Photos by Tessa Marie Images
How can we protect our families, businesses and ourselves from data privacy attacks? A few of the Main Line’s top experts weigh in.
Jordan Fischer’s clients received an email that their grandson had been injured and needed emergency treatment while on vacation.
They didn’t hesitate to wire money to a Mexican hospital. Then they called their grandson’s parents. He was safe at home—and their money was gone.
“The criminals used their grandson’s correct name in the email, so they thought it was real,” says Fischer, a global data privacy practice group leader for Beckage Law Firm in Bala Cynwyd. “It used to be ‘The Prince of Nigeria’ needs your help. Now, the criminals know the names of your loved ones and use them.”
At the same time, there’s a distinct uptick in the frequency and scope of cybercrimes against large companies like Colonial Pipeline Co., SolarWinds Inc. and JBS S.A. (the world’s largest meat producer). Infrastructure attacks are becoming more common. “It’s not that the attackers are getting better at it—it’s that software is hard to write in a way that’s unhackable,” says Richard Goldberg, partner and vice chair of the data privacy and cybersecurity practice at the Manhattan-based Lewis Brisbois Bisgaard & Smith, which has an office in Wayne. “You could have tremendous security at any company, a lot of malware is delivered via phishing emails. Employees click on the wrong things, and the malware gets into the system.”
Those scenarios have become more common. “I think there’s an objectively measured increase in incidents of cybercrime,” says Samuel Sica III, a partner at Devon’s Mullen Coughlin, a firm devoted to data privacy and security. “There is also a related awakening in public consciousness of large-scale compromises at companies and utilities. It’s a combination of those two.”
The pandemic poured digital gasoline on an already dangerous situation. “This was an unprecedented shift in the American workforce, with executives and staff shifting to remote work postures,” Sica says. “Going online from home has vastly expanded network exposure. Bad actors can exploit those vulnerabilities.”
Goldberg has a different opinion about the link between the pandemic and an increase in data attacks.
“It’s not because ordinary people are home—it’s because the cybercriminals are working at home,” he says. “It’s been hard for people to make money all over the world. In some places, they’ve found a way to make money. That way is through cybercrime.”
Means, opportunity and motive have clearly increased during the past 17 months. “Yes, but it was going to happen anyway,” says Fischer. “Increasingly, our lives are dependent on technology. It was trending that way before the pandemic, then escalated because we were stuck at home.”
Most companies didn’t have the time or technology to secure their employees’ networks and devices. “It’s not that corporations are lagging behind in security, because most are vigilant,” Fischer says. “Rather, it’s the very nature of technology and the speed at which it evolves. As soon as something exists, someone wants to hack it.”
That’s why even multinational companies with a lot of security are susceptible to attacks. In fact, bigger companies are bigger targets. According to Goldberg, a former federal prosecutor, modern criminals choose hacking victims based on the vulnerability of their digital systems and the privacy of the data they hold. “The more private the data, the bigger potential payday,” he says.
Fischer concurs. “It’s not who’s being attacked but what the hack is going after,” she says. “Usually, it’s not personal. The criminals go after whatever is most valuable.”
Banking information, Social Security numbers and other client data can be targeted. But cybercriminals also target MSPs, or managed service providers. Rather than going after the company that manufactures widgets, they go after whoever makes software for the widget company. That one attack can disable all of the software company’s clients.
While the hacks have been called terrorist attacks, cybercriminals don’t typically have political or religious agendas. “In my experience, the motive has been money 100 percent of the time,” Goldberg says. “When a state actor gets into your system, you don’t know it. That’s espionage.”
Another important fact: Companies don’t always pay ransom to recover their data or operations. In fact, the federal government recently figured out how to counter-hack the digital wallet into which ransom money is paid to a cybercriminal. “There’s a belief that the attackers are master criminals. They’re not,” Goldberg says. “They may encrypt part of the system, but not all of it. We have a number of strategies to recover data without paying ransom.”
Doing that requires resources that individuals may not have, and hacks on personal computers, bank accounts and even social media accounts can be devastating. Cybercriminals use what Fischer calls “social engineering” to target those victims. “They get you to sign up for personality tests, coupons and other things,” she says. “If you’re willing to share your personal information, you’re likely to have unsecured data that they can hack.”
Anyone on a social media or dating app can be targeted. Criminals post fake accounts and create psychologically compelling relationships with the app’s users. Then, they ask for money or gift cards to help them through an illness, a car accident or any number of fictional situations. “It’s getting people to send money by attacking their loneliness,” says Fischer. “It’s manipulation through a manufactured relationship, but it feels real to the victim. It’s incredibly sad.”
Whether it’s stolen data or a stolen heart, victims do have legal options. Contact the company and report the incident, change your passwords, and contact the authorities. Local police, the FBI and the Federal Trade Commission have hotlines. Get in touch with all of them, Fischer says—there’s no such thing as too much reporting. “The authorities actually want your complaints,” she adds. “If they see a variety of trends, they can go after the attackers.”
More and more cybercriminals are being prosecuted. The federal government has data privacy legislation, but each state generally has primacy with its own laws. “If you run a company in Devon, your clients are all over the U.S. and you have an incident, it’s not just Pennsylvania law that applies, it’s the law in all 50 states,” Goldberg says. “There’s a legal difference between a big hack and a little hack. But, for victims, every hack is a crime.”