The security credentials for executives with access to sensitive pharmaceutical research and financial information are readily available on the dark web, a reminder of the massive vulnerabilities facing critical industries despite years of security investment.
In a new report, cybersecurity startup BlackCloak found that 68% of the top executives from 30 leading pharmaceutical companies have had their emails exposed during a data breach over the past decade. Of that sample, 57% of the exposed credentials had their passwords broken, leaving them in plain text and easily viewable.
According to Dr. Chris Pierson, founder and CEO of BlackCloak, such security breaches are the result of fundamental carelessness, such as reusing the same credentials, as well as many executives now having to work from home, where their gadgets are outside the company’s security perimeter. While this dynamic can be seen across many major industries, it’s particularly worrisome when it involves health care-related companies.
The findings also hint at the deeper security disasters likely brewing as workers at all levels are forced to work from home during the coronavirus lockdowns and are using a combination of work and personal devices to access corporate networks.
“These are things that boards need to worry about,” Pierson said. “It’s become even more evident and thrust onto the front page of newspapers, given the impacts of coronavirus.”
Founded in 2017, BlackCloak is based in Orlando, Florida. The company has developed a security service that protects executives and high net worth individuals. This “concierge” service includes features such as scouring the dark web for information related to a client, a cloud-based platform to protect all of their devices, a “privacy hardening” feature that limits the kinds of data their devices are generating, and a scrubbing service that removes personal information from data broker sites.
The company also announced it had raised a $1.9 million round of venture capital from DataTribe, a firm that invests in and “co-builds” cybersecurity and data science companies.
In creating the report, BlackCloak used the same tools to search the dark web that it deploys on behalf of clients. To start, the company compiled a list of 30 pharmaceutical companies and then copied the names of top executives who were publicly listed on their websites. In most cases, it was easy to find both the professional and personal emails of the execs, which BlackCloak then used to search the dark web.
The 68% rate wasn’t entirely surprising, Pierson said. However, he was interested to discover that of those with credentials exposed, 84% of them appeared to have been victims of the 2015 LinkedIn data breach. The BlackCloak study found that despite the passing of time and the requirement to reset their LinkedIn passwords, many of these executives continued to reuse the same passwords for both home and work, even as they changed companies over the years. And 3% of the executives whose passwords could be read used the company’s name.
“We can see the same password over multiple years being used, sometimes with a little bit of addition, like a capital letter or a number or exclamation point,” Pierson said.
Such repetition allows a hacker to perform “credential stuffing,” using the ID and password gained from one service to access multiple services, such as a victim’s email and Dropbox accounts. But in the case of executives, it’s also quite likely those credentials will allow hackers to gain access to corporate networks.
“There are no boundaries here,” Pierson said. “They are sharing documents and emailing documents to themselves from work accounts to personal accounts, especially now with remote work. They are absolutely using personal devices, personal computers, even just to get the document moved over to a computer where they can print from their home printer.”
From there, hackers can spread malware, snatch intellectual property, and potentially infect other devices.
Unfortunately, tactics such as trying to obfuscate email information by generating complex addresses didn’t really seem to help. And because some of these weaknesses exist on the home front, it’s tough for a company to implement sufficient policies or technology solutions to address the bad habits.
Instead, Pierson said the solution basically comes down to the most fundamental strategy: Massive education of executives and employees to get them to reform their poor security hygiene.