you don't really need to be very skilled. Right. A lot of rookies, basically people without, big tech knowledge go out there, ransomware and then they can go out there and play with it. I mean, it's not that complicated anymore.

[00:21:21] Cyril Noel-Tagoe: And I think that's a general trend we're seeing in cybersecurity, right? Whether it's ransomware or even bot attacks, everything is becoming easier to do, this kind of cyber crime as a service. You know, it's really exploding.

[00:21:34] Jurgita Lapienytė: I also just wanted to add that, you might think, oh, $200, that's a funny amount. But then, I read the report which said that those rookies who just started their cyber criminal career. So they can earn up to $20,000 a month. So if you are only getting started and buying stuff off the shelf, and you know, when you become a cyber kingpin. So, the report said that you can learn as much as $600,000, and I'm not advertising it, you know, but as I said, $200 might seem funny, but it all adds up and then you get like being a rookie to $20,000 a month. So something to think about, I guess.

[00:22:24] Cyril Noel-Tagoe: Yeah, I mean, let's talk about what happens when the criminals get caught because, I mean, you mentioned Colonial pipeline, and that's an example of where there a big kind of law enforcement action there. But is that generally the case where you have mass data theft or is it kind of rare?

[00:22:40] Jurgita Lapienytė: Yeah. In many cases, the mass data theft is associated basically with ransomware gangs, right? They exfiltrate data, they encrypt it, and they also blackmail companies, right? So we don't see that many, at least not to the extent of the cyber crime, and we would definitely like to see more people getting arrested, but, you know, it's not that easy. It's kind of easy for cyber criminals to hide. But just recently, Canadian authorities arrested a Russian national suspected of having ties with the notorious LogBit ransomware cartel, right. And we also, just a while ago we saw some Lapsus arrests. So again, that's not directly... they were not arrested because of theft of data. Right. But ransomware. But it's in the link because as they said, ransomware, it's also all about the data and what you can do with it and what's it worth. So there are some arrests. There are some good signs, I guess.

[00:23:52] Cyril Noel-Tagoe: And, and once the criminal group has the data, you said data is power. What are some of the ways that this has been or can be exploited?

[00:24:01] Jurgita Lapienytė: Well again, it depends on the data, right? So, simple sets of phone numbers and emails, they are used for phishing, right? And business email compromise is such a big problem for companies and it costs billions in losses worldwide, right? In some of the more extreme cases, for example, Optus hack in Australia, right? So a threat actor basically stole passports, passport numbers, and then driving license data. So basically people's identities, right? And the government ordered the company to pay for the replacement of victims' IDs, right? So that's one of the extreme cases, right? Well, data theft can also result in supply chain, have collateral damage. And basically hurt third parties because the data that you have on your server, your computer, it's not only your data, right? Let's be fair, it's also whether your employee data is out there. Also, your customer data, your client data, your provider data, and whatnot. So, you know, the collateral damage might be huge and in some cases, it is huge. We saw that with Solar Winds, Castilla Hack a while ago. And, you know, in some cases, as we already talked about it, criminals don't even extort the data. They just find that open database, data is out there for grabs and they just lock that data and, you know, ask for a ransom. Cyber criminals can steal your identity, steal your money and, you know, it can also lead to reputational damage and whatnot. It can be the whole domino effect. I mean, it depends on the data, but it's really serious.

[00:26:05] Cyril Noel-Tagoe: And I mean, especially considering, you mentioned stuff like identity theft that can have such an impact on an individual. So should people be worried if they see their company they're a customer of, has been a victim of a data leak? And what can we as consumers do to protect ourselves from harm if our data is leaked?

[00:26:27] Jurgita Lapienytė: Well, worry will get you nowhere, right? Of course we should be worried, but, we should just assume that our data is out there and it's not realistic to think that we are safe because so many companies, so many third parties sit on our data, right? And there's basically nothing you can really do about it because, none of the companies are immune to hacking, and so our data is not safe. So what we can do basically, is to look at how much data we share with those companies. So, you know, we should never share excessive data with any company, or that matter, just maybe put it publicly right out there. So, just limit the location data, the contact data, that you share with Facebook and other social media companies and whatnot. Also, one of the advices I truly believe in is just, do not reuse your password because your password can be hacked, even if that's a really strong one. But, you know, it still can be hacked by a persistent, advanced threat actor. You know? So just make sure that if one company has been hacked, the threat actor won't hack into your other accounts using the same credentials, you know, so that, let's try and keep that damage to a minimum. Then also I found myself, that multifactor authentication helps in so many cases. So go ahead and enable that on every account, every app you use and, you know, monitoring also your banking data, credit cards is always good because, well, basically scams are simply on the loose, right? So I also would suggest just go to any data leak, check if your data has been leaked. I'm sure it has been leaked. So, just go and check whether you need to enforce some stronger security on any of your accounts. Change passwords, you know, and whatnot. So yes, we should be worried, but we also should try and take matters into our own hands because we can, to at least to some extent, protect ourselves. Right? Just be smart about it.

[00:29:07] Cyril Noel-Tagoe: You know, those are some really great tips and I'll just second the, have unique passwords for every account. I mean, one of the things we deal with at Netacea a lot is credential stuffing. And that exists as an attack purely because people reuse passwords. Yeah, if you use separate passwords for every account, you know, that's a great help. Before we close out, thank you so much for sharing your insights with us. Do you have any closing remarks for our listeners?

[00:29:38] Jurgita Lapienytė: Well, you know, I could talk and talk about data leaks, but, you know, I just... it's my goal to... I want people to be interested in this. I know that we all tend to think, okay, that I'm too small. I'm of no interest to anyone, you know, so why would someone hack me? But then a lot of criminals, they are just, they're opportunistic, right? And they don't exactly pick their targets. They just kind of, do the mass phishing you know, the massive, mass attacks, and then they see who falls for it. And also, we might open back doors to our companies, right? To the corporations we work for, you know, and then it might have that collateral damage that I talked about, right? So, every one of us is on the hackers' radar. So we definitely need to take this seriously, right?

[00:30:41] Cyril Noel-Tagoe: Well, thank you so much Jurgita for sharing your time with us and thank you to all our listeners for tuning into this episode of Cybersecurity Sessions. If you enjoyed this podcast, please be sure to subscribe and like, or leave a review on your podcast platform of choice. We'd love to get your feedback. You can also get in touch with us via our Twitter, that's @cybersecpod, or by email to podcast@netacea.com. Thanks again for listening, and we'll see you again next month.