The other day, my wife turned to me casually and asked a question every security practitioner dreads: “Why did AT&T have my data anyway?!”
This perhaps needs some context: before we were married, she subscribed to AT&T’s home Internet service. She hasn’t been a subscriber for more than four years, but she recently got a notification from them that her data was included in the most recent AT&T data breach. It’s thus perfectly reasonable for her to wonder why AT&T kept her data. That question is also a good entry point for a discussion of what actions you, and your organization, should take after a breach that discloses personal data.
You Against the World
Most of us spend more time thinking about how to prevent breaches of the data we manage in our organizations than we do thinking about our personal data. This makes sense because we have a degree of control over data on our own systems (even in the cloud), whereas we have very little visibility into, control over, or recourse for misuse of our data when it is held by others. Zillions of pages, tweets, and so on have been written to cover how to deal with data breaches as an organization. And of course, there’s plenty of guidance out there for individual breaches that says “Oh, just put a freeze on your credit.” That is a necessity, but there’s a great deal more that you might want to consider doing, both to protect yourself and to protect your work. There’s a worrisome trend emerging where threat actors attack the personal accounts and home networks of key personnel at their real targets, hoping to pop one of those accounts and use it as an entry point to the target network. It’s happened to LastPass, it happened to Microsoft, it happened to Sony Pictures… and it could certainly happen to you.
Step 1: Add More MFA
In a recent Practical 365 Podcast episode, Microsoft’s Alex Weinert shared that MFA adoption in Microsoft 365 continues to trend upward, but much of that growth is driven by Microsoft forcing the use of MFA rather than by tenants choosing it. Assuming you’re not using the same credentials on your work accounts as you do on your personal accounts, you may think the risk a personal data breach poses to your work systems is low. It is lower, but not zero: the names, addresses, phone numbers, and account details in a breach are exactly the raw material for a convincing phishing message or a fraudulent account-recovery call. You can make the risk lower still by improving your MFA posture on your personal accounts.
Start your post-breach defense by enabling MFA on any service where an attacker who takes over your account could use it to phish your contacts or colleagues. The obvious examples are LinkedIn, WhatsApp, Instagram, Threads, Twitter, and other social media sites. If you can avoid it, don’t use SMS as the MFA method (I’ll explain why in a moment); an authenticator app or a hardware token is preferable. While ideally you would have done this before the breach, doing it afterward is still better than not doing it at all.
While you’re at it, you may as well turn on MFA for other accounts whose misuse might cost you money. Obviously, this includes bank and brokerage accounts, but it should also include e-commerce sites (you can run up a large bill very quickly at homedepot.com or apple.com!) For some inexplicable reason, none of the major US airlines seem to support MFA, though.
Your goal in adding MFA protection to non-work accounts is twofold. First, you want to stop attackers from taking over the accounts at all; second, if one is taken over anyway, you want to deny the threat actor a foothold from which to pivot into your work accounts and networks.
Step 2: Harden Your Network
When was the last time you checked for firmware updates on your home Wi-Fi router? For far too many people, the answer is “I don’t remember” or maybe even “never.” Now’s a good time to remedy that. The same holds true for other devices on your home network, especially if you have NAS devices, Raspberry Pi units, or other computers-in-disguise that may be easily discoverable and exploitable, particularly if their admin interfaces are reachable from the Internet through port forwarding or UPnP. An attacker who can get into one of those units can enlist it in a botnet, use it to pivot to other devices on your home network, and cause all sorts of other problems for you. It should go without saying that you should stay up to date on patches for your desktop, laptop, and mobile device OSes too.
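Before you can patch the computers-in-disguise on your home network, you need to know which ones are there and what they listen on. The following script is an added example and not part of the original column: a small TCP connect scanner that checks a list of commonly exposed service ports (the port list is my assumption, not the author’s) across a /24 home subnet. The `self_check()` function is included so the scanner can be exercised offline against a listener on 127.0.0.1; the subnet prefix in the usage line is a placeholder you must change to your own.

```python
"""Inventory what your own devices expose: a minimal TCP connect scanner.

Added example for the "harden your network" step. Run it from a machine
on your home LAN and change SUBNET to your own prefix. Only scan networks
you own or are authorised to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

# Ports that NAS boxes, Pis, cameras and routers commonly expose.
# This is an assumed starting list, not taken from the article.
COMMON_PORTS = {
    22: "ssh", 23: "telnet", 80: "http", 443: "https", 445: "smb",
    548: "afp", 554: "rtsp", 1900: "ssdp/upnp", 5000: "synology-dsm",
    5900: "vnc", 8080: "http-alt", 8443: "https-alt",
}


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_host(host: str, ports: Iterable[int], timeout: float = 0.5,
              workers: int = 32) -> List[int]:
    """Return the sorted list of open ports on one host."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def scan_subnet(prefix: str, ports: Iterable[int],
                timeout: float = 0.5) -> Dict[str, List[int]]:
    """Scan prefix.1 .. prefix.254 and return {host: [open ports]} for live hosts."""
    ports = list(ports)
    found: Dict[str, List[int]] = {}
    for last_octet in range(1, 255):
        host = f"{prefix}.{last_octet}"
        open_ports = scan_host(host, ports, timeout)
        if open_ports:
            found[host] = open_ports
    return found


def self_check() -> Tuple[List[int], int]:
    """Offline demonstration: open one listener on loopback, pick a second
    ephemeral port that is closed, and confirm the scanner reports only the
    listening one. Returns (open_ports_found, listening_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listening_port = listener.getsockname()[1]

    # Grab and immediately release another ephemeral port so it is closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        return scan_host("127.0.0.1", [listening_port, closed_port]), listening_port
    finally:
        listener.close()


if __name__ == "__main__":
    SUBNET = "192.168.1"  # placeholder: replace with your own /24 prefix
    for host, open_ports in scan_subnet(SUBNET, COMMON_PORTS).items():
        names = ", ".join(f"{p}/{COMMON_PORTS.get(p, '?')}" for p in open_ports)
        print(f"{host}: {names}")
```

Anything that shows up with 23/telnet, 445/smb, 5900/vnc or a web admin page is a device whose firmware version and admin credentials you should check today; anything reachable from outside your router on those ports is a device you should stop exposing.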
Step 3: Protect Your Cells
It’s ironic that in this particular case, AT&T, a cellular carrier, was the inspiration for a column on security where I’m going to tell you to harden your cellular carrier accounts. In fairness, T-Mobile, Verizon, and other large carriers have had their own breaches, so I’m not only picking on AT&T. It’s trivially easy for attackers to mount “SIM swap” attacks against unprotected accounts: the attacker talks (or pays) a carrier employee into moving your phone number to a SIM they control, and from that moment every SMS one-time code and password-reset text meant for you lands on their phone. That is why SMS is the weakest MFA factor. At a minimum, apply a PIN to your carrier accounts, and turn on the carrier’s number-transfer or port-out lock if it offers one. Along with that protection, turn off SMS as an MFA factor to the greatest extent you can. Some services only support SMS and not authenticator applications or hardware tokens, but if you’re able to disable SMS MFA on an account, you should do so.
Step 4: Everything Else
We could have a lively debate about whether applying credit bureau account freezes, buying identity fraud protection services, or moving to an isolated cabin in the wilderness are useful protections against threats to your personal identity or finances. You may even already have experience with some of these services from past breaches. I’m not making any specific recommendations here other than to point out that consumer-focused services like IDnotify focus on, well, consumers. They’re not meant to keep attackers out of your personal networks or devices, nor to make it more difficult for them to steal your identity for the specific purpose of attacking your workplace. If your focus is on preventing this type of pivot, you will need to pay more attention to network, application, and device hardening than on these consumer offerings. A good heuristic: if the service name or description makes any reference to “the dark web” you can probably assume it won’t help protect your workplace assets.
Step 5: Waiting for the Wheel to Spin
Breaches have happened before. They will certainly happen again. The degree of worry and effort you apply after any specific breach may vary according to what was breached and how much you value it. The good news is that, for the most part, the incremental protections you apply now will continue to have value in the future, so even if you weren’t directly affected by AT&T’s shocking carelessness, you can proactively get some protection for yourself, and your organization, that will help protect you against the next breach.