News broke recently that 700 million users have had their data taken from LinkedIn and advertised for sale online. The earliest report we can find is at Restore Privacy .

So what happened?

A malicious actor appears to have scraped the data of 700 million users. Most of it appears to be from LinkedIn and likely padded out with data from elsewhere.

The leaked data includes the following:

  • Email addresses
  • Full names
  • Phone numbers
  • Physical addresses
  • Geolocation records
  • LinkedIn username and profile URL
  • Personal and professional experience/background
  • Genders
  • Other social media accounts and usernames

Why do we care?

LinkedIn profiles are mostly public anyway, why does it matter? However, many people customise their profiles to be only visible to either direct connections or their network. The data leak appears to have all public information regardless of privacy settings. Additionally to this, the leak includes internal information such as their personal email addresses, phone numbers and geolocation data.

This means that your employees could be targeted directly on a personal level with phishing scams and even identity theft attempts. For the UK any attempts should be reported to ActionFraud immediately.

Most LinkedIn users publicly declare their current employer. It’s a fair assumption that an employee’s email address will be firstname.lastname@companyname so it’s likely that the buyers of the leak will have nearly 700 million active business email addresses.

What’s the risk to my business?

Expect an increase in spam, generic phishing and malware/ransomware attempts as is usual whenever a leak like this occurs.

The bigger risk is for spear phishing where a targeted attack against an individual is made. Let’s take an example where the director of a company and one of the accounting team are targeted. Given the information from LinkedIn, a bad actor could send an email direct to the accountant posing as the director that a payment needs to be made with the details. Most scams like this incur a sense of urgency to the request to try and distract from thinking through the nature of the request properly (“does the boss usually sign off on their emails like that?") such as the payment being overdue and it’s the last day to pay before there will be solicitors involved.

This is just one common example of what can be done with that kind of data. When listing job experience, people often list which technologies & business processes they work with day to day. This is a treasure trove for a more complex social engineering attack.

What can we do about it?

Appropriately managed technology can help reduce your risk significantly. Email security gateways to perform spam and malware filtering will stop a lot of attacks at the door. A layered approach is best as no system is 100% effective. Multi-Factor Authentication (MFA) is strongly recommended wherever it is possible so that in the event that a member of staff does click on a malicious email and enter their login details they still can’t be used without the code from the mobile phone.

Behind this, a strong antivirus solution on the employee PCs, Laptops and business mobiles is essential as everyone can make a mistake at some point.

Lastly, a robust data backup and restore plan to protect against loss and ransomware is a must.

Technology is only one side of the coin. To further reduce risk to the business you should look at clearly defining business processes. In our example above is an email enough to send the usual £10,000 owed to the supplier to a different bank account than normal? One common improvement here is to make all payment requests over x value need to be followed up with a phone call to the person requesting it at a known phone number for them (not the one in the odd looking email!) to validate that it is legitimate.

Businesses are starting to get cyber insurance to cover these specific scenarios in case the worst does happen and the standard business insurance doesn’t cover these situations.

Finally, as it’s the staff themselves that are often targeted, training is always a strong investment. An aware workforce will act as your gatekeepers and protect the business from risk.