Since last October, Terbium Labs has seen a steady stream of data coming out of Brazil. We’ve talked about this before, when news broke about the Poseidon Group last year. We’ve had ongoing discussions with others in the industry about the kind of data we’re seeing (hint: there’s a lot of PII) and why. We expected to see an increase in activity around the Olympics, and we did.
So, how did it all shake out?
The Olympics aren’t over yet. Let’s start there. The Paralympic games begin September 1st, and Rio will continue to play host to a series of incredible athletes from around the world. The media’s coverage, however, will fall off steeply now that the closing ceremonies for non-disabled athletes are over, and along with the drop-off in media coverage, we expect to see a slight drop-off in leaked data.
Data leaks won’t stop, however. They never do.
What exactly has happened so far, though? About what you’d expect: a lot of talk, a little action, and an indeterminate number of individuals who now face compromised personal information. Along with the host of DDoS attacks on Olympic sites, we saw new and steady dumps of personal information appear across popular paste sites and dark web forums. As with the data leaks before the Olympics, these leaks included information from public institutions, government agencies, law enforcement, retailers, telecoms, payment processors, and other regional institutions that everyday Brazilians trust with their information.
In keeping with the same patterns as the earlier leaks, we saw similar operations depending on the type of leak. Dumps designed to be distributed internally through social media and forums appear unsigned and unattributed. When creators are sharing through Twitter, messaging systems, and forums, it’s a lot easier not to sign your work. The more “hacktivist” dumps, however, tend not only to contain signatures, but also to directly cite motivations. Earlier last week, “AnonOpsBrazil” dumped the Olympic Broadcasting Service’s database, with the following salutation:
“Hello, Rio de Janeiro. We know that many have realized how harmful it was (and still is) [to have] the Olympic Games in the city.”
Why did hackers release this information? Because they could.
Because the Olympics provided a unique platform to promote new players on the field, or to get a little more attention directed to their Twitter account. Because of commentary on government oversight, misused resources, and the problems that face the Brazilian economy and employment rates. Because the internet provides a platform for activism with a broader audience than any street corner possibly could. All eyes were on Brazil, and how can the media resist the call of an #OlympicHacking hashtag?
Somehow, though, they did resist it.
High-profile breaches were few and far between, and the DDoS attacks make for a better headline. Unfortunately, that still leaves a huge number of dumps containing personal information simply floating along, waiting to be exploited further. These breaches are quiet by design: 300 credentials here, a thousand names there, a few dozen payment accounts, and no one expresses concern.
That’s the problem. No one seems to be concerned about the volume of small PII dumps that appear all day, every day. For the publicized breaches that make headlines, Terbium sees five to ten smaller attributed data leaks every week. Organizations must be proactive about protecting their data, both their employees’ and their customers’, or accept the consequences when a small leak turns into a big problem. The steady stream of small leaks is what organizations should worry about, but that’s never going to make headlines.
So what’s the deal with Brazil? Nothing. It’s just another day on the internet.