Mobile data leaks – the hidden dangers to organisations

Most CIOs are not so naïve to think that work-assigned devices are used exclusively for professional purposes. The reality is that some of the most popular uses of corporate devices are for video, news, entertainment and social media. Despite the differences between perception and reality, where and how data allowances are being consumed shouldn’t always be the principle focus for organisations. Mobile data security risks and data leaks should be front of mind too.   

A data leak involves the unauthorised or unintentional transfer of sensitive information from an enterprise mobile device to an internet service. If an app or web developer fails to properly protect data, they are essentially making data – including sensitive company data - available to anyone who utilises the same network as the device.   

Research from Ponemon has revealed that the average total cost of a traditional breach is more than $7million. Delving further into this, Wandera recently explored where security risks and data leaks are coming from, and why. After sampling 3.9billion requests from the mobile devices of over 500 enterprises, the findings revealed more than 200 mobile websites and apps that were exposing sensitive consumer and enterprise information over the past year. 

The findings from the report highlight how varied threat vectors are, and the sheer number of apps and websites in regular use by employees that are affected. Understanding the mobile data security risks in the context of how heavily these services are used is critical to comprehending the extent of data leak threats in 2017, and how to avoid them. 

Know the leak and its implications

Not all data leaks are equal. While of course no data leak is desirable, those that expose financial information could be considered more of a threat than those that leak email addresses. However, all personal identifiable information (PII) leaks are extremely dangerous, and all forms of exposed data may be used as part of a wider attack.   

While Wandera’s research revealed that only 2.3% of leaked data included credit card details, there were other factors that weren’t as securely protected - email addresses were included in a staggering 90% of leaks. Passwords were equally unprotected in 85.5% of leaks. It is clear from these findings that the more sensitive the data is perceived to be, the more security measures are put in place – hence credit card data being typically more rigorously protected. This is largely driven by the threat of fines for regulatory non-compliance and the spectre of legal liability for identified leaks.   

For many attackers, the data leaked from apps and mobile websites on enterprise devices are the ‘keys to the kingdom’. In most cases, usernames and passwords are sufficient to provide full access to a user’s online account. Wandera discovered that the online music streaming service, Deezer, was leaking sensitive information from both its app and mobile website. Customer’s names, passwords, date of birth and gender could all be identified. But even if other elements of information did not leak, an attacker with access to these credentials could bypass any protections that are put in place and gain full access to the account.   

A CIO hit list - three main categories to be aware of 

News & sports, shopping and business & industry services are used on a regular basis by employees on enterprise devices – they are also the origin of an alarming number of PII leaks. Accounting for more than 59% of all leaks identified in the report, organisations should be aware of what their employees are exposing their details to. Worryingly, media websites and apps across these three sectors face widespread competition for visitors and users, meaning that the developers’ focus is typically placed on rapid and expansive content production rather than security. The more dynamic and competitive the sector, the less attention is paid to securing the user’s data, and therefore the greater the risk to enterprise devices.   

Wandera’s report findings highlight that news & sports is the seventh highest category for data consumption, putting it in the top third, but also accounts for the highest proportion of leaks. For example, Fox Sports Australia was leaking users’ full names, email addresses and passwords. With the combination of a high volume of expensive data consumption plus the high likelihood of personal data being leaked, this is a less than perfect blend for CIOs and other security leaders in organisations.   

Similarly, shopping apps and sites typically require a great deal of personal information due to the nature of the content. In order to make purchases, users must hand over PII including credit card information and physical addresses. Wandera’s research team found a troubling 11.4% data leak rate for this category, highlighting a need for concern when it comes to staff purchases on work devices. 

Encourage password & username individuality

Many enterprises use third party applications and tools for a variety of internal and external tasks and functions. These range from collaboration and communication all the way through to industry or department-specific requirements, such as online HR and finance services or online databases and information services. The chosen platforms will almost always require log-in details, which concerningly will often be identical to details used to access other far more sensitive information.   

During its research, Wandera found a leak in the website and app of a meeting room software provider. On the face of it, the dangers were limited – only usernames and passwords were leaked making it possible to log into the website, find available rooms and book them unnecessarily. However, this particular software tool was often deployed with the security system of the entire business. Now, using the meeting tool, an attacker could not only reserve the room, but also have visitor credentials printed, thus allowing the attacker to gain physical access to the enterprise. Similarly, the Royal Mail’s website was spotted transmitting customers’ full names, passwords, addresses, and landline/mobile numbers unencrypted. As identified with the software tool, these details can allow access to far wider services if captured by unlawful actors.   

The warning of an enterprise’s security only being as strong as the weakest link has never been more applicable than in this research. The exposure of log-in details may seem minimally concerning, but the protection of personal details needs to be handled more efficiently. Employees should also be encouraged to make their passwords and usernames more unique throughout every tool they use within their organisation. 

Stay secure & minimise the cost of a data breach

As Wandera’s report shows, data leaks are a credible and widespread threat that have increased in both frequency and severity since the advent of corporate mobility. Most data breaches continue to be caused by criminal and malicious attacks - these breaches also take the most time to detect and contain the threat and have the highest cost per record.   

Of course, just because the information identified was leaked ‘in the clear’ does not imply that an attacker was on the same network capturing the communication session. But what makes data leaks so difficult to quantify for organisations is the fact that they happen outside of the device. As mobile devices communicate over the network wirelessly, there is no way to know if an attacker was capturing that communication for nefarious purposes.   

The most practical response for executive teams is to routinely monitor the data that flows to and from each individual device, identify potential security gaps and dynamically respond through policy actions that help to manage the risk while simultaneously ensuring that employees stay productive. 

Image Credit: Wk1003mike / Shutterstock