Email.it Data Breach Exposes 600,000 Users – Expert Commentary

It has been announced that the Italian email provider Email.it has suffered a data breach, and the data of more than 600,000 of its users is now being sold on the dark web.
7 Expert Comments
Jake Moore, Cybersecurity Specialist
April 8, 2020 1:06 pm

Limiting the amount of data hitting the dark web is nearly impossible once it’s out. However, it’s about how you handle the compromise and it’s noble how this company dealt with the threats. Companies should not be pressured into negotiating with cyber criminals and it’s refreshing to see a company not bowing to pressures.

Stuart Sharp, VP of Solution Engineering
April 8, 2020 1:03 pm

This is of course a significant worry for users of Email.it, and for the company itself, whose brand reputation and security posture will suffer as a result of this breach. They may also find themselves in breach of legislation such as GDPR, which could incur fines sizeable enough to have a serious effect on the company’s bottom line. Applying proactive measures such as two-factor authentication and other access controls as part of an enterprise’s standard privacy requirements can help to stop or mitigate the harm caused by incidents such as this. The data now hosted on dark web forums will move into the cybercriminal supply chain, working as fuel for further breaches, phishing attacks, malware distribution, data harvesting and, in the most extreme cases, wholesale identity theft. Stopping these breaches at the source will work to stop the cycle starting again, but in the meantime, Email.it needs to assist every user affected by the breach, urging them to ensure they update their credentials on any websites where they have used the same password, enable two-factor authentication on as many websites as possible, and consider signing up for a free credit rating monitor service.

Anna Russell, EMEA VP
April 8, 2020 12:53 pm

There are two ways to look at this – from a personal perspective and from a business perspective. As a private individual, sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. The best way to protect yourself is to use different passwords for all your online accounts and change them regularly. Otherwise, if one is compromised, then you can assume they’ve all been compromised. And from a business perspective, the reality is that it’s just not possible to be 100% secure. With an ever-growing attack surface, classic network protection is not the best way forward. Sometimes you won’t even notice you’ve been breached. In the end, the most important thing to do is to protect your customers’ data.

Encryption and tokenization are actually more important than access security, because the data would be protected in a way that makes the data meaningless and worthless to a hacker or bad actor. The encrypted or tokenized data could not be listed for sale on the dark web because the data would be undecipherable. The takeaway should be – “If you collect it, protect it.” Sensitive data should *not* be accessible by everyone, and, sensitive data should *not* be stored in its clear-text format no matter if it is in your secured network, in the cloud, or in databases.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
April 8, 2020 12:41 pm

People’s digital lives are increasingly held in their hands and powered by free services like public email providers and social media platforms. The security resources available to any platform, including the level of talent they can attract, are a function of their revenue streams. Ideally, all service providers will perform real-time audits for abnormal traffic patterns based on the potential threats to their business. Customers assume such security reviews are part of normal business and that they’ll detect any attempts to access customer data – an expectation that isn’t related to the fees paid for the service.
So for any consumer electing to use any free service, the first question you should be asking is how they’re going to protect whatever data you’re providing them. If it’s not obvious how they can afford to both pay for the security services necessary to combat modern cyber threats and hire skilled staff to monitor for new threats, then perhaps there is a better provider.

James Carder, Chief Information Security Officer &amp; Vice President
April 8, 2020 12:21 pm

This is an unfortunate incident all around. We have a provider of email services that not only has access to all of their customers’ personally identifiable information (PII), including usernames and passwords, but also of their emails and the content within those emails. As anybody who has been in the industry long enough knows, people still send sensitive information through email all the time — whether it’s a good practice or not.

Email.it’s claim that no financial information was stored on the hacked server isn’t completely accurate. It’s likely that some of their customers shared sensitive data in the body of an email or in attachments. This very well could have included financial details, like bank statements and social security numbers, or even copies of driver’s licenses, pictures of their families, or other personal documents and information that could be exploited. Therefore, the attackers gained unfettered access to this information, bypassing any security and encryption controls in use — assuming there were some.

What makes this especially upsetting is the amount of time the attackers had access to this environment. They were able to gain a toehold into it and simply sit and collect data for over two years, waiting for the best and most opportune time to strike while Italy is in complete lockdown amidst a pandemic, with users heavily leveraging the company’s platform.

Since becoming aware of the breach, the company was given ample time and opportunity to rectify it, such as through patching and remedying the exploited vector(s) the attackers were using. They could have rebuilt systems and infrastructure. They could have hired forensics and incident experts to identify the issues and remediate. Instead, they chose to notify authorities and then do nothing else.

I think that in addition to the brand damage they’ll experience as the result of the breach, they should be worried about the negligence associated with their lack of action. In the end, this is another classic breach story where there were likely IT hygiene issues that exposed vulnerabilities the attackers could leverage, combined with a complete lack of monitoring, detection, and response capabilities that would have alerted the company early on to what was happening and given them even more opportunity to do something about it.
