On Demand Library
Created in partnership with
Who Engages in a Data Breach?
4:32
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice, instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information. 
Transcript

00:02
Adam Stofsky
Hey, Joe. How's it going? 


00:03

Joe Santiesteban
It is going well, thanks. Happy to be here. 


00:05

Adam Stofsky
Today I'm going to talk about who actually engages in a breach like who does this. I'm guessing it's important to know who is doing this and why to kind of get to the bottom of it and put a stop to it. 


00:18

Joe Santiesteban
Yeah, so that's exactly right. And I couldn't have said kind of the reason this is important any better myself, but yeah. So we can break threat actors up into a few different categories. The first category are going to be the financially motivated criminals. And those actors engage in a variety of kind of theft or destruction. But their goal at the end of the day is to monetize what they've done, usually as quickly as possible. So sometimes it's encrypting systems or taking down sites, other times it's stealing personal data or other kinds of sensitive data. But the goal at the end of the day is to get in, get something that's valuable or create some value and then get out. The second category of threat actors that's probably the most common are nation state actors. 


01:12

Joe Santiesteban
And while their techniques can sometimes be similar, they tend to be much more sophisticated and they're not necessarily financially motivated. Instead, we see them engage in activity that's either intelligence gathering kind of from a military perspective that would be valuable from a military perspective or kind of corporate espionage. So theft of information, that's valuable from businesses with the goal one day of being able to create competing products. 


01:46

Adam Stofsky
All right, so we've got your thieves and your spies. What's next? 


01:52

Joe Santiesteban
Thieves, spies. And we'd say hacktivists would be the next category. And these are actors that are not financially motivated, they're not spying, but what they are doing is looking to achieve usually some political end. So a lot of the work that you'd see taking down or attacking political parties or stealing information from sensitive sites with the goal of being able to publish the information to shame a politician or someone in public. But the idea being we're engaging in this activity to achieve some non financial end. 


02:30

Adam Stofsky
Does this include like these hacking collectives you always hear about who would just want to sow chaos? 


02:35

Joe Santiesteban
That would be its own fourth category. The hackers that are using that are really out there, like just for the lulls, if you will. And we have seen these threat actors be engaged in very sophisticated techniques, invest heavily in resources to be able to carry them out. And then at the end of the day, after they get kind of significant access to a business, what they do is just publish what they did. And so despite having the capability of being able to cause destruction or to steal important information, they're just not doing so. 


03:12

Adam Stofsky
Wow, that's interesting. All right, just to go back here, we got four categories. We got your thieves, your spies, your kind of activists or political activists, and then you're kind of just bringers of chaos or show offs, really, is what you were saying, right? 


03:30

Joe Santiesteban
For the Lulls, as the kids for the Lulls. 


03:33

Adam Stofsky
One final question. This is probably a huge question, but you can give me a quick summary. Is does the identity or the motivation of the threat actor actually change your legal obligations or legal responsibility, or is that kind of universal to all breaches? 


03:48

Joe Santiesteban
So none of the laws around cybersecurity turn necessarily on who the threat actor is. But a lot of what we're doing in response to a data breach is trying to conduct a reasonable investigation and assess the risk that results from that data breach. And who the threat actor is and how far along they were in their attack are relevant to both of those questions. So how far do we need to investigate? Where do we need to investigate, and then how do we assess the risk to other parties from our incident? 


04:26

Adam Stofsky
Well, thank you, Joe. That was super interesting and really helpful. Really appreciate it. 

PDFs
Audio
Share Video
Embed Video
© 2024 Briefly