On May 31 this year, an entry entitled „Check if your data is safe!” appeared on the gov.pl website. Certainly, reading such a headline on a government website alarmed many Internet users. The later content was also definitely not reassuring - „Due to the publication of logins and passwords of Polish users, the units responsible for cybersecurity in Poland have taken immediate action to limit the negative effects of this situation.” The entry itself was dedicated to encouraging readers to check whether their data has been disclosed. They could do it with the help of a specially created search engine located on the website bezpiecznedane.gov.pl. But how did this amount of data get leaked in the first place? Do such situations happen often? What can be done to protect against them?
On May 29, on the Polish-language Cebulka forum in the Tor network, a file called „pl.txt” was made available without any additional comment. It contained over 6 million lines, most of which were logins and passwords of Polish users and addresses of the websites they concerned. It was the first publication from an account created about two months earlier. The whole matter was revealed by the portal zaufanatrzeciastrona.pl, according to which „We are probably dealing with one of the largest one-off leaks in the history of the Polish Internet.”
The case was investigated by the CERT Polska Team (CSIRT NASK) operating within the NASK National Research Institute (Research and Academic Computer Network). According to this institution, the leak consisted of many smaller data sets obtained by information stealer malware from users’ devices. „Stealer” is a malicious BOT, most often unknowingly downloaded to the device by the user, which steals from the computer (or other equipment) all logins and passwords that have ever been saved in the web browser, and then passes them on to its creators.
What is a data leak?
Data leak is a situation when information that should be protected goes beyond the structures of the company to which it belongs (or which manages it) and reaches people or institutions that shouldn’t have access to it. It is the responsibility of the owner of the database or other important information to ensure that this data is protected, but this doesn’t mean that such unpleasant incidents don’t occur. For example, in 2011 data of Sony PlayStation Network and Sony Online Entertainment users were leaked, three years later, in 2014, a similar situation happened to the Yahoo search engine, and in 2016, Uber users were victims of a cyberattack. The target of data-stealing criminals aren’t only huge corporations - according to the Verizon report in 2020, data leaks occurred in every third company representing the SME sector (Small and Medium Enterprises).
What are the causes of data leaks?
Most often, the causes of this type of incidents are the negligence of employees (lost devices, poor password hygiene, leaving screens unlocked, etc.), outdated software or poor infrastructure and data being derived from the company, for example by former employees. However, data leak can also be the result of planned and well-thought-out attacks. In this case, hackers usually target specific companies or institutions and force security measures to intercept certain information, and then blackmail the victim, sell the stolen data on the black market or simply make it public. Most often, fraudsters use malware, social engineering or a method called SQL injection.
How can database owners defend against data leaks?
Companies with databases or other valuable information should take appropriate measures to prevent these types of attacks. Good practices that can be implemented include raising awareness and educating employees at all levels, using appropriate security systems and testing them (including attack simulations), using DLP (Data Loss Prevention) solutions to prevent data loss, as well as having and updating contingency plans in case of data leakage.
What can be the consequences of data leak from the company?
There are many consequences of a data leak for the company that managed it. Of course, the effect may be financial losses resulting from both the loss or disclosure of data (including in particular the loss of intellectual property) as well as possible compensation for customers or employees or statutory penalties for failure to ensure adequate security. After a leak, there may also be significant difficulties in the functioning of the company (the need to conduct an investigation, introduce new solutions, trainings, etc.). In the long run, however, image losses may be particularly severe, because certainly everyone will think twice before entrusting their data to a company that had a data leak in the past.
In the case discussed at the beginning, although it concerns huge amounts of data, the leak occurred on the part of the users themselves, so it is worth mentioning that it is also their responsibility to ensure that confidential information about them doesn’t fall into the wrong hands.
Cybercriminals are aware that most people use the same passwords (or variations of them) for different websites and services. So, having login details for one site, they can use them to try to get to other sites or log in to other applications and programs. Of course, they won’t do it manually, but with the use of specially created BOTs, often using machine learning techniques. The consequences can also be even more serious if accounts or devices have been hijacked.
How can users protect their data from being leaked?
Among the good practices exchanged in order to minimize the risk of data leak or taking control of devices, the following are mentioned:
- not clicking suspicious links or links of unknown origin,
- not downloading programs and applications from unauthorized sources,
- using a suitable anti-virus program and keeping it up to date,
- updating programs, web browser and using only the current version of the operating system,
- using different passwords for different websites, programs and applications,
- using difficult passwords or password management programs (e.g. KeePass),
- using two or three-step verification wherever possible and
- regularly changing passwords.
But what to do if your data has already leaked?
First, use another secure device to change passwords on all sites and programs where the compromised password was used. Then use an antivirus program to remove the threat on the infected hardware. Also, for a while, keep an eye on your inbox and notifications from the programs and apps you use, paying particular attention to login attempts, spam and other junk mail, and incoming bouncing emails (if you keep getting high volumes of non-delivery notifications, it’s possible someone is sending mass amounts of e-mails from your email address).