(Spoiler Alert: Laundering and Money Mules!)
By JP Johnson on 25 Feb 2019
According to the latest figures for cyber security threats from theGemalto Breach Level Index, 4.5 billion data records were compromised by cyber-criminals in the first six months of 2018. Join us as we discuss how attacks against HR departments are playing into this worrying picture, and how you can plan to reduce the risk to your own team’s information.
Why are cyber criminals targeting HR Managers?
The reason HR Managers and their colleagues are a potential goldmine for cyber-criminals is simple: they process large volumes of information that could potentially be used for crime.
Firstly, there’s the extensive personally identifiable information (PII) held on each job applicant and employee, including their bank details, personal information and identity documents. Every item of data involved in processing applications and payments is potentially useful to criminals.
Secondly, the HR Manager’s own details and identity can be co-opted for fraudulent activities.
Every HR team needs to store information of these types, regardless of the level of cyber-attack risk traditionally associated with their industry. This has led some cyber-criminals to target new industries in search of under-protected data.
How are HR Managers being affected by cybercrime trends?
In June this year, The Guardian reported that the Australian job application software provider PageUp had been hacked, leaving at risk the PII of thousands of people applying for jobs with PageUp’s clients, which included Aldi, Lindt, Wesfarmers and the Reserve Bank of Australia.
Now, we don’t know what happened to the PII that was potentially exposed in this case – but we do know that whoever was behind the hack could have used the information in any of several ways.
At the more straightforward end of the spectrum, some hackers sell large sets of stolen employee/applicant data via forums or the Deep & Dark Web (DDW). The information, which may include details such as national insurance numbers and tax information, can then be used by other criminals to commit offences like tax fraud and identity theft.
Some cyber-criminals are using far more elaborate ploys to profit from employee/job applicant PII. In one such scheme, hackers use PII from HR recruitment databases to create a hit list of targets – many of whom will be job-seekers looking for any work they can get – to use as “money mules.”
Money mule schemes involve the transfer of illicit funds from a criminal’s account into the mule’s account, and then on to a destination account. The fraudster presents the activity as legitimate work; and oftentimes the job applicant believes them.
Employee PII potentially makes this process especially easy for fraudsters, as the employee bank details they require may already be in that dataset. Add to that the high volume of personal identity documents HR Managers store on workers and applicants – three documents per person appears to be the average figure for PlanetVerify clients – and it’s clear that a compromised HR database could give criminals all the tools they need to enable a wide range of fraudulent activities.
And it’s not just employees that data cybercriminals are out to exploit – HR account information is also being used for criminal ends. According to Flashpoint, hackers operating on job portals can adopt the identity of a legitimate business, and then use its account to post illicit job ads and recruit trusting job-seekers to take part in money laundering schemes. Such ads are all the more convincing for being posted in the name of a respected company.
What can HR Managers do to protect employee information (PII) from cyber-criminals?
The steps required to protect PII from cyber-criminals will vary depending on an HR team’s unique situation.
One recommended safeguard is to use an asset protection framework called vulnerability-threat-control to focus your thinking about which cyber threats apply to you and how to counter them:
- Vulnerability: first, identify a weakness in your system that could be exploited to facilitate data theft.
- Threat: is there a set of circumstances involving the weakness you have identified that could cause loss or harm to employee PII?
- Control: identify an action, device, procedure or technique that could eliminate or reduce the threat stemming from your vulnerability.
Here are two examples of how the vulnerability-threat-control framework could apply to an HR context:
Employee PII is held on HR Manager’s personal email and SMS.
Some HR team members with high level PII access have not been fully checked for criminal record.
If a HR Manager’s phone is lost or their email is hacked, employee PII could come into the possession of criminals.
Potential for a team member to sell employee PII to criminal third parties.
Consolidate all employee-HR data transfer and storage onto a single secure channel.
Restrict access permission to criminal record checked team members.
The vulnerability-threat-control framework is outlined in-full by cybersecurity expert, Dr Daniel Soper, in his video lecture, Introduction to Computer Security.
This isn’t just about money
As the British Minister of State for Security and Economic Crime, Ben Wallace, writes in his foreword to the UK Government’s report, The Cyber Aware Perception Gap, “For many businesses affected by cyber-crime, the impact goes far beyond the immediate financial cost, weakening business reputation and damaging trust in both individual businesses and business as a whole.”
The stakes for HR teams are high, and the dangers are real. Our advice is to use the vulnerability-threat-control framework to assess and counter the threats facing your employee data. No organisation can make its data completely safe from cyber-criminals, but there’s a lot that can be done to reduce the risk.