US mortgage service provider Mr. Cooper has disclosed a breach to the U.S. Securities and Exchange Commission (SEC) affecting over 14.5 million people. Breached data includes names, addresses, phone numbers, social security numbers, dates of birth, and bank account numbers. The Mr. Cooper breach is indicative of several trends likely to shape the cybersecurity industry in 2024.
The new obligation to report material cyber breaches within four days, which came into effect last week on December 15, is widely expected to reveal a huge iceberg of cyber breaches that might previously have gone unreported and, therefore, uncounted. The obligation to detail the loss and those affected also puts a big onus on organizations in all sectors to implement systems capable of identifying and tracking any intrusions into their network.
The Mr. Cooper filing also points to another cybersecurity issue set to dominate 2024 – securing personal data. Although the details of the Mr. Cooper breach are still hazy at the time of writing, most of those affected are not among the mortgage services provider’s current customers. Financial services organizations, for example, are frequently legally obliged to keep copies of customer details for years, creating a treasure trove for hackers. Often, the individuals whose data is being held are unaware of its existence or that securing it is beyond their control.
The financial world is composed of a network of companies that frequently share customer data with one another in order to provide customized financial services. This means that individuals are often unaware that their personal financial details are also frequently retained by third-party organizations, even if they have legally consented while ticking an online box.
In the case of senior staff members or key employees, poorly secured personal data can also provide an entry point into the company network for determined hackers, particularly when staff frequently use the same devices to access the corporate network and manage their personal affairs. Advising key staff on how to safeguard their own personal data as well as company information is likely to be prioritized in 2024 as companies find their employees increasingly targeted by highly professional hackers bent on breaking into the corporate network by any means they can.
Cybercriminal gangs that increasingly behave like mini-corporations are constantly developing new ways of ‘social engineering’, trawling social networks and websites to find all they can about a targeted individual, frequently a senior employee working in finance or IT. The key staff member may then become the subject of anything from a ‘spear-phishing’ attack starting with an innocent-looking weaponized email to full-scale blackmail.