Data Breaches & Threats

May 27, 2019

At the weekend, an Australian graphic design company called Canva reported a data breach. At this stage, you’d be forgiven for thinking so what? Yet, this wasn’t just a typical data breach – it’s one of the largest privacy breaches of user information in history, on the league table just behind Equifax’s breach of 2017. In Canva’s case, the hacker claims to have stolen 139 million Canva users’ details, including names, postal addresses, email addresses and 70 million users’ password hashes. So how might this breach affect your business and is there anything you can do to protect yourself from the fallout?

External Privacy Breaches Could Impact Your Business

The reality security teams face every day is that their users reuse the same usernames and passwords all over the Internet. It doesn’t matter how many times you tell them to not use their company details outside, some will use their business account when they sign up to external online services; rest assured a fair majority of your users will have signed up to services like Canva with their business email, and a portion of those will have reused their business password.

Canva is one of the biggest technology companies on the planet and its meteoric rise to fame and fortune is a good-news story for the Australian start-up scene, showing that perseverance and a great idea can quickly succeed. However, fame rapidly paints a target on your back and any company operation on this kind of international scale will undoubtedly be in the sights of one or more hackers. As a result, there is a good chance that someone in your business has a Canva account, since it offers free of charge services for anyone wanting to design basic graphics or document templates, such as their Facebook banners or profile pictures.

There are two aspects of this breach that every Australian business needs to consider. If anyone in the organisation has a Canva account (even a personal one), they should change their Canva password immediately. If they have reused that username and password elsewhere, good practice suggests they should also change those passwords (to something different to the new Canva one).

In response to ZDnet informing Canva about the breach, Canva stated, “We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised.” Bcrypt is certainly a respected password hashing algorithm, so there are no issues with it being used here and that provides some assurance that users’ accounts are safe, but as good practice users are still urged to log in and change it since things can quickly change in the world of encryption.

More troubling for end users are the private details associated each account, such as email addresses, postal addresses, name, age, etc. which are useful attributes for use in an online identity fraud attack. If the email address the user signed up to Canva with is the same as your organisation’s external DNS domain, then any fraudster has the potential to use social engineering to dupe your IT team into resetting their business password over the phone. In this case, you should be warning your users, as well as your IT team, of this possibility. Security awareness is often the best course of action.

Detecting Account Hijacking

You might think there is little you can do to protect yourself if a hacker has the account details of someone in your business, yet a Security Information and Event Management (SIEM) platform can help in this case.

The core function of a SIEM is to collect security event logs and look for patterns of attack. Furthermore, some SIEM systems also use behavioural analytics, to learn what normal activity looks like, recording patterns of activity over time.  They will then alert on anomalies against that baseline.

If a user’s account is stolen or compromised using the afore mentioned social engineering technique, any abnormal behaviour will be detected and reported. In this case, the threat we are trying to protect against could be classified as insider threat, since the account being used is trusted and has a level of internal access and privilege that other legitimate users have.

How Behaviour Anomaly Detection Works

This is where user behaviour is important. Huntsman Security’s Next Gen SIEM has built-in behavioural profiling, called Behavioural Anomaly Detection (BAD), which learns what normal looks like (both from a user and system point of view). If an attacker takes over a user’s account, they will likely not follow the same patterns of usage as the user, as their motivation is different – their intent is to locate private company information, exfiltrate it and sell it to the highest bidder. This means that normal user accounts logging into, or trying to access, information they would normally not try to access could be an indication that the account is up to no good (and it’s worth investigating).

Manage Insider Threats

Security teams can build special detection rules using the SIEM, based on collecting security information from every log source in the enterprise, matching groups of user accounts with targets  on your network, and alerting when any user accesses a sensitive system or accesses sensitive company information. For instance, if a user in the commercial team is trying to access IT configuration information, this could be indicative of an attack.

Prepare for Identity Fraud Detection

This attack on Canva is just one of a long line of enormous privacy breaches companies all around the world are coming to terms with. The fact is, almost every active Internet user now has their email address appearing in one of these breaches.

Whether you are a cautious person and have different passwords for every account, or reuse the same one everywhere, you are at risk, since in many cases identity fraud is the interim goal before financial gain. Security awareness training should be the first line of defence, since good operational security helps everyone, both at work and at home.

Organisations need to consider the risk of malicious insiders not always being the real user, as account hijacking via social engineering is on the rise. There are things you can do to mitigate these risks, but without some aspect of behavioural monitoring, even in its most basic form, all bets are off once the attacker has access to a user’s credentials.


Related Cybersecurity Content


Read by directors, executives, and security professionals globally, operating in the most complex of security environments.