We are so used to breaches in the news that we are blind to the likely far larger number of breaches that never make the news. In this case, United Airlines was hacked, likely by the same Chinese group that hacked OPM and Anthem. Bloomberg is reporting that the attackers stole passenger manifests, among other data, and that they may have been inside United’s network for months or longer. A “look-alike” domain, of the kind often used for spear phishing, was registered in April of last year.
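The look-alike domain mentioned above is the kind of thing a defender can watch for in new domain registrations, proxy logs or mail headers. The following Python script is an added example, not code from the original post or from United; the protected domains, the substitution table and the candidate domains are all constructed for illustration. It flags a candidate domain as a look-alike when, after folding common typo-squatting substitutions, it matches a protected brand exactly, sits within one edit of it, or embeds the brand inside a longer label.

```python
import unicodedata

# Constructed list of domains a defender wants to protect (assumption).
PROTECTED_DOMAINS = ["example-air.com", "examplecorp.com"]

# Small illustrative table of character substitutions commonly seen in
# typo-squatting registrations (assumption; a real deployment would use a
# fuller confusables list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_label(domain):
    """Return the label left of the TLD, e.g. 'examp1e-air' from 'examp1e-air.com'.
    Assumes a single-label TLD; public-suffix handling is out of scope here."""
    parts = domain.strip().strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Lowercase, strip non-ASCII (so Unicode confusables collapse to a gap),
    then fold common ASCII look-alike substitutions."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Classic edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate, protected):
    """Return why `candidate` resembles `protected`, or None if it does not.
    An exact match of the registrable label is the brand itself, not a look-alike."""
    cl, pl = registrable_label(candidate), registrable_label(protected)
    if cl == pl:
        return None
    ncl, npl = normalize(cl), normalize(pl)
    if ncl == npl:
        return "homoglyph"        # differs only by substituted characters
    if levenshtein(ncl, npl) <= 1:
        return "typo"             # one edit away from the brand
    if npl in ncl:
        return "brand-embedded"   # brand used as part of a longer label
    return None


def scan_domains(candidates, protected=PROTECTED_DOMAINS):
    """Map each suspicious candidate to (matched protected domain, reason)."""
    findings = {}
    for cand in candidates:
        for prot in protected:
            reason = lookalike_reason(cand, prot)
            if reason:
                findings[cand] = (prot, reason)
                break
    return findings


if __name__ == "__main__":
    # Constructed sample of newly observed domains, as a defender might pull
    # them from registration feeds or outbound DNS logs.
    sample = [
        "example-air.com",          # the brand itself: not flagged
        "examp1e-air.com",          # digit-for-letter substitution
        "exampleair.com",           # dropped hyphen
        "example-air-login.net",    # brand embedded in a longer label
        "unrelated.org",            # nothing to do with the brand
    ]
    for dom, (prot, why) in scan_domains(sample).items():
        print(f"{dom:28} resembles {prot:18} ({why})")
```

Running it prints the three constructed look-alikes with their reasons and stays silent on the legitimate domain and the unrelated one. The edit-distance threshold of one is deliberately tight; raising it catches more squats but also more false positives on short brand names, so tune it against your own domain list.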
Since a passenger manifest does not fall into the category of data that a company is required to disclose if breached, United would likely try to keep things quiet. Unfortunately for United, there are likely employees who don’t think keeping that kind of thing quiet is the right thing to do.
United is a large vendor to the government, and being able to figure out who from the government was in a given place at the same time as other people could allow foreign spies to work out who is working with whom. Agencies like the NSA and CIA would prefer that kind of information not fall into unfriendly hands.
Even if you assume that the purpose of this incursion was a test run to see whether they could get in and stay in undetected, so that they can come back later and do something more sinister, that is still not good. True, United will likely try to tighten things up, but commercial companies are usually not willing to deal with the heat from employees over the tightening.
I was in a meeting today and spoke to a participant who worked for a large defense contractor. I was highly impressed with the seriousness with which they took security. As an example, if you had a laptop and you had access to certain classes of sensitive information, you could not take that laptop and use it anywhere except at a company facility. If you wanted to work at home or travel, they would provide you with another, clean laptop that had none of your data on it. If you needed to travel with a subset of your data on that laptop, you had to fill out paperwork explaining why and get approval to do that. Do you think that most companies have the guts to do that? I don’t think so. And that is just one example of what they do.
Unless the laws change – and I don’t anticipate that happening any time soon – these types of breaches will typically remain undisclosed and we will likely have a very incomplete view of how bad things really are.
As another example, if your law firm is hacked and all of your company’s confidential communications are stolen, there is no LAW requiring the law firm to tell you. Since they are likely to get fired if you find out, they might not tell you, assuming they even know that they were hacked. IF there is language in your contract with the law firm that requires them to disclose it, AND if there are significant penalties for being caught failing to disclose, then they likely will disclose it. Again, assuming they even know. I am picking on law firms only because they are a hot target right now and often do not have very strong defenses, but this applies equally to any firm that holds copies of your sensitive data.
What does appear to be clear is that some hackers, likely affiliated with the Chinese, are hell-bent on collecting LARGE quantities of data (think Anthem, OPM and now United) for the purpose of building profiles on people of interest and cross-correlating that data. What is less clear is what they plan to do with that data. Likely, it is not to send out birthday cards.