Hacking: An Industry-Wide Review from the Summer of 2024

2024/08/14

Jason Frocht

The current onslaught of hacking incidents in the United States continues unabated. While law firms and legal practitioners may represent the proverbial “low-hanging fruit” for malicious actors looking for proprietary information, they are not the biggest target. The victims of these large-scale hacking attacks run the gamut from Government agencies to private healthcare providers, to even the campaign organizations of presidential candidates. Even when hacking cannot be substantiated, DDoS attacks and phishing schemes have become so widespread that analysts and pundits from across the political spectrum will conclude that slowdowns or delays on social media sites are a direct consequence of malicious actors. As the summer of 2024 winds down, the picture of the technological landscape continues to worsen as public announcements of new information leaks, hacking efforts, and exploitations of vulnerabilities continue to make the news. These failures throughout the country’s cyber infrastructure demonstrate the common missteps and miscalculations that have led to such a fractious security environment for information online.

Social Security Number Deluge

The breach of National Public Data, a public records data provider specializing in background checks and fraud prevention, is one of the most consequential hacks of 2024.1 In April of this year, a known cybercriminal group, USDoD, claimed to have access to the personal information of 2.9 billion people, with each record allegedly containing an individual’s name, mailing address, SSN, and in some cases, the names of relatives.2 These records are not limited to U.S. citizens, but also include those of citizens of the U.K. and Canada.3 The group initially posted on X (formerly known as Twitter) to “sell the data for $3.5 million and claimed it contained records for every person in the three countries.”4 Some of this data has already reached the public domain, where other threat actors have released partial copies of the data, with each leak sharing a different number of records.5 A particularly concerning element of this data breach is that the inciting incident occurred in April of this year, yet public disclosure of the incident occurred four months after the fact. The precise means of the incursion into National Public Data remains unknown, but a likely method of intrusion in this case was some kind of exploitation of the company’s servers, leading to application-level access to its information holdings. In a recent class action lawsuit initiated by representative members of the exposed parties, the complaint alleges that “National Public data Defendant failed to adequately protect Plaintiff’s and Class Members PII—and failed to even encrypt or redact this highly sensitive information.”6 The breach of National Public Data and the disclosure of 2.9 billion records represents a catastrophic failure of effective cybersecurity policy, internal controls, and reasonable internal security governance.
As of writing, the court case that has been filed is still pending on the docket, but further analysis of the breach and the duties of National Public Data will be discussed in the upcoming CLR blog post.

“Robert” and the Presidential Campaign Hack

On August 11th, Microsoft released a report declaring that a hacking group run by the intelligence unit of Iran’s Islamic Revolutionary Guard Corps had successfully breached the account of a “former senior adviser” to a presidential campaign.7 The report claims that the group engaged in a “spear phishing attack”, whereby the threat actors sent fake email messages to an official working on the presidential campaign of Donald Trump and then managed to gain access to a trove of proprietary data.8 Soon after, an individual or group, “who identified themself only as “Robert,” sent a trove of private documents from inside Donald Trump’s campaign operation to journalists at Politico, The New York Times and The Washington Post.”9 While the content of the data has not been published by any major news organization,10 the disclosed method of the breach is telling. Spear phishing is simply a targeted attack using an email or other fraudulent scenario to trick the victim into revealing information and potentially access credentials.11 The fact that a high-level official of an active presidential campaign gave what is potentially a hostile foreign power access to proprietary information indicates a general lack of security standards, training, or response policy. While foreign intelligence actors and cyber-criminals are growing more sophisticated, the lack of proper security training or policy to deal with common threats such as phishing emails during a presidential election is concerning. Many of these targeted phishing attacks are easily preventable with a training course for people who have privileged access to confidential information.

CrowdStrike: The Worst Outage in History

On July 18, 2024, CrowdStrike, an independent cybersecurity company, released a software update that began impacting IT systems globally due to a glitch present in the software’s code. In technical terms, the glitch caused a memory-read issue on Falcon sensor software—which runs on Windows PCs and servers—causing all machines running that software to enter a boot loop or boot into recovery mode.12 In other words, 8.5 million PC-related systems crashed and were unable to properly restart in “the largest outage in the history of information technology.”13 The crash caused multiple systemic issues across the world, ranging from flight delays to disruptions of banking services, governmental functions, healthcare providers, and the stock market. All told, the damage in insurance claims and litigation could reach over 10 billion dollars over the next few years.14 In this instance, no agency or pundit, nor even Microsoft or CrowdStrike itself, has pointed to malicious actors at play. No evidence has pointed to a hacking event or penetration. The incident was simply a technical error from a major software service provider that had dire consequences for multiple businesses and governments around the world. However, there is a common factor between the other hacking events of 2024 and the CrowdStrike outage: the computer systems that bind the world together are fragile. Security missteps, poor redundancy measures and a lackadaisical attitude towards general cybersecurity standards bind these incidents together. The summer of 2024 should serve as a warning to the Government and industry alike that computer systems and the data they hold demand vigilance at all levels.

Image Citation: Rogers, W. A. (William Allen). Harpers Weekly Cartoon “American Editors II. Joseph Pulitzer”. 28-Dec-01. Periodicals illustration. Rare Book & Manuscript Library, Columbia University. Columbia Digital Library Collections. 15 Aug 2024


  1. Lawrence Abrams, “Hackers leak 2.7 billion data records with Social Security numbers,” Bleeping Computer, August 11, 2024

  2. Fiona Jackson, “National Public Data Breach: 2.7bn Records Leaked on Dark Web,” Tech Republic, August 13, 2024

  3. Id. The fact that certain victims of this data breach are nationals from the U.K. may implicate the provisions of the GDPR, as the regulation may impact an organization that fails to keep the PII of individuals in its database anonymous. Any action by an EU regulatory body or consequence of GDPR enforcement and its impact on both individual EU citizens who are residents of the U.S. is beyond the scope of this post. The status of any individual foreign nationals implicated by this data breach has yet to be substantiated.

  4. Abrams, August 11, 2024

  5. Id.

  6. Hofmann v. Jerico Pictures, Inc., Docket No. 0:24-cv-61383 (S.D. Fla. Aug 01, 2024), Court Docket

  7. David E. Sanger, Michael Gold, “The Hacking of Presidential Campaigns Begins, With the Usual Fog of Motives,” NY Times, August 11th 2024

  8. Id.

  9. Jon Passantino and Liam Reilly, “News outlets were sent leaked Trump campaign files. They chose not to publish them,” CNN, August 11th, 2024

  10. Id.

  11. Matthew Kosinski, “What is Spear Phishing?”, IBM, June 6th, 2024

  12. Guru Baran, “CrowdStrike Update Pushing Windows Machines Into a BSOD Loop,” Cyber Security News, 19th July 2024

  13. Dan Milmo et al., “‘Largest IT outage in history’ hits Microsoft Windows and causes global chaos,” The Guardian, July 19th 2024

  14. Lian Kit Wee, “Here comes the wave of insurance claims for the CrowdStrike outage,” Business Insider, July 22nd 2024