How Is Covid-19 Creating Data Breaches?

From telework mistakes to virus-related phishing links to new work processes to nation-state hackers, here’s how the coronavirus creates new opportunities for cybercriminals.

March 30, 2020

Trevor is working from home for the first time. He loves the freedom and flexibility, but doesn’t read his company’s new BYOD policy. Sadly, he misses the fact that his home PC is not protected with updated security software or the latest operating system patches.

Kelcie’s home PC is faster than the old work laptop that she’s been issued to use during the pandemic. She decides to use a USB stick to transfer large files back and forth between her PCs to speed things up.  After a few days, she does all her work on her home PC, using a “safe” virtual desktop app. But unbeknownst to her, there is a keylogger on her home PC.  

Emma is really worried about her mother’s health. She is constantly searching the Internet for the latest guidance and tips on how to get a Covid-19 test quickly. To her surprise, she is finding the best information on new Asian and European websites. The URL links seem secure, all starting with https://, so she’s not worried.

Liam doesn’t like the applications he’s been given by his local government to work from home. His friends have much better web conferencing tools and other productivity apps. Even though it’s against policy, he decides to take advantage of several free offers that software companies have made, so he downloads new apps. He tells himself, “It’s just temporary during the pandemic.”

Ben is a student who suddenly has all his classes online. He was also just laid off at the coffee shop, and has no extra money. He decides to use his neighbor’s WiFi to save cash, which he knows is unsecured but is pretty fast. Along the way, he discovers that he can also snoop on his neighbor’s files.

Question: What’s common across all of these situations? If you think each of them has potentially serious security concerns, you are correct.  

And these situations are just the tip of a virtual iceberg of security incidents that are being created right now as the global pandemic changes the way America (and much of the world) now works. We are facing a virtual tsunami of cyber problems related to these massive changes currently happening to people, processes and technology.

Most of these security issues are neither intentional nor performed with malicious intent. Nevertheless, inadequate or dated training contributes to the problems. Each of the well-meaning employees mentioned at the beginning of this piece is increasing the likelihood of a data breach with their online actions.

Most experts believe that public and private sector organizations will need to address numerous data breaches as a result of the extraordinary move to almost ubiquitous working from home within a few days and without much time for planning.  I will try to address some of these concerns in this blog, and point to early examples to watch and resources available to help.     

Yes, But…

No doubt, contrarians will say that all this potential data breach fuss is way overblown. This coronavirus, specifically the Covid-19 virus, has no ability to hack anything. This is a health emergency, and trying to scare people, with extra FUD, while we face an international pandemic is just plain wrong. Can’t we just drop all this cyber-mumbo-jumbo and help their grandmother get connected to Zoom – or perhaps speed up client WiFi networks a bit?

Better yet, send over some rolls of toilet paper and some canned soup.

But that line of thinking, though perhaps well-intentioned, is seriously flawed. Just as with March Madness, the Olympics (by the way, the 2020 version just got delayed a year) or hurricane response, major events are often catalysts for cybercrime.

In our current global pandemic situation, this 21st-century reality is not just true regarding phishing scams or fake news. Most people are dramatically changing their daily routines, and online life is becoming even more important as we try to communicate while implementing social distancing. The domino effect of this emergency has led to massive changes that are creating security vulnerabilities for people, processes and technologies.

As NBC News says in this article about our way of life: “It may never return.” (I actually think it will return to a major extent, but not to exactly the same place we left in February 2020.)

More Examples Please

This CNBC video from “Mad Money” shows some of the steps needed now for securing remote work.

