Getting to the “Root” of Data Breaches

The scale of the data breaches that have been reported this year is simply massive. For example:

  • Ashley Madison — over 30 million users impacted
  • Office of Personnel Management (OPM) — over 20 million people affected
  • JP Morgan — 83 million customers impacted
  • Anthem — over 80 million Social Security records, etc.

What seems to be underreported by the press is that in each case, when you peel back the proverbial onion, all of these breaches had one common theme — compromised credentials.

Security experts have actually known this for a while. The Verizon Data Breach Investigations Report of 2013 highlighted that 75% of breaches came from compromised or stolen user IDs and passwords. The 2014 edition of the Verizon report played the same song, with notable quotes including:

“As always, compromised credentials, whether they were obtained through phishing, spyware or brute-force methods, played a major role in many data breaches.”

“While we have tried to refrain from best practices advice this year, there’s no getting around the fact that credentials are literally the keys to the digital kingdom.”

In other words, users’ identities are what the bad guys are really after, and stolen digital identities are the means by which data breaches occur. While Verizon says that well over 50% of breaches are caused by compromised credentials, the Mandiant division of FireEye (the firm that is increasingly called on when hacked companies need help after the fact) actually says that the number is 100%. I created the graphic below with some killer quotes from articles about the above breaches that highlight the role of identity in data breaches.

Recent breaches

[Sources: OPM; Anthem; JP Morgan; and Mandiant]

And while details of Ashley Madison are still coming to light, screenshots from the Ashley Madison data dump show the /etc/passwd files of Linux systems, meaning the hackers had unencumbered “root” access, which gave them the keys to the proverbial kingdom.

Ashley Madison Data Dump

[Source: Ars Technica and TrustedSec]

I think all of us as end users have gotten a “phishy” email that looked to come from a friend or a financial institution. As the Verizon report notes, a common sequence is “phish customer = get credentials = abuse web application = empty bank/bitcoin account.”

But hackers realize that some usernames and passwords are better than others, namely the passwords of privileged accounts. Privileged accounts are the credentials that have “root” and/or “admin” privileges on critical infrastructure, apps and data. These accounts are the built-in “superuser” accounts associated with servers and apps; they are not directly tied to humans per se, but are often shared by IT staff. So the thinking is no doubt that hacking one regular user’s email account is nice, but if you can hack the account of the email admin for an entire organization, you now get access to all users’ email accounts. [I wrote about this in more detail in a recent blog on Forbes.]
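The first step in getting privileged accounts under control is knowing which ones exist on a given host. The script below is an added example written for this post, not code from the author, Verizon, Mandiant or any PAM vendor: it parses /etc/passwd- and /etc/group-style data (the same file format that appeared in the data dump screenshots above) and flags every account that is privileged either because it has UID 0 or because it belongs to an administrative group such as sudo or wheel. The sample account data is constructed for illustration and does not come from any real system.

```python
"""Inventory privileged accounts from /etc/passwd and /etc/group style data.

Added example (not the original post's code). Input is constructed sample data;
on a real host you would read /etc/passwd and /etc/group instead.
"""

# Constructed sample data: an extra UID-0 "shared ops" account is deliberately
# included, since that is exactly the kind of account PAM tools exist to find.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup-ops:x:0:0:shared ops account:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001:deploy svc:/home/deploy:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/zsh
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,deploy
wheel:x:10:bob
www-data:x:33:
"""

# Group names that grant administrative rights on common Linux distributions.
ADMIN_GROUPS = {"sudo", "wheel"}


def parse_passwd(text):
    """Return a list of account dicts from passwd(5)-formatted text."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed entries rather than guessing
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({
            "name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return accounts


def parse_group(text):
    """Return a mapping user -> set of supplementary group names."""
    membership = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        group, _pw, _gid, members = fields
        for member in filter(None, members.split(",")):
            membership.setdefault(member, set()).add(group)
    return membership


def find_privileged(passwd_text, group_text):
    """Map each privileged account name to the list of reasons it is privileged."""
    accounts = parse_passwd(passwd_text)
    membership = parse_group(group_text)
    findings = {}
    for acct in accounts:
        reasons = []
        if acct["uid"] == 0:
            reasons.append("uid 0")  # full root, regardless of the login name
        admin = membership.get(acct["name"], set()) & ADMIN_GROUPS
        if admin:
            reasons.append("member of " + ",".join(sorted(admin)))
        if reasons:
            findings[acct["name"]] = reasons
    return findings


def extra_root_accounts(passwd_text):
    """Names of UID-0 accounts other than 'root'; any entry here deserves a review."""
    return sorted(a["name"] for a in parse_passwd(passwd_text)
                  if a["uid"] == 0 and a["name"] != "root")


if __name__ == "__main__":
    for name, reasons in sorted(find_privileged(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{name:12s} {'; '.join(reasons)}")
    print("extra UID-0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
```

Run against the sample data it reports root and backup-ops as UID 0 and alice, deploy and bob through their sudo/wheel membership. The second UID-0 account is the interesting finding: it is a shared superuser login of the kind described above, indistinguishable from root to the kernel, and exactly what an attacker with stolen credentials would look for.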

So in some sense the hackers are targeting all end users at a corporation or government agency…

Hackers go through end users

…with the hope that some of those users will eventually log in and access privileged accounts on key systems, databases, etc.

To get to the privileged users and accounts

So it is not surprising that when you look at the nature of most of the hacks, they are in fact going after end users’ and/or privileged users’ identities, with the stealing of passwords for privileged accounts — which are often generic accounts shared by IT personnel — having deadlier consequences. This has led to growth in a very hot market within security called Privileged Access Management (PAM) — also known as Privileged Identity Management (PIM) — which Gartner says will be a $1 billion market by itself in a few years.

The bottom line is that as customers become more aware that identity is at the root of data breaches, I think you will see a major shift in focus and spending, from trying to secure an increasingly dissolving perimeter with firewalls, AV, etc., to focusing on how best to secure users (e.g. layering on multi-factor authentication (MFA) to ensure it is really the employee logging on vs. a hacker). So it is not surprising that people are increasingly thinking that identity has now become the new perimeter.