Data leaks: how can you avoid them?

Discover the best practices to implement

5,000 personal data breach notifications were made to the CNIL, the French data protection authority, in 2021, an average of 20 per day. That is a 75% increase on 2020: personal data breaches now spare no one and have become a highly sensitive issue for businesses and individuals alike. What are the main factors behind these incidents, and how can they be avoided?

Over the course of 2021, PwC investigated several dozen incidents directly linked to data leaks and carried out cyber threat intelligence activities (reconnaissance, Deep and Dark web surveillance). This work enabled us to identify the four main factors at the root of these incidents and the courses of action to deal with them.


1- Vulnerabilities

One of the main causes of data leaks is the exploitation of a security flaw in a company's information system or computer network by a malicious group.

Certain vulnerabilities, such as ProxyShell, ProxyLogon and Log4j, were particularly prominent in 2021. PwC's investigations into these vulnerabilities showed that they were exploited on numerous occasions by different attackers (state actors, opportunists, etc.) targeting all types of organisation, regardless of size.

In this context, several thousand businesses have been exposed to these vulnerabilities, as demonstrated by the Bundesamt für Sicherheit in der Informationstechnik (BSI), the German agency responsible for information systems security, which identified more than 60,000 servers vulnerable to the ProxyLogon flaw at the beginning of March 2021. It should be noted that some attacks were triggered several months after the initial compromise through the flaw, because of the persistence mechanisms the malicious actors had deployed in the meantime.


How can you protect yourself?

Identify all your systems exposed on the Internet, and check those assets for the most critical vulnerabilities as a priority. Where needed, install patches quickly to reduce the window of exposure and, at the same time, investigate these systems for signs of earlier compromise: a patch closes the flaw but does not remove the persistence an attacker may already have installed.


2- Configuration weaknesses

Configuration errors such as an unprotected database or a weak password often lead to massive data leaks.

The security of a database against potential attacks depends heavily on its configuration. When it is configured incorrectly, all of the data (including the most sensitive) can be exposed, as shown by the incidents involving Elasticsearch and MongoDB databases. In 2021, PwC investigated several incidents caused by a database configuration weakness that led to the disclosure of health data or information on financial transactions.


How can you prevent this?

Configure your database carefully, putting in place all the necessary security measures. At the same time, carry out regular discovery activities (reconnaissance) of your own external exposure.

For remote access (remote working, VPN, VDI), configuring the connection options is also essential for data protection. Very often these accesses are protected by passwords that are too weak or reused across several services, without multi-factor authentication. This makes numerous attacks possible, such as "password spraying", "credential stuffing" or the use of passwords bought on hacking forums.


How can you protect yourself?

Choose complex passwords, change them regularly and extend multi-factor authentication wherever possible.
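As an added illustration (not PwC's code or tooling) of how the password spraying described above shows up in authentication logs, the following Python flags a single source that fails against many distinct accounts in a short window and reports any account that then logged in successfully from that source. The log format, account names, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical VPN gateway; the format is an assumption.
SAMPLE_LOG = """\
2021-11-03T08:00:01Z vpn-gw auth FAIL user=alice src=203.0.113.7
2021-11-03T08:00:04Z vpn-gw auth FAIL user=bob src=203.0.113.7
2021-11-03T08:00:09Z vpn-gw auth FAIL user=carol src=203.0.113.7
2021-11-03T08:00:15Z vpn-gw auth FAIL user=dave src=203.0.113.7
2021-11-03T08:00:20Z vpn-gw auth OK user=erin src=203.0.113.7
2021-11-03T08:01:00Z vpn-gw auth FAIL user=alice src=198.51.100.4
2021-11-03T08:02:00Z vpn-gw auth FAIL user=alice src=198.51.100.4
2021-11-03T08:03:00Z vpn-gw auth OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Return (timestamp, result, user, src) tuples in time order; skip unmatched lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)

def detect_spraying(log_text, window=timedelta(minutes=10), min_users=4):
    """Flag sources whose failures hit >= min_users distinct accounts within one window.
    One account failing repeatedly (alice from 198.51.100.4) is not a spray and is ignored."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in parse(log_text):
        (failures if result == "FAIL" else successes)[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                # A success from the same source after the spray began is the account
                # most likely compromised: reset it and enforce MFA on it first.
                hits = sorted(u for t, u in successes[src] if t >= start)
                alerts[src] = {"sprayed": sorted(users), "success_after": hits}
                break
    return alerts
```

Running `detect_spraying(SAMPLE_LOG)` flags 203.0.113.7 and names erin as the account to reset first; the repeated failures of one user from 198.51.100.4 are left for a separate brute-force rule.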


3- Third parties

The SolarWinds and Kaseya crises have highlighted the risks of data leaks linked to third parties, and more particularly to the supply chain. A company must not only protect itself internally and externally, but also ensure the security of its third parties. In fact, 21% of successful cyber attacks against companies in 2021 were so-called "rebound attacks" (attacks reaching the company via a service provider, customer or supplier). The problem is all the more significant when a company depends heavily on a single software supplier or IT service provider: an attack on that provider can then lead to mass data leaks. This was the case in July 2021, when the IT management software vendor Kaseya was hit by ransomware, affecting between 800 and 2,000 of its customers.


How can you protect yourself?

Draw up a precise inventory that identifies the third parties who handle your sensitive data or have privileged access to your information system (IS). For these critical third parties, set up a monitoring system covering several aspects: contractual clauses on incident notification, emergency isolation measures, and the data leaks and incidents affecting them. Threat Watch, the threat monitoring and anticipation platform developed by PwC, can help you identify the risks to which you are exposed so that you can combat them more effectively. In addition, carry out regular security audits.

4- The internal threat

Although less well known, the leakage or loss of data through the malice or negligence of an employee can have serious consequences. Such incidents are particularly difficult to identify, and investigations rarely yield results.


How can you prevent them?

Focus on the classification and storage of sensitive data and on managing access to it. Pay particular attention to temporary access to the systems that host sensitive data. It may also be worth equipping yourself with an investigation tool based on data analysis, such as Connected eDiscovery, to combat internal fraud more effectively.