To show that I am not alone in my views regarding a coming wave of data breaches during our current coronavirus emergency and after the pandemic subsides and staff head back to offices, here are some additional articles worth exploring, including some brief excerpts:

National Review: Working Remotely and Cyber Security During the COVID-19 Outbreak

 “The work from home dynamic creates a very opportunistic situation for hackers and phishers. Every home device or wireless connection is a potential entry point.  Moreover, with employees justifiably focusing on other things – their children, pets, health concerns, finances, etc. – data security is understandably not top of mind and employees' typical safeguards against cyberattacks are down. We have seen a significant rise in COVID-19-related phishing attacks, where hackers are taking advantage of individuals' fear and need for health, safety, and financial aid information. Unfortunately for businesses, a company can lose control over its data and be subject to significant legal liability due to a single email click or transmission of its data over an unsecured network. However, with appropriate planning, policies, and employee education and communication, companies can minimize risk and support their employees. …”

BankInfoSecurity.com: But Can Nation-State Hackers Be Stopped?

“Now that the World Health Organization has declared COVID-19 a pandemic, and U.S. President Donald Trump has declared a state of emergency, hackers with apparent links to the governments of China, Iran and other nations are using the crisis to create phishing emails designed to lure victims, according to Recorded Future.”

Wall Street Journal (WSJ): Coronavirus Cybersecurity Fallout Might Not Be Felt for Weeks or Longer

 “As millions of U.S. workers frantically pivoted to remote work last week, putting new strains on their computer networks, federal officials warned that hackers smelled blood.

But the fallout from coronavirus-related breaches may not become clear for weeks, months or even longer, experts say. The expected delay highlights how confusion from the pandemic has created long-term security risks that could eat up precious resources as the economy hurtles toward a recession. …”

International Association of IT Asset Managers (IAITAM): Unprepared Companies, Gov’t Agencies Sending Workers Home in Response to Coronavirus Face “Nightmare” Data Risks

Dr. Barbara Rembiesa, president and CEO of IAITAM, said:  “We always say that you can’t manage what you don’t know about and that is going to be a truth with nightmare consequences for many companies and government agencies struggling to respond to the coronavirus situation.  The impulse to send employees home to work is understandable, but companies and agencies without business continuity (BC) plans with a strong IT Asset Management (ITAM) component are going to be sitting ducks for breaches, hacking and data that is out there in the wild beyond the control of the company.”

Hard To Find Data Breaches

Another trend that will emerge is companies announcing the data breaches that do occur while other, more urgent headline news is grabbing the public’s attention. This happened with the Equifax data breach and hurricanes a few years back. Watch out for stories such as these:

TechCrunch: Princess Cruises, hobbled by the coronavirus, admits data breach

“Princess Cruises, the cruise liner forced to halt its global operations after two of its ships confirmed on-board outbreaks of the coronavirus, has now confirmed a data breach.

The notice posted on its website, believed to have been posted in early March, said the company detected unauthorized access to a number of its email accounts over a four-month period between April and July 2019, some of which contained personal information on its employees, crew and guests.

Princess said names, addresses, Social Security numbers and government IDs — such as passport numbers and driver license numbers — may have been accessed, along with financial and health information. …”

SiliconAngle.com: Samsung suffers data breach as coronavirus spreads through South Korea

 “A technical error resulted in a small number of users being able to access the details of another user,” Samsung said in a statement reported by The Register. “As soon as we became aware of the incident, we removed the ability to log in to the store on our website until the issue was fixed.”

How many users were affected remains a mystery. “Small number,” at least as described by Samsung, could mean millions of users given the company is the world’s largest seller of smartphones.

What is clear, however, is that those affected could see details of other Samsung users when logged into the Samsung shop.

Closing Thoughts

Some great resources are available to help with telework and other technology and security issues during the pandemic. These resources on working remotely can help prevent data breaches and other cybersecurity incidents. [Note: I rarely reference work from my day job in this blog, but the last item is a white paper I co-authored from Security Mentor, Inc.] Three of these top resources are:

Government Technology Magazine: Resource Guide to Coronavirus for Government Leaders

National Association of State CIOs (NASCIO): COVID-19 Planning and Response Guidance for State CIOs

Security Mentor, Inc.: Key Considerations for Quickly Transitioning to a Remote Workforce / March 2020
