Smells Like Teen Cybercrime
It’s been a staple trope of fiction for a while now: the shadowy, mysterious hacker who eludes all of law enforcement’s efforts, until at last they’re revealed to be some teenager. Usually this is an isolated event, but over here in reality, it’s now becoming a more common trend. Leaders in the cybersecurity field point out the data dangers posed by bored teenagers, as seen with the likes of Lapsus$ and Scattered Spider. These hackers have employed convincing phishing schemes to finesse their way into hotels and tech companies, to name a couple of industries. While these scams don’t appear all that advanced compared with the methods of more sophisticated cybercriminals, simple tools like phishing emails and SIM swapping were sufficient for the purpose, exploiting the human element as standard social engineering attacks do.
This scale of data breach used to be the purview of nation-state-backed hackers, motivated by some blend of profit and/or national interests. The democratization of these skills means that now we have a lot of bored youths with time on their hands, willing to carry out serious data breaches. To paraphrase Michael Caine in The Dark Knight, “some kids just want to see the world burn.”
“It’s a different motivation than the traditional adversaries that enterprises see,” says Darren Gruber, technical advisor at MongoDB.
In other news, an August data breach of oil giant Halliburton has, to this point, cost the organization $35 million (a small drop for a multinational corporation, but still a headache). Ransomware hackers successfully exfiltrated data in the attack, and the investigation is still ongoing. This leaves the possibility that, though the oil giant’s damages are low for now, the culprits could still decide to sell the data on the dark web, increasing the chances of a more material impact on Halliburton’s finances.
For those of us who don’t quite have the resources of a multibillion-dollar corporation, incurring hefty fines is still an unwelcome prospect. Customer outcry led to the likes of GDPR several years ago, and regulatory efforts are constantly evolving. Who knows what might come down the pipeline? Bored teens are never in short supply, and as long as cybercrime is an appealing enough option for those with an inclination, there will be no rest for organizations that aren’t prepared to handle a data breach.