
What is Data Theft? (And How to Prevent It)


New findings from the Identity Theft Resource Center® (ITRC) reveal that 1,291 data breaches were reported in the United States between January 1st and September 30th, 2021, nearly 17% more than the 1,108 data breaches reported in all of 2020.

Another report from IBM, the Cost of a Data Breach Report 2021, analyzed over 500 data theft incidents and calculated the average cost of a data breach at $4.24 million, a $380,000 increase from last year’s figure of $3.86 million.

With data theft events on the rise, and the cost of data breaches trending upwards, now is the time for enterprise cybersecurity teams to harden their security and lock down any potential vectors for data theft attacks. 

Here’s what you need to know first.

What is Data Theft?

Data Theft is a type of cybercrime where digital threat actors use technical exploits or social engineering to gain access to protected systems (databases, devices, or networks) and steal sensitive data. 

The majority of data theft attacks (86% of them, according to Verizon’s 2020 Data Breach Investigations Report) are financially motivated. That’s why the most common types of records compromised in data theft incidents include:

  • Customer Personal Data – Cyber criminals steal information about the target organization’s customers and sell it to criminals who specialize in identity theft and financial fraud.
  • Employee Personal Data – Cyber criminals steal information about the target organization’s employees and leadership. This information may be used in fraud or identity theft scams, or to support phishing or business email compromise attacks.
  • Intellectual Property – Cyber criminals often attempt to steal intellectual property, such as internal business documents or the source code for a specific application. These assets may be sold on the black market to business rivals or other interested parties.
  • Payment Data – Cyber criminals can use stolen payment data, such as bank account or credit card numbers, to make fraudulent purchases. Stolen payment data may also be sold on to other scammers who specialize in financial crimes.

Data theft attacks can cause significant harm to the targeted organization, including brand and reputation damage due to negative press, loss of customer trust, legal and regulatory penalties, and costly unplanned downtime. 

To protect against these attacks, enterprise cybersecurity teams must understand how data theft happens and implement proactive measures to safeguard public and private attack surfaces against digital threat actors intent on stealing their data.

How Does Data Theft Happen?

Enterprises are moving towards data democratization, expanding data access from data scientists and analysts to include non-technical members of the organization. 

Data democratization promises to put data in the hands of decision-makers who need it, but it will also expand the attack surface for data theft attacks. To protect against these attacks, enterprises need to think about how they’re addressing at least 10 potential attack vectors for data theft.

Compromised User Credentials

When digital threat actors gain access to valid user credentials for the target system, they get free and easy access to steal enterprise data. User credentials for corporate databases may be stolen by hackers or purchased from malicious insiders. Brute force attacks can be successful against enterprise targets with weak password policies and authentication measures.

Phishing Attacks 

Phishing attacks use fraudulent communications, often via e-mail or social media, to trick corporate employees or executives into disclosing sensitive data. Digital threat actors may impersonate another employee via email, or attempt to steal credentials by directing the target to a look-alike domain.
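The look-alike domains mentioned above are something a defender can triage mechanically. The following is an added example, not code from ZeroFox or from the original post: it normalizes a candidate domain (lower-case, accent stripping, a small homoglyph table) and scores it against the organization’s real domain by edit distance. The brand domain, the candidate list and the homoglyph table are constructed for illustration, and the one-part-TLD assumption in `registrable_label` is a simplification.

```python
"""Triage candidate domains that resemble a brand domain (added example).

Assumptions, not from the article: a defender already has a feed of newly
observed domains (certificate transparency logs, registrar feeds, mail
headers) and wants to rank which ones look like the company's own
domain. The brand, the candidate list and the homoglyph table below are
constructed for illustration; a production table would be far larger.
"""
import unicodedata

# Constructed homoglyph table: characters commonly substituted for letters.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}


def normalize_label(label: str) -> str:
    """Lower-case, strip accents, and map known homoglyphs to ASCII letters."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in stripped)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label directly left of the TLD; assumes a one-part TLD such as .com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(candidate: str, brand: str, max_distance: int = 2) -> str:
    """Return 'exact', 'lookalike', 'contains' or 'unrelated' for a candidate."""
    if candidate.lower().rstrip(".") == brand.lower().rstrip("."):
        return "exact"
    cand = normalize_label(registrable_label(candidate))
    real = normalize_label(registrable_label(brand))
    # Same label after homoglyph mapping (examp1e.com) or under a different
    # TLD (example.net) both read as the brand to a hurried user.
    if cand == real or levenshtein(cand, real) <= max_distance:
        return "lookalike"
    # Brand name embedded in a longer label, e.g. example-login.com.
    if real in cand:
        return "contains"
    return "unrelated"


def triage(candidates, brand: str) -> dict:
    """Return only the candidates that deserve a closer look, with their class."""
    result = {}
    for candidate in candidates:
        cls = classify_domain(candidate, brand)
        if cls != "unrelated":
            result[candidate] = cls
    return result


if __name__ == "__main__":
    # Constructed candidate feed against a constructed brand domain.
    feed = ["examp1e.com", "ex\u0430mple.com", "exampel.com", "example.net",
            "example-login.com", "github.com"]
    for domain, verdict in triage(feed, "example.com").items():
        print(f"{domain:20s} {verdict}")
```

The edit-distance threshold is deliberately loose for short brand names; in practice the score is one input to an analyst queue, not an automatic block, and "contains" hits (brand-login, brand-support) tend to be the ones used for credential phishing pages.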

Cloud Misconfiguration 

As organizations become more dependent on the cloud, misconfigured cloud-based databases are being increasingly targeted by digital threat actors in data theft attacks. Inadequate governance in increasingly complex cloud environments results in exposed data that can be stolen by cyber criminals. 

3rd-Party Software Vulnerabilities

Enterprises support their daily operations with software from external providers, but vulnerabilities in 3rd-party software applications can leave enterprise networks susceptible to a data theft attack. Any external apps that connect to enterprise networks expand the potential attack surface for data theft attacks.

Physical Security Compromise

Data theft attacks can occur as a result of compromised physical security at facilities where data is stored. Threat actors can gain access to secure facilities using social engineering techniques, or simply by breaking in if security measures are insufficient. Opportunistic threat actors can take advantage of local political or social unrest by targeting physical locations for data theft attacks when local security and police resources are otherwise occupied.

Malicious Insiders

Malicious insiders include disgruntled employees who may steal data in an attempt to damage their employer, as well as opportunistic employees who may steal data or sell access credentials for financial gain. In either case, malicious insiders are a significant data theft risk due to the ease with which they can access enterprise data.

System Errors

System errors, bugs, and glitches have all been responsible for exposing enterprise data in the past, resulting in opportunistic data theft by digital criminals. 

Business Email Compromise

In a business email compromise (BEC) attack, a digital threat actor impersonates an executive leader within a business to trick employees into exposing sensitive data. 

Threat actors may impersonate business executives using spoofed email addresses, fake social media profiles, or by infiltrating and taking over their actual email or social profiles. Next, the threat actor will contact employees of the target organization and attempt to gain access to protected systems where sensitive data can be stolen.

Social Engineering

Social engineering involves the use of deceptive tactics to manipulate employees of a target organization into disclosing sensitive data. Social engineering weaponizes human behavior and emotions, with techniques like pretexting and creating urgency that can influence the target to disclose sensitive data. Sophisticated data theft attacks often incorporate a mixture of social engineering and technical exploits.

Lost Devices and Other Accidents

Lost devices and other accidents can also result in data theft incidents for enterprise organizations. Employees may misplace flash drives, mobile devices, or laptops that contain sensitive data or are configured to access secure databases. When these devices fall into the wrong hands, a data theft attack can take place.

5 Data Theft Examples

These five data theft examples from the past illustrate how threat actors are using different attack vectors to commit data theft attacks against their targets, and the potential damage that those attacks can cause. 

For each data theft example, we include a brief overview of the attack and describe the attack vectors or security vulnerabilities that were exploited.

Parler Data Scrape Exposes 70 TB of User Content

In January of 2021, a hacktivist in the United States used a simple Python script to systematically scrape and download what was described as “99% of the site’s public contents” from Parler.

The data haul included 70 terabytes of uploaded posts, images, and video, complete with timestamps and location metadata. This data was also tied to individual accounts, as users were required to verify their identities by uploading valid personal identification, such as a driver’s license, prior to posting.

Despite the massive breach of user privacy that took place here, this data theft incident was not considered criminal because the data was already unprotected, unsecured, and exposed to the public. In addition to virtually non-existent security measures, Parler’s sloppy programming and configuration left the door wide open for large-scale data theft.

Root Cause: Cloud Misconfiguration, Poor Security Policies

Colonial Pipeline Hack Nets Scammers $4.4 Million Ransom

The Colonial Pipeline, which runs from Houston, Texas, and provides gasoline to much of the Southeastern United States, was hit with a ransomware attack in May of 2021. The attack compromised Colonial Pipeline’s billing system and operators were forced to shut down the pipeline when they could no longer bill customers.

The attackers stole almost 100 GB of data and threatened to expose the data publicly unless a ransom was paid. Colonial Pipeline quickly paid a ransom of 75 bitcoins, worth nearly $5 million, in exchange for a software application that could restore their network and operations. 

It was eventually discovered that hackers gained access to Colonial Pipeline’s networks using compromised credentials to access a VPN account belonging to the organization.

Root Cause: Compromised Credentials

Massive Facebook Data Theft Incident Exposes 533M Users PII

In April of 2021, a massive treasure trove of personal data from over 500 million Facebook users appeared on the dark web. 

According to Facebook, this data was scraped from their platform sometime before August 2019 by exploiting a vulnerability in the Facebook address book that had since been patched. The vulnerability allowed scammers to scrape Facebook user data en masse by using the “import contacts” feature in the Facebook address book and searching by phone number.

Just like the Parler leak, this data theft incident was the result of misconfigured front-end services, rather than a back-end data breach. Still, it amounted to one of the largest data theft incidents ever recorded.

Root Cause: Application/Service Misconfiguration

Accellion Data Theft Case Accentuates Importance of 3rd-Party Security

The Accellion data breach took place in December 2020 and impacted at least 17 customers of the business collaboration and file-sharing software provider. 

A zero-day vulnerability in Accellion’s file transfer appliance (FTA) enabled digital threat actors to gain remote access to servers using the Accellion FTA system. Accellion released several patches addressing the vulnerability, but organizations that were slow to update became victims of data theft or ransomware attacks, including the US Department of Health and the University of California.

These data theft incidents demonstrate the importance of 3rd-party security, the potential impacts of 3rd-party vulnerabilities, and the need for enterprises to monitor 3rd-party applications and promptly update them as new patches are released.

Root Cause: 3rd-Party Software Vulnerability

Socialarks Data Breach Shows Need for Cloud Configuration Management

Socialarks, a social media management and marketing firm based in China, had over 400 GB of data and 318 million records stolen when a misconfigured Elasticsearch server was accessed and scraped by hackers in February 2021.

The data included personal information of social media users across multiple platforms, including Facebook, Instagram and LinkedIn. The data appeared to have been scraped from social platforms, but may have been enriched with data from other sources, as private phone numbers and email addresses were also exposed in the leak.

The Elasticsearch server that yielded this massive haul of data was completely unsecured and exposed to the public, with no password protection or encryption-based data security.

Root Cause: Cloud Misconfiguration, Poor Security Policies

Strategies for Preventing Data Theft

Now that you’re aware of the most common attack vectors, and the damage that can be caused by a data breach, how can you protect your enterprise against data theft? 

While there’s no one-size-fits-all approach to securing your data, organizations should work towards limiting data theft risks from the most common attack vectors, especially cloud misconfiguration, compromised passwords, and social engineering vectors like phishing and impersonation attacks.

As a starting point, we recommend the following strategies for securing your enterprise data assets against digital threat actors.

Audit Your Cloud Security Posture

As enterprise cloud environments grow in complexity, misconfigured cloud assets are a growing data theft concern. Enterprises should continuously review and audit their security posture and asset configurations in both cloud and on-prem systems to ensure that sensitive data are adequately protected and not exposed to the public.
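A concrete form of the configuration audit described above, for one common asset type: the example below is added here and is not code from ZeroFox or from the original post. It walks an S3 bucket policy and flags any Allow statement whose principal is the anonymous wildcard and which carries no condition tying that wildcard to a VPC, account or organization. The policies are constructed, and the account ID and VPC endpoint ID in them are placeholders; the function works on policy JSON exported out of band, so it needs no AWS credentials to run.

```python
"""Flag S3 bucket policy statements that grant anonymous access (added example).

Assumptions, not from the article: bucket policies have been exported as
JSON (for instance with `aws s3api get-bucket-policy`), so the audit runs
offline against plain dicts. The three policies below are constructed;
the account ID and VPC endpoint ID in them are placeholders.
"""
import json

# Condition keys that tie a wildcard principal to a specific VPC, account
# or organisation. A "*" principal guarded by one of these is not
# internet-facing in the way an unconditioned "*" is.
SCOPING_CONDITION_KEYS = {
    "aws:SourceVpce", "aws:SourceVpc", "aws:PrincipalOrgID",
    "aws:PrincipalAccount", "aws:SourceAccount", "aws:SourceArn",
}


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _is_scoped(statement) -> bool:
    """True if a Condition block restricts the wildcard principal."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key in SCOPING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def find_public_statements(policy) -> list:
    """Return (Sid, actions) for every Allow statement open to anonymous callers."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if _is_scoped(stmt):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


# Constructed sample policies (account and endpoint IDs are placeholders).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",
    }],
}

PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalyticsRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/analytics"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
    }],
}

VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WildcardButVpcScoped",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
    }],
}

if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_READ_POLICY), ("private", PRIVATE_POLICY),
                         ("vpc-only", VPC_ONLY_POLICY)]:
        print(name, "->", find_public_statements(policy) or "no public statements")
```

The check is intentionally narrow: it answers only "can an unauthenticated caller hit this bucket?", which is the question behind the Parler and Socialarks incidents above. A fuller posture audit would also look at bucket ACLs, the account-level public access block, and any IAM policies that grant `s3:*` more broadly than a role needs.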

Implement Password Protection and Authentication

Compromised credentials can leave enterprise networks vulnerable to data theft. The most proactive defense against these attacks is a strong password protection policy. Such a policy should at least require employees to:

  • Avoid using default passwords for any sensitive networks or systems,
  • Avoid using weak passwords (dictionary words), common passwords (“password”), or short passwords (“567”),
  • Change passwords regularly, usually every 60-90 days, and
  • Avoid reusing the same passwords over time.
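The four rules above can be enforced at password-change time rather than left to the employee. The following is an added example, not code from ZeroFox or from the original post: a policy check that rejects default, common, dictionary and short passwords, compares the candidate against a salted hash history so old passwords cannot be reused, and reports when a password has reached the rotation age. The word lists, the minimum length of 12, and the five-entry history depth are constructed choices, not values from the article.

```python
"""Check a proposed password against the policy described above (added example).

Assumptions, not from the article: the organisation keeps, per user, a
short history of salted password hashes plus the date of the last change.
The default, common and dictionary word lists below are constructed
stand-ins for the much larger lists a real deployment would use.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

DEFAULT_PASSWORDS = {"admin", "changeme", "default", "root", "welcome1"}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football", "sunshine"}
MIN_LENGTH = 12
HISTORY_DEPTH = 5
MAX_AGE_DAYS = 90
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; slow on purpose so a stolen history resists cracking."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_password_policy(password: str, history) -> list:
    """Return the policy rules the password violates (empty list means accepted).

    `history` is a list of (salt, hash) tuples for the user's previous
    passwords, newest first; only the first HISTORY_DEPTH entries are compared.
    """
    violations = []
    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS:
        violations.append("default password")
    if lowered in COMMON_PASSWORDS:
        violations.append("common password")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    # Drop digits and punctuation so "Summer2021!" is still caught as a dictionary word.
    letters_only = "".join(ch for ch in lowered if ch.isalpha())
    if letters_only in DICTIONARY_WORDS:
        violations.append("dictionary word")
    for salt, old_hash in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(password, salt), old_hash):
            violations.append("reused password")
            break
    return violations


def is_rotation_due(last_changed_iso: str, today_iso: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once a password is at least max_age_days old (dates as YYYY-MM-DD)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age >= timedelta(days=max_age_days)


def build_history(previous_passwords) -> list:
    """Constructed helper: hash previous passwords with fresh random salts."""
    history = []
    for pw in previous_passwords:
        salt = os.urandom(16)
        history.append((salt, hash_password(pw, salt)))
    return history


if __name__ == "__main__":
    history = build_history(["Correct-Horse-Battery-7", "Old-Password-2020"])
    for candidate in ["password", "567", "Summer2021!", "Correct-Horse-Battery-7",
                      "Tr0ub4dor&3-lantern"]:
        print(candidate, "->", check_password_policy(candidate, history) or "accepted")
    print("rotation due:", is_rotation_due("2021-01-01", "2021-04-01"))
```

Because each history entry carries its own salt, the candidate has to be re-hashed once per stored entry, which is why the history is capped: the cost of a reuse check grows linearly with its depth.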

Physical or biometric authentication techniques can also help ensure that only authorized persons can use valid credentials to access secure data.

Secure Endpoint Devices

In addition to password-protecting data, enterprises also need to think about how they’re securing access to endpoint devices. Lost or stolen laptops or mobile devices can pose a major risk to enterprise data if they are not properly secured. 

Enterprise IT teams should ensure that employees only access enterprise data on their work devices, and that those devices can be blocked, locked, or wiped remotely if they become compromised.

Update Software and Operating Systems

Software applications sometimes contain programming errors that can be exploited by digital threat actors to commit a data theft attack. When developers discover these bugs, they address them by releasing software updates (patches) to their users. 

If you’re ignoring new patch releases, that means you’re probably vulnerable to known exploits and it could just be a matter of time before you become a target for data theft. Be on the lookout for new bugs and patch announcements for your software tools and perform updates regularly to stay protected.

Deliver Security Awareness Training

Every employee within your organization has the capacity to act in a way that compromises your data. With that in mind, every employee should receive some level of security awareness training. Security awareness training should be relevant, actionable, and specific to the employee’s role. 

In addition to learning about enterprise cybersecurity policies, employees should learn how to recognize social engineering attacks, including phishing, business email compromise, and impersonation.

Alert on Suspicious Business Communications

Primary vectors for social engineering attacks against enterprise organizations include email, social media, and internal business collaboration software. 

To safeguard these channels and the employees who use them, enterprises can invest in 3rd-party software platforms like ZeroFox that monitor the public attack surface, detecting, identifying and alerting employees to suspicious communications before they become victims of social engineering or an impersonation attack.

Control Physical Access to Data

When it comes to protecting your most sensitive data, physical security is just as important as cybersecurity. It should be impossible for anyone to access the room where your data lives without specific authorization and oversight. 

Invest in Threat Hunting

IBM’s Cost of a Data Breach report found that enterprises in 2021 took an average of 287 days to identify and contain a data breach. When data breaches aren’t promptly detected, threat actors get prolonged access to secure systems and damage is multiplied. 

To effectively detect and prevent data breaches, enterprises need the ability to detect intruders and proactively hunt for threats in their networks using the latest threat intelligence.
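One hunt that follows directly from the Parler and Facebook examples above is looking for clients that enumerate resources far faster and more broadly than a person would. The example below is added here and is not code from ZeroFox or from the original post: it parses combined-format web access logs, slides a one-minute window over each client’s requests, and flags any client whose peak request count or peak number of distinct paths exceeds a threshold. The log lines, the IP addresses (from the documentation ranges) and the thresholds are all constructed.

```python
"""Hunt for bulk scraping and enumeration in web access logs (added example).

Assumptions, not from the article: logs are in the common nginx/Apache
combined format, and a legitimate user fetches a modest number of
distinct resources per minute. The log lines and thresholds below are
constructed; tune the thresholds against your own traffic baseline
before alerting on them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_enumerators(lines, window=timedelta(minutes=1), max_requests=20, max_distinct=15):
    """Return {ip: (peak_requests, peak_distinct_paths)} for clients that exceed
    either threshold inside any sliding window of the given length."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        peak_requests = peak_distinct = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            peak_requests = max(peak_requests, len(span))
            peak_distinct = max(peak_distinct, len({path for _, path in span}))
        if peak_requests > max_requests or peak_distinct > max_distinct:
            flagged[ip] = (peak_requests, peak_distinct)
    return flagged


def build_sample_log():
    """Constructed traffic: one scraper walking /users/N, one normal visitor,
    and one uptime monitor hitting a single path repeatedly."""
    base = datetime(2021, 1, 10, 14, 0, 0)

    def line(ip, offset, path, ua):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = [line("203.0.113.5", i, f"/users/{i + 1}", "python-requests/2.25.1")
             for i in range(30)]
    lines += [line("198.51.100.7", i * 10, p, "Mozilla/5.0")
              for i, p in enumerate(["/", "/login", "/feed", "/users/42"])]
    lines += [line("192.0.2.9", i * 5, "/healthz", "uptime-probe/1.0") for i in range(12)]
    return lines


if __name__ == "__main__":
    for ip, (reqs, distinct) in find_enumerators(build_sample_log()).items():
        print(f"{ip}: {reqs} requests / {distinct} distinct paths in one minute")
```

The two thresholds catch different things: a high request count alone also matches uptime probes and aggressive browsers, while a high count of distinct paths (here, sequential user IDs) is the signature of enumeration. Lowering `max_requests` in the sample flags the monitor too, which is the kind of false positive a baseline on real traffic is meant to remove.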

Access Timely Threat Intelligence

Cybersecurity is an arms race between digital threat actors and enterprise organizations attempting to protect against data theft. Threat intelligence is the cybersecurity function of collecting and analyzing information about digital threat groups and their recent attack behaviors to better anticipate threats against your organization.

Enterprises can gather their own threat intelligence through open source intelligence, tap into publicly available threat intelligence feeds or receive timely, relevant, and tailored threat intelligence updates from industry security leaders like ZeroFox.

Protect Your Organization from Data Theft with ZeroFox

ZeroFox helps protect your organization against data theft by monitoring the public attack surface for brand abuse, domain abuse, and impersonation attacks against your organization and its employees. 

The ZeroFox Platform combs through massive datasets across platforms including email, social media and the dark web to identify, detect and alert on fraudulent messages, social engineering attacks and data leakage, proactively protecting your enterprise from digital attackers targeting your organization for data theft.

Want to learn more about the digital threat landscape in 2021? Download our free report The Future of Digital Threats: 2020 Insights, 2021 Predictions to discover the latest techniques, tactics, and procedures being used by threat actors to commit data theft.
