“Users should be wary of social engineering” — experts about mass personal data leaks

According to experts, the risk that one in thousands of employees decides to earn extra cash by stealing data is close to 100%

Over the past few days, Russians have faced two large-scale personal data leaks at once. First, data on 60 million credit cards of Sberbank customers appeared online (officially, the bank speaks of about 200 victims), and then Beeline “distinguished” itself: the data of several million customers of the telecom operator also ended up in the public domain. Read about how the leaks occurred, who needs your personal data and how to prevent such cases in this article by Realnoe Vremya.

“Non-critical” leak of Sberbank

Data on 60 million credit cards of Sberbank customers appeared on the black market in early October. The seller offered potential buyers a trial fragment of the database: 200 lines containing the data of 200 people from different cities served by the Ural territorial bank of Sberbank. The database contained detailed personal data as well as detailed financial information about credit cards and transactions. August 24, 2019 is indicated as the operating day, which may point to the date of the leak.

Sberbank confirmed the leak of credit card data of 200 customers and began an internal investigation, which quickly identified the alleged perpetrator.

“The bank’s security service, in cooperation with law enforcement agencies, identified an employee of the bank, born in 1991, a sector manager in one of the bank's business divisions, who had access to databases in the course of his official duties and who tried to steal client information for mercenary purposes,” the press service of Sberbank reported. “Yesterday, the employee gave a confession statement, and representatives of law enforcement agencies are now carrying out procedural actions. There is no threat of leakage of customer data (apart from the credit card data of 200 bank customers). In all cases, there was no threat to the safety of the bank's clients' funds.”

The inspection additionally established that at the end of September the suspected employee “sold a total of five thousand credit card accounts of the Ural Bank of Sberbank, a considerable number of which are outdated and inactive, in several tranches to a criminal group on the deep web.”

Sergey Golovanov, a leading anti-virus expert at Kaspersky Lab, is sure that the recent data leak is unpleasant but, in this case, not critical, because the attackers do not have the CVVs or the passwords to personal accounts in Internet banking.

“As for precautions, first of all, users should be wary of social engineering. The attackers now have a better chance of winning the client's trust. If they have a card number, they will try to find out the CVV, the password for Internet banking or the code from the SMS. This information should never be disclosed to anyone. One should also be wary of the following scheme: an alleged bank employee calls the customer, asks for nothing or merely checks the information already available to him or her, reports a blocked fraudulent transaction, and then strongly recommends installing certain software on the phone, sending a link to it by SMS. One should never do this: the link may lead either to a banking Trojan or to a programme for remote control of the device,” said the expert.

“Outdated” data of Beeline

Beeline has recently found itself in a no less unpleasant story: information about almost 9 million users who connected to home Internet through this operator has also been leaked.

As a result of an internal audit, it was found that some of the information in the distributed archive does contain data from the subscriber base of fixed-line Internet customers (broadband Internet access), but a significant part of the information is outdated and irrelevant.

“At the end of 2017, the company recorded a leak of information about broadband customers due to malicious actions of a number of persons. The measures were immediately taken to prevent the recurrence of such incidents and to bring the perpetrators to justice,” TASS quotes the press service of Beeline.

The company also pointed out that at the end of the second quarter of this year it had only 2.5 million wired Internet subscribers, while the archive allegedly contains data on almost 9 million users.

“This vulnerability is enough to steal the data”

Commenting on the Sberbank situation, Alexey Parfentyev, head of the analytics department at SearchInform, suggested that in this case it is not quite correct to lay all the responsibility on the human factor.

“Sberbank has a huge client database, and a very limited circle of persons has access to this information. I do not mean operators who have the opportunity to look at the dossier on a particular client, but those who can upload data on tens of millions of customers. Accordingly, it is highly likely that the leak was initiated by a privileged employee, not with administrative privileges, but with technical ones.”

This employee understood that the bank was using some kind of data protection system that monitors, detects and prevents leaks. The market offers programmes with quite different functionality, so he faced two questions: ‘What is the system?’ and ‘What vulnerabilities does it have?’ The answer to the first question he could simply know as a privileged user. And he could find it literally in three clicks, on the tender site through which the bank bought the software.

After that, he had to deal with the problems the protection system used by Sberbank had. There are, by the way, not many of them, but enough to organize the incident. For example, this particular system does not see the transfer of data through remote administration tools, such as TeamViewer, if the data is transmitted through the programme's interface. This vulnerability is enough to steal the data. And it is not the only vulnerability of this software,” the expert believes.
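The gap described above, a protection system that does not inspect data moving through a remote administration tool, is something a security team can at least detect by correlating two logs it usually already has: the database audit trail (who exported how many rows from which workstation) and endpoint process events (which remote-administration tools were running on that workstation at the time). The following script is an added example written for this article; it is not code from Realnoe Vremya, SearchInform or any DLP vendor. All log lines are constructed, and the list of tool names and the bulk-export threshold are assumptions.

```python
"""Added example (not from the article or any vendor): correlate DB audit events
with endpoint process events and flag bulk exports that happen while a
remote-administration tool is running on the same host.
All sample log lines are constructed; tool names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: DB audit log (who exported how many rows from which host).
DB_AUDIT = [
    "2019-08-24T09:12:03 user=op_ivanov host=WS-0412 action=SELECT table=cards rows=37",
    "2019-08-24T09:40:51 user=mgr_sidorov host=WS-0201 action=EXPORT table=cards rows=5000",
    "2019-08-24T10:05:17 user=mgr_sidorov host=WS-0201 action=EXPORT table=cards rows=120000",
    "2019-08-24T11:30:00 user=dba_petrov host=SRV-DB01 action=EXPORT table=cards rows=80000",
]
# Constructed sample: endpoint process events in an EDR-agent style.
PROC_EVENTS = [
    "2019-08-24T09:35:10 host=WS-0201 event=process_start image=TeamViewer.exe",
    "2019-08-24T10:50:00 host=WS-0201 event=process_stop image=TeamViewer.exe",
    "2019-08-24T11:00:00 host=SRV-DB01 event=process_start image=sqlservr.exe",
]

REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "anydesk.exe", "ammyy.exe"}  # assumed watch-list
BULK_ROWS = 1000  # assumed threshold for "bulk" export


def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def remote_admin_windows(proc_lines):
    """Per-host time windows during which a watched remote-admin tool was running.
    A start without a matching stop is treated as still open."""
    windows = defaultdict(list)
    open_starts = {}
    for rec in map(parse, proc_lines):
        image = rec["image"].lower()
        if image not in REMOTE_ADMIN_TOOLS:
            continue
        key = (rec["host"], image)
        if rec["event"] == "process_start":
            open_starts[key] = rec["ts"]
        elif rec["event"] == "process_stop" and key in open_starts:
            windows[rec["host"]].append((open_starts.pop(key), rec["ts"]))
    for (host, _), start in open_starts.items():
        windows[host].append((start, datetime.max))
    return windows


def find_suspicious_exports(db_lines, proc_lines, bulk_rows=BULK_ROWS):
    """Return (user, host, iso_time, rows) for bulk exports overlapping a remote-admin session."""
    windows = remote_admin_windows(proc_lines)
    hits = []
    for rec in map(parse, db_lines):
        if rec["action"] != "EXPORT" or int(rec["rows"]) < bulk_rows:
            continue
        for start, end in windows.get(rec["host"], []):
            if start <= rec["ts"] <= end:
                hits.append((rec["user"], rec["host"], rec["ts"].isoformat(), int(rec["rows"])))
                break
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_exports(DB_AUDIT, PROC_EVENTS):
        print("ALERT bulk export during remote-admin session:", hit)
```

On the constructed sample the two exports by mgr_sidorov are flagged because TeamViewer was running on WS-0201 at the time, while the export from the database server itself is not, since no watched tool was active there. The point of the correlation is that neither log alone tells the story: the audit trail shows a legitimate-looking export by a privileged account, and the process log shows a common support tool.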

At the same time, the head of analytics at SearchInform doubts that the data was physically extracted.

“I don't really believe in hard drive theft and other physical data extraction options. If the fraudster, according to the bank, is a regional employee, he first had to download the information, and only then extract it from there. It is technically very difficult to download the full database from the head office where the server is located. And stealing data directly from the server via the hard drive is an even more dubious version. First, the data is stored encrypted. Second, the databases are hardly stored on a single hard disk on the server. A DBMS server almost always has a RAID array, not just a single HDD,” Alexey Parfentyev believes.

“Programmes help to predict the intention of a potential fraudster”

According to the head of the analytics department at SearchInform, there will always be those who want to harm the company from the inside. On many forums where databases are traded, right on the front page you can find banners with the following content: “We are always glad to see people who work in banks, insurance companies, mobile operators. Daily payments, large sums of money.”

“An advertising campaign at the level of professional headhunting. At the same time, even in large companies, not all employees earn as much as they would like. For this reason, the risk that one of thousands of employees decides to earn extra money is close to 100%, and information security units need to be constantly vigilant,” Alexey Parfentyev explains the motives of negligent employees who leak personal data.

The expert is sure that the human factor in such stories is very important. To prevent similar incidents at an early stage, systems that stop a leak at the moment it happens or simply block access in real time are not enough.

“It is necessary to understand that data theft is a whole process for which a person prepares in advance. And now the whole IT world faces the question: ‘How to see this process at the earliest possible stage — at the level of intentions?’ To solve this problem, security programmes have learned not just to stop information leaks, but also to analyze employees' statements, evaluate their loyalty, and so on. However, this is not the first stage. Programmes are developing in the direction of assessing user behaviour and profiling employees, which makes it possible to predict the intention when a potential fraudster has not yet manifested himself. The person's psychotype, the risks associated with it and many other things are assessed. This direction is now considered the most promising, and we have chosen the same way,” our interviewee concludes.
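The "assessing user behaviour" the expert refers to rests on a simple idea: compare what an employee does today with what that employee, and comparable colleagues, normally do. The script below is an added example written for this article, not code from SearchInform or any product it sells, and it deliberately stays with the most basic form of such a baseline: each employee's latest daily count of customer records accessed is scored against his or her own history (standard score) and against the peer group's latest counts (ratio to the median). All names, counts and thresholds are constructed assumptions; real deployments use far richer signals, as the quote itself notes.

```python
"""Added example (not from the article, SearchInform or any product): a minimal
behavioural baseline over a constructed per-employee daily count of customer
records accessed. The latest day is compared with the employee's own history
and with the peer group, and flagged when it deviates sharply.
Names, counts and thresholds are constructed assumptions."""
from statistics import mean, median, pstdev

# Constructed sample: employee -> daily count of customer records accessed,
# oldest day first, latest day last.
DAILY_ACCESS = {
    "op_ivanov": [31, 28, 35, 30, 29, 33, 32],
    "op_kuznetsova": [40, 38, 45, 41, 39, 44, 42],
    "mgr_sidorov": [55, 60, 52, 58, 57, 61, 4900],  # sudden bulk access on the last day
}


def zscore(history, value):
    """Standard score of `value` against the employee's own history.
    A flat history (zero variance) makes any change count as an extreme deviation,
    so an anomaly is not silently masked by a division by zero."""
    if len(history) < 2:
        return 0.0
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if value == history[0] else float("inf")
    return (value - mean(history)) / sd


def assess_employees(daily_access, self_threshold=3.0, peer_ratio=10.0):
    """Return {employee: (own_z, ratio_to_peer_median, flagged)} for the latest day.
    An employee is flagged if the latest count is more than `self_threshold`
    standard deviations above the personal baseline, or more than `peer_ratio`
    times the median of the peers' latest counts."""
    latest = {user: counts[-1] for user, counts in daily_access.items()}
    results = {}
    for user, counts in daily_access.items():
        own_z = zscore(counts[:-1], counts[-1])
        peers = [v for u, v in latest.items() if u != user]
        peer_med = median(peers) if peers else 0
        ratio = counts[-1] / peer_med if peer_med else 0.0
        flagged = own_z > self_threshold or ratio > peer_ratio
        results[user] = (own_z, ratio, flagged)
    return results


if __name__ == "__main__":
    for user, (own_z, ratio, flagged) in assess_employees(DAILY_ACCESS).items():
        status = "FLAG" if flagged else "ok"
        print(f"{status:4} {user:14} own_z={own_z:9.2f} peer_ratio={ratio:8.2f}")
```

On the constructed data only mgr_sidorov is flagged, on both criteria at once. The peer comparison uses the median rather than the mean precisely so that one employee's extreme day does not drag the whole group's baseline with it and hide the outlier.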

By Lina Sarimova