BlackCloak: Credentials for 68% of top pharma executives are available on the dark web

The security credentials for executives with access to sensitive pharmaceutical research and financial information are readily available on the dark web, a reminder of the massive vulnerabilities facing critical industries despite years of security investment.

In a new report, cybersecurity startup BlackCloak found that 68% of the top executives from 30 leading pharmaceutical companies have had their emails exposed during a data breach over the past decade. Of that sample, 57% of the exposed credentials had their passwords broken, leaving them in plain text and easily viewable.

According to Dr. Chris Pierson, founder and CEO of BlackCloak, such security breaches are the result of fundamental carelessness, such as reusing the same credentials, as well as the need for many executives to work from home, where their gadgets are outside their company’s security perimeter. While this dynamic can be seen across many major industries, it’s particularly worrisome when it involves health care-related companies.

The findings also hint at the deeper security disasters that are likely brewing as workers at all levels are forced to work from home during the coronavirus lockdowns and use a combination of work and personal devices to access corporate networks.

“These are things that boards need to worry about,” Pierson said. “It’s become even more evident and thrust onto the front page of newspapers given the impacts of coronavirus.”

Founded in 2017, BlackCloak is based in Orlando, Florida. The company has developed a security service that protects executives and high-net-worth individuals. This “concierge” service includes features such as scouring the dark web for information related to a client, a cloud-based platform to protect all their devices, a “privacy hardening” feature that limits the kinds of data their devices are generating, and a scrubbing service that removes personal information from data broker sites.

The company also announced it had raised a $1.9 million round of venture capital from DataTribe, a firm that invests and “co-builds” cybersecurity and data science companies.

In creating the report, BlackCloak used the same tools to search the dark web that it deploys on behalf of clients. To start, the company compiled a list of 30 pharmaceutical companies and then copied the names of top executives whose names were publicly listed on their websites. In most cases, it was easy to determine both the work and personal emails of all the execs, which BlackCloak then used to search the dark web.

The 68% rate wasn’t entirely surprising, Pierson said. However, he was interested to discover that of those with credentials exposed, it appeared that 84% of them had been victims of the 2015 LinkedIn data breach. Despite the passing of time and the requirement to reset their LinkedIn passwords, the BlackCloak study found that many of these executives continued to reuse the same passwords for both home and work, even as they changed companies over the years. Indeed, 3% of the executives whose passwords could be read used the company’s name.

“We can see the same password over multiple years being used, sometimes with a little bit of addition like a capital letter or a number or exclamation point,” Pierson said.

Such repetition allows a hacker to perform “credential stuffing,” where they use the ID and password gained from one service to access multiple services such as a victim’s email and Dropbox accounts. But in the case of executives, it’s also quite likely those credentials will allow hackers to gain access to corporate networks.

“There are no boundaries here,” Pierson said. “They are sharing documents and emailing documents to themselves from work accounts to personal accounts, especially now with remote work. They are absolutely using personal devices, personal computers, even just to get the document moved over to a computer where they can print from their home printer.”

From there, hackers can spread malware, snatch intellectual property, and potentially infect other devices.

Unfortunately, tactics such as trying to obfuscate email information by generating complex addresses didn’t really seem to help. And because some of these weaknesses exist on the home front, it’s tough for a company to implement sufficient policies or technology solutions that will address the bad habits.

Instead, Pierson said the solution basically comes down to the most fundamental strategy: Massive education of executives and employees to get them to reform their bad security habits.
