As high-profile data breaches and leaks continue making headlines, a new report from Massachusetts Institute of Technology (MIT) examines the triple-whammy of factors enabling this tidal wave of personal data theft.
According to Stuart Madnick, cybersecurity expert and professor at the MIT Sloan School of Management, three primary drivers are behind the alarming uptick in consumer and corporate data hijacking:
1. Cloud misconfiguration vulnerabilities
The mass migration to cloud computing has opened up new attack vectors because these environments are hard to configure correctly. Madnick's report cites multiple incidents in which unsecured cloud storage buckets and databases exposed troves of personal records.
"The scalability and flexibility of the cloud is also its biggest insecurity," Madnick stated. "Misconfigurations, over-permissive access settings, and confusion around shared security responsibilities with providers creates constant breach risks."
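The most common form of the bucket exposure described above is a resource policy that grants access to an anonymous principal. The checker below is an added example written for this article, not code from the MIT report or from any vendor; the bucket name, account ID, role name and both policies are constructed for illustration. It parses a bucket policy document offline and reports every Allow statement whose Principal is "*" (or {"AWS": "*"}), distinguishing unconditioned grants, which are wide open, from conditioned ones, which still deserve review. A Deny statement with Principal "*" is the normal way to write a guardrail and is deliberately not flagged, as the hardened policy shows.

```python
import json

# Constructed sample: an over-permissive bucket policy of the kind behind
# "unsecured cloud storage buckets". All identifiers are made up.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-customer-records",
                      "arn:aws:s3:::example-customer-records/*"]}
    ]
})

# Hardened counterpart: read access limited to one role in the owning
# account, plus a guardrail that denies any access over plaintext HTTP.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-reader"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-customer-records/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-customer-records",
                      "arn:aws:s3:::example-customer-records/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    ]
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True if the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_grants(policy_json):
    """Return one finding per Allow statement with an anonymous principal.

    Each finding records the Sid, the granted actions, and whether a Condition
    element narrows the grant. Deny statements are skipped: a Deny with
    Principal "*" is a guardrail, not an exposure.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def is_wide_open(policy_json):
    """True if any anonymous Allow grant has no Condition narrowing it."""
    return any(not f["conditioned"] for f in find_public_grants(policy_json))


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "wide open:", is_wide_open(doc), find_public_grants(doc))
```

Policy text is only one input to a bucket's effective exposure: bucket and object ACLs and the account-level S3 Block Public Access settings also decide whether an anonymous grant is actually reachable, so a configuration monitor should evaluate those alongside the policy rather than stop at this check.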
2. Proliferation of dangerous ransomware variants
While ransomware itself is not new, Madnick highlights the emergence of more destructive strains that go beyond encrypting data for extortion. Newer variants exfiltrate sensitive data before encrypting it, so the threat of publishing or selling the stolen records gives the attacker a second lever to pressure the victim into paying.
Other aggressive tactics noted include targeting cloud backup data so that victims cannot simply restore, launching distributed denial-of-service (DDoS) attacks, and issuing multi-layered extortion demands. These escalations have made ransomware an even more potent data breach threat.
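Because the data is copied out before anything is encrypted, the exfiltration phase is the point at which this kind of attack is still detectable as a breach in progress rather than an outage. The following is an added example, not code from the MIT report or from the article's sources: a small detection that aggregates outbound flow records per (source host, destination) and flags pairs whose cumulative egress to a non-sanctioned destination crosses a volume threshold. The flow records, host names, addresses, byte counts and the "sanctioned backup endpoint" are all constructed for the example; the point it makes is that the individual transfers are each below the threshold and only the aggregate reveals the staging.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of outbound flow records (CSV). Hosts, addresses and
# byte counts are made up for this example; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = """\
time,src_host,dst_ip,dst_port,bytes_out
2024-05-20T02:10:01,fileserver01,203.0.113.10,443,900000000
2024-05-20T02:11:30,fileserver01,203.0.113.10,443,850000000
2024-05-20T02:13:05,fileserver01,203.0.113.10,443,700000000
2024-05-20T02:14:40,fileserver01,198.51.100.5,443,2100000000
2024-05-20T09:00:00,workstation17,198.51.100.5,443,120000000
2024-05-20T09:05:00,workstation17,203.0.113.99,443,4000000
"""

# Assumed: 198.51.100.5 is the organization's sanctioned cloud backup
# endpoint, to which large nightly transfers are expected.
SANCTIONED_DESTINATIONS = {"198.51.100.5"}

# One gigabyte; a real deployment baselines this per host role.
DEFAULT_THRESHOLD_BYTES = 1_000_000_000


def aggregate_egress(flow_csv):
    """Sum bytes_out per (src_host, dst_ip) across all records."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        totals[(row["src_host"], row["dst_ip"])] += int(row["bytes_out"])
    return dict(totals)


def flag_bulk_egress(flow_csv, threshold_bytes=DEFAULT_THRESHOLD_BYTES,
                     sanctioned=SANCTIONED_DESTINATIONS):
    """Return (src_host, dst_ip, total_bytes) for every pair whose cumulative
    egress to a non-sanctioned destination reaches threshold_bytes, largest
    first. Individual flows below the threshold still count toward the total,
    which is what catches data staged out in several chunks."""
    hits = []
    for (src, dst), total in aggregate_egress(flow_csv).items():
        if dst in sanctioned:
            continue
        if total >= threshold_bytes:
            hits.append((src, dst, total))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total in flag_bulk_egress(SAMPLE_FLOWS):
        print(f"bulk egress: {src} -> {dst} {total / 1e9:.2f} GB")
```

Two caveats follow directly from the tactics listed above. The allowlist of sanctioned destinations is itself an attack surface, since the backup service is a stated target, so unusually timed or unusually large transfers to it deserve a separate rule rather than a blanket exemption. And a volume heuristic is only a first filter; pairing it with first-seen-destination tracking and with DLP on the content keeps the false-positive rate manageable.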
3. Supply chain and vendor system vulnerabilities
The report's third major threat vector is cybercriminals increasingly targeting third-party vendors, suppliers, and service providers as initial entry points into the networks of their ultimate victims.
"No company operates in a vacuum—they all rely on an extended web of interconnected vendors and partners," Madnick explained. "And vendors often have front-door access and trusted relationships, making them ideal proxy attack surfaces."
Recent years have seen numerous major breaches originate from software supply chain compromises, such as the SolarWinds hack, and from the compromise of vendor-operated billing and claims-processing platforms that many organizations depend on, such as the Change Healthcare breach.
"These three primary drivers are consistent with what I've been reading in the recent '2024 Data Breach Investigations Report' [downloadable with a form submission]. But, we're not going to be able to prevent all future breaches," said Kip Boyle, vCISO, Cyber Risk Opportunities LLC. "That's the whole idea behind the 'assume breach' philosophy. We all need to invest in bettering our detection, response, and recovery capabilities. Look to the NIST Cybersecurity Framework v2 for the guidance you need."
Boyle is teaching a SecureWorld PLUS training course, "Implementing the NIST Cybersecurity Framework, Including 2.0," on June 5th as part of SecureWorld Chicago. It is open to any cybersecurity professionals looking for a deep dive into the latest guidance from NIST. His course is the day before the SecureWorld Chicago conference at the Donald Stephens Convention Center in Rosemont, IL. PLUS Course payment includes access to the full conference day and earns participants 12 total CPE credits.
The compounding effects of these three vulnerability fronts—misconfigured cloud systems, advanced data-extortion ransomware, and third-party exposures—have coalesced into a "perfect storm" enabling such frequent and large-scale data breaches, according to the report's findings.
"Third parties are continuing to be utilized more and more in the delivery of any and all capabilities in the delivery of products and services to organizations and people," said Arvin Verma, Senior Strategic Advisor & vCISO, Sentinel Technologies. "With this increased usage, the large amount of data being sent in between organizations and third parties providing support capabilities is only expanding the potential opportunity for that data to be intercepted by non-authorized individuals. Ensuring third parties are protecting the data while in their possession is as critical as evaluating your own organization's data privacy and security controls."
Madnick emphasizes the need for a "back-to-basics" cybersecurity hardening approach centered on access restrictions, system configuration monitoring, comprehensive backup protocols, and robust vendor risk management.
Here are some additional comments from cybersecurity vendor experts.
Saeed Abbasi, Manager, Vulnerability Research, at Qualys Threat Research Unit, said:
"We are seeing a critical increase in vulnerability exploitations, highlighting the need for urgent, strategic vulnerability management. We advise organizations to implement comprehensive, proactive strategies, including agent-based and agent-less security measures, to preempt potential breaches. Additionally, organizations require a multi-layered defense strategy, integrating advanced detection tools, Zero-Trust frameworks, and rapid patch management. Given the increasing complexity and interconnectedness of supply chains, this holistic approach to cybersecurity is essential. These networks are often targeted by cyber threats, affecting not just individual organizations but also extending to third-party interactions and the broader supply chain."
Venky Raju, Field CTO at ColorTokens, said:
"It is fair to say that breaches are inevitable, given the difficulty in finding and patching vulnerabilities before adversaries can leverage them. It is essential to contain the breach as early as possible and prevent it from becoming a crisis. Hardening systems and limiting human and machine access using techniques like micro-segmentation is an excellent first step toward implementing a breach-ready security posture."
Tamir Passi, Senior Product Director at DoControl, said:
"Attackers are looking for information they can sell, ransom, use for extortion, or leverage in social engineering attacks. So, it's not as simple as a Triple Threat. The MIT report does a good job highlighting critical areas that have long been concerns in cybersecurity, but I think it needs a sharper focus. It's not just the rapid adoption of cloud platforms; it's also the surge in SaaS solutions. Both have undeniably brought efficiency and scalability, which encourages widespread use and data uploads. However, this rapid adoption has outpaced the development of security tools and understanding, making it easy for misconfigurations to lead to breaches. High-profile incidents have shown this repeatedly. The key takeaway is the need for robust Cloud Native Application Protection Platforms (CNAPP) and SaaS Security Posture Management (SSPM) solutions. These can provide continuous monitoring and remediation to prevent these misconfigurations."
Passi continued: "You can say similar things about ransomware and supply chain issues. Infostealer attacks are on the rise, focusing on data collection rather than just hiding data behind encryption. Attackers use this data for further attacks, like social engineering or deep fake audio and video attacks. The information collected via a supply chain partner can also be used in these attacks. This highlights the importance of knowing where your data is and how it's accessed."
"Addressing these threats requires a holistic approach to cybersecurity that includes proactive measures and real-time response capabilities," Passi added. "As data becomes increasingly central to business operations, safeguarding it demands a vigilant, adaptive, and comprehensive security posture. Focusing purely on internal data protected by a security perimeter is not enough. The approach must encompass the cloud, SaaS, third parties, and more. This ensures we not only address current vulnerabilities but also stay ahead of emerging threats, aligning with the back-to-basics cybersecurity hardening approach recommended by the MIT report."
As data increasingly represents the "crown jewels" of modern business, Madnick's report serves as a call to action before negligence compounds into a full-blown "cyber disaster" of personal record exposure.