- Data extortion is a new battlefield in cyberattacks, with hackers stealing customer and employee data and threatening to publicly disclose it.
- An estimated $219 billion will be spent on cybersecurity this year, yet cybercriminals continue to develop attacks and are more often after personal devices, especially those owned by executives.
- OpenAI recently documented a bug in an open source data provider that made some personal chat histories, payment information, and addresses visible to others.
The cybersecurity world faces new threats beyond targeted ransomware attacks, according to experts at the recent RSA cybersecurity industry conference in San Francisco.
Joe McMann, head of cybersecurity services at Binary Defense, a provider of cybersecurity solutions, said the new battleground is data extortion and companies need to shift gears to address the threat.
Traditionally, ransomware attackers encrypt or delete organizations’ proprietary data and demand a ransom before calling off the attack. McMann said the hackers are now focusing on stealing customer or employee data and then threatening to publicly leak it.
“By naming, shaming, threatening reputational impact, they force the hands of their targets,” McMann said.
The International Data Corporation expects companies to spend more than $219 billion on cybersecurity this year, and McMann said cybercriminals are constantly evolving their exploits.
Hackers changed tactics after ransomware attacks brought an unwelcome level of visibility from law enforcement and governments, and cybersecurity professionals became adept at breaking the attackers' encryption and recovering data. Instead of crippling hospitals and pipelines, he said, criminals have shifted gears to harvest data and threaten companies with customer dissatisfaction and public outcry.
In late March, OpenAI documented a data leak at an open source data provider that made it possible to see personal AI chat histories, payment information, and addresses. The team fixed the leak within hours, but McMann said once the data is available, hackers can use it.
Chris Pierson, founder and CEO of Black Cloak, a digital executive protection firm, said companies understand the growing threat of data extortion after recent public breaches. In the last year alone, he said, Twilio, LastPass and Uber have experienced attacks in which hackers targeted employees outside the protected corporate environment.
“For example, the LastPass breach saw one of four key individuals targeted on their personal computer, through a personal public IP address, enter through an unpatched solution,” he said.
The hackers stole the credentials “outside the castle wall environment, on personal devices,” he said, using that data months later as a way to break into the corporate environment.
He said the advent of home offices has accelerated the targeting of employees. As companies transformed into digital-first workplaces, employees naturally started working on personal devices.
Before the pandemic, Fortune 500 companies spent millions securing corporate devices and buildings, but employees aren’t as well protected at home. “As an executive leaves the building, uses his personal device or the home network that he shares with corporate devices, the attack surface changes,” said Pierson. Plus, executives’ digital footprints are easy to find online, he said. “40% of our corporate executives’ home IP addresses are public on data broker websites.”
Pierson said it only takes one vulnerable device on a home network to open up the entire network.
Looking across the street at the RSA convention building filled with more than 45,000 industry attendees, Pierson said criminals always choose the path of least resistance.
“You don’t have to go through all the equipment that’s here at the RSA to protect the real company; you go through the $5 cybersecurity back home and you get everything else,” Pierson said. “Cybercriminals target on a personal level because they know they can get the data and there are no controls out there,” he added.
Cybersecurity has greater visibility this year, as phishing attempts and scam messages have become commonplace for most people. Companies also know that the SEC’s proposed new guidelines will add another layer of accountability.
Once finalized, the rules would require public companies to disclose data breaches to investors within four days and to have at least one board member with cybersecurity expertise. Although a Wall Street Journal survey found that three-quarters of respondents had an information security director, Pierson said companies were at RSA seeking advice.
McMann said companies should focus on simple fixes first and not worry about AI chat breaches if they don’t use two-factor authentication on personal accounts. The criminals will first try the old methods like ransomware before moving on to the new ones.
He said rehearsing the response to a cyberattack has become as important as any other emergency drill. On a positive note, McMann said the success of cybersecurity professionals is why criminals are looking for new ways to attack.
“If you don’t have your operations lean and effective, if you don’t have good people and processes, don’t worry about the other stuff,” he said. “There are a lot of fundamentals that are being skipped.”