Information stored in the cloud is vulnerable.
Yet, it’s inevitable.
The issues of keeping sensitive information in remote infrastructures go beyond our personal cloud storage solutions.
Vendors that offer services online used by many people and social media companies use scalable and cost-effective cloud computing technology to run their businesses.
Those are the same organizations to which we trust our information.
The latest WhatsApp and Twitter data breaches compromised the sensitive information of millions of users. They’re yet another reminder of how any gaps in security can compromise the data we give to enterprises.
Threat actors that targeted WhatsApp have been selling the breached data of almost 500 million users to hacking forums — mostly phone numbers.
Twitter, on the other hand, admitted that the information of over 5 million users has been leaked in the latest breach. Cybercriminals obtained mobile phone numbers and emails.
Could those incidents have been avoided with stronger cloud security?
What are the key threats and challenges for cloud data protection, what can both users and businesses do to prevent incidents, and whose responsibility is protecting the information anyway?
Let’s find out.
Table Of Contents
Common Cloud Security Incidents
The most likely pathways that threat actors use to breach data within the cloud are:
- Phishing — a scam that is mostly performed via email
- Account compromises — following phishing or stolen passwords
- Ransomware — the attack that locks files and can obtain user data, withholding the information and the access to critical documents until the ransom is paid
- Targeted attacks on the cloud infrastructure
- Accidental data leakage — losing the hard drives, USB, or laptop on which the critical data is stored
The listed are attacks and vulnerabilities that hackers have been using the most when targeting the cloud. Therefore, they’re likely to rely on similar techniques in the future as well.
Whether they target the information in the cloud directly or not, most cybercriminals use different techniques to obtain the data and leak or sell it to either damage the company’s reputation or to make a profit.
According to Statista, phishing is the most prominent threat to the cloud infrastructure. More than 73% of the research participants have stated that their company has been the victim of such hacking attempts.
Other criminal activity can lead to phishing and compromised data in the cloud as well.
For example, although the WhatsApp data leak is linked to data scraping, both WhatsApp and Twitter breach victims are vulnerable to phishing scams and are advised not to open any emails or answer phone calls from unknown numbers.
During phishing schemes, the victim can be urged to reveal their password or wire money to the criminal in question.
This is activity that can let the attacker gain a pathway to various user accounts and get deeper access into the organization that enables them to acquire more sensitive information.
User-Based Cloud Security Techniques
What can users do to guard their sensitive information — regardless if it’s stored in their personal cloud or handled by third-party vendors?
As an individual, start with:
- Stronger passwords
- Avoid storing personal information in the cloud
- Backing up your data
- Utilize multi-factor authentication
- Install an anti-malware solution to your devices
Strengthening your credentials is the easiest fix and it makes a major difference.
That means setting up passwords that have at least 10 versatile characters and don’t contain personal information. Also, that it’s not reused for multiple accounts and is changed every couple of months.
Instead of keeping sensitive information in public cloud storage that is not completely hacker-proof, use local servers instead.
Make sure you have data backups. If the cloud on which you store your data is compromised and threat actors lock you out, this could mean that you can’t do your work, since you lost access to important documents.
Most services that you use (e.g. social media) now have the option of creating a multi-factor authentication that can warn you if someone else is attempting to use your credentials to access cloud storage or versatile personal accounts.
Malware is the common way hackers use to compromise cloud infrastructures — have the tools that can remove them early.
Preventing Breaches With Cloud Security Protection
When it comes to companies, they need to add more thorough and robust cybersecurity measures to prevent data breaches.
- Regular audits of data that is stored in the cloud — having an overview of the information and cataloging it at all times enables more visibility and control
- Encryption of information — even if cybercriminals obtain data, they can’t read it
- Applying the zero-trust methodology — not allowing anyone into the system and assuming that anyone could be a criminal who is after the company’s and user’s data
- Proper cloud management — to discover any of the misconfigured components that can be exploited by hackers
- Backing up information
Ultimately, social media companies and online businesses are the ones responsible for cloud data protection. They need to have a strong security architecture built to identify, encrypt, and back up the information.
But the recent data breaches that occurred in companies such as Twitter and WhatsApp are a reminder that users should also actively participate in protecting their personal information that is being stored in the cloud.
There is no telling whether those incidents could have been avoided with different tools, protocols, and cybersecurity strategies.
However, each additional layer of protection applied by both users and companies makes the hacker’s job more difficult. Every stronger password and multi-factor authentication counts.
Also, it’s not too late to apply security measures now because the data that has been leaked by WhatsApp hackers (mobile phone numbers), as well as Twitter (user IDs), can lead to further criminal activity.
That is to say, if you’re one of the affected users, you might be the target of phishing or other types of online fraud.