October 24, 2016

Privacy Concerns for Employees – and Their Organizations

Last month, Yahoo announced that hackers had stolen personal information linked to at least 500 million user accounts. The compromised information included login names, hashed passwords, email addresses, phone numbers and birth dates, along with secret security questions and answers. The breach originally occurred sometime in 2014, but the company did not disclose it until the September 2016 announcement. Given that Verizon is currently in the process of acquiring Yahoo for $4.83 billion, the breach is stirring new questions about cybersecurity in M&A and the adequacy of current disclosure rules.

This high-profile incident demonstrates how breaches like this can create unforeseen situations for all enterprises and their employees. Many individuals have not used their Yahoo accounts for years, yet the associated email addresses, passwords, phone numbers and secret Q&As are still valid and used across a series of other personal accounts, and even potentially in the enterprise. As the line continues to blur between the personal and business-intended usage of devices, applications and websites, organizations can jeopardize their security posture if their employees do not proactively follow vigilant steps to protect their data and privacy.

As we seek to educate readers in this space with National Cyber Security Awareness Month underway, let’s break this down into two takeaways:

Your employees are likely connected to Yahoo – in some manner. Even if they do not have a Yahoo email account, they may have had one in the past. What’s more, it’s conceivable that they’re taking advantage of other Yahoo-associated online products, such as Yahoo Finance, Flickr, Tumblr or its popular fantasy football platform – which creates a Yahoo-linked account. Much of the information shared and added to the account detail remains, regardless of whether or not use of that particular service/account is discontinued. If employees are setting up Yahoo accounts on devices that they also depend upon to connect to the organization’s network, it could impact your cyber defense capabilities. Especially because…

…hackers find a lot of information in these accounts valuable. Where to begin? There is the aforementioned personal information – phone numbers, passwords, birth dates, as well as a wealth of additional details – stored there. Banks will send links to users to direct them to monthly checking account and credit card statements, for example. Additionally, employees may have used their Yahoo email to send their resumes to your HR department when they were looking for their current role. An adversary can cause harm by leveraging the information to pose as a current employee to ultimately gain entry to payroll systems and other sources of confidential data. A compromised email account can also be used to send malicious links and attachments to other employees via their work and even personal email accounts. Using a compromised account will typically bypass common anti-spoofing controls. This can cause significant and widespread issues, as illustrated by the number of accounts impacted by the Yahoo breach.

Often with login information, the adversary can gain “keys to the kingdom” access to many other sites that employees join, such as PayPal, Amazon, etc. Or they can attempt to access your corporate network using the same credentials, or slight variations of them. The theft of secret questions and answers data also poses a risk to organizations that use single-sign-on technologies and automated password reset tools whereby the secret challenge is used to verify the identity of the individual. How does this relate to the Yahoo incident? Unfortunately, people still rely upon the same logins and passwords for different sites and networks, despite the risks. Combining this access with the corporate intelligence they’ve gathered, adversaries can make purchases via these sites and charge them to your business. Thanks to automated tools which are readily available on the black market, cyber criminals can rapidly match thousands of accounts to the PayPals, Amazons and corporate networks of the world to go on a massive shopping spree – at your expense.
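On the defensive side, automated credential matching of this kind leaves a recognizable trace in authentication logs: one source tries many different accounts, most attempts fail, and the few that succeed are the accounts with a reused password. The sketch below is an added example, not Forcepoint code; the log format, thresholds and function names are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict

# Assumed thresholds; tune against your own login baseline.
MIN_DISTINCT_USERS = 4    # different accounts tried from one source
MIN_FAILURE_RATIO = 0.7   # share of that source's attempts that failed

# Constructed sample events: "timestamp src_ip username result"
SAMPLE_LOG = """\
2016-10-24T09:00:01 198.51.100.20 alice OK
2016-10-24T09:00:05 198.51.100.20 bob FAIL
2016-10-24T09:00:09 198.51.100.20 bob OK
2016-10-24T09:00:12 198.51.100.20 carol OK
2016-10-24T09:00:15 198.51.100.20 dave OK
2016-10-24T09:01:00 203.0.113.7 alice FAIL
2016-10-24T09:01:01 203.0.113.7 bob FAIL
2016-10-24T09:01:02 203.0.113.7 carol OK
2016-10-24T09:01:03 203.0.113.7 dave FAIL
2016-10-24T09:01:04 203.0.113.7 erin FAIL
2016-10-24T09:02:00 192.0.2.44 heidi FAIL
2016-10-24T09:02:10 192.0.2.44 heidi FAIL
2016-10-24T09:02:20 192.0.2.44 heidi OK
"""

def parse(log_text):
    """Yield (src_ip, username, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than guessing
        yield fields[1], fields[2], fields[3] == "OK"

def find_stuffing_sources(log_text):
    """Return {src_ip: accounts that logged in OK} for flagged sources."""
    attempts = defaultdict(list)
    for src, user, ok in parse(log_text):
        attempts[src].append((user, ok))
    flagged = {}
    for src, events in attempts.items():
        users = {u for u, _ in events}
        failure_ratio = sum(1 for _, ok in events if not ok) / len(events)
        if len(users) >= MIN_DISTINCT_USERS and failure_ratio >= MIN_FAILURE_RATIO:
            # Successes from a flagged source are likely reused passwords.
            flagged[src] = sorted({u for u, ok in events if ok})
    return flagged

if __name__ == "__main__":
    for src, hit in find_stuffing_sources(SAMPLE_LOG).items():
        print(src, "matches the pattern; reset and review:", hit)
```

The shared office address (many users, mostly successful) and the single user mistyping a password are deliberately not flagged; only the source that combines many accounts with a high failure rate is, and its one successful login is the account to reset first.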

The good news? Employee awareness matters. It’s critical to set up educational programs so everyone understands the need to establish different passwords for different accounts. But it doesn’t stop there. Employees must also change them on a routine basis. This way, the damage of a breach is limited to the site that was compromised – not every site that victims use during the week.

At Forcepoint, we’re constantly helping enterprise customers launch awareness programs that cover these and other crucial topics. In addition, we provide cybersecurity tools – which enable network segmentation and the monitoring/mitigation of both accidental and intentional insider threats – that are proven to effectively combat modern attack methods. If you’d like to learn more please contact us.
