Fujitsu’s data breach: expert analysis from Chris Denbigh-White

Interview with Chris Denbigh-White: In a startling revelation, it has come to light that Fujitsu, a major player in the IT services industry, left crucial access keys and a LastPass vault brimming with sensitive data exposed in a public cloud bucket for nearly a year. Discovered by a diligent security researcher from the Dutch Institute for Vulnerability Disclosure, this oversight spanned from March 2022 to early 2023, leaving a trove of private information accessible to anyone with an internet connection.

Among the alarming contents unearthed were a comprehensive mailbox backup housing thousands of sensitive emails, detailed insights into client activities and team operations, a CSV file containing passwords extracted from the widely used password manager LastPass, and a plethora of Microsoft OneNote files purportedly containing extensive customer information.

Fujitsu’s clientele includes esteemed entities like the UK’s Post Office and Ministry of Defence, so the ramifications of such a breach are profound and far-reaching. We sought expert analysis from Chris Denbigh-White, Chief Security Officer at NextDLP, to delve deeper into this incident. Drawing from his extensive background, which includes over 14 years in cybersecurity, including pivotal roles at Deutsche Bank and cyber intelligence for the Metropolitan Police, Chris Denbigh-White offers invaluable insights into the implications and lessons to be learned from Fujitsu’s lapse in security protocols.

Recently, Fujitsu was the victim of a cyberattack that compromised several of its IT assets. What do you think about this hack?

The recent cyberattack on Fujitsu, compromising multiple IT assets, underscores organisations’ susceptibility to digital breaches. While this incident’s precise details and ramifications continue to unfold, it accentuates the urgent need for robust cybersecurity protocols to mitigate such threats. The unauthorized access to sensitive information, facilitated by the acquisition of administrative passwords and intricate network insights, poses substantial risks to Fujitsu and enterprises across diverse sectors. This development serves as a poignant reminder of the persistent challenges posed by cyber threats and the imperative of proactive measures to fortify critical data and infrastructure.

Given your extensive experience in corporate and law enforcement, how do you see the landscape of data protection evolving, especially in light of emerging technologies and evolving cyber threats?

The landscape of data breaches is continuously evolving, necessitating corresponding adaptations in the response strategies of information security teams. Ransomware is a useful example of this. Initially, ransomware attacks were straightforward, employing a single-stage approach: encrypting data and demanding payment for its release. In response, information security professionals advocated for robust backup systems to mitigate potential disruptions caused by widespread data encryption.

Subsequently, cybercriminals refined their tactics, orchestrating attacks where data was not only encrypted but also exfiltrated, transforming the nature of the threat into a dual-pronged “ransom and extortion attack.” This evolution introduced the ominous prospect of “pay us or we will release your data” ultimatums.

More recently, ransomware gangs have escalated their tactics further by engaging in multifaceted attacks involving encrypting and exfiltrating data and leveraging this information to coerce victims into compliance. This advanced attack level extends to disclosing the breach to victims’ customers and regulatory bodies if ransom demands are not met, thus extending the ultimatum to “pay us or we will release your data AND report you!”

Over the past few years, ransomware particularly has followed a “SaaS-like” model, which has seen a move from individual gangs conducting individual attacks to “criminal service providers” offering infrastructure, payment services, and software licensed to conduct multiple operations across many sectors.

In this sense, the trajectory of cyber criminality mirrors the broader evolution of technology.

Fujitsu's data breach: expert analysis from Chris Denbigh-White
Fujitsu’s data breach: expert analysis from Chris Denbigh-White

NextDLP specializes in data loss prevention solutions. Can you discuss some common vulnerabilities or blind spots that organizations often overlook when safeguarding their data and how NextDLP’s approach addresses these challenges?

When it comes to data loss prevention (DLP), organizations frequently disregard several common vulnerabilities and blind spots, leaving them susceptible to data breaches. These oversights often do not involve sophisticated nation-state-level techniques. Instead, they could be described as “a failure to understand and implement ‘the basics.’

One recurring blind spot lies in certain security teams’ inclination to focus on overly complex strategies and technologies.

The reality is that most data theft from organizations does not entail intricate and clandestine exfiltration tactics; instead, it often boils down to simple actions: “copy” and “paste.” Whether this involves transferring data to a USB device or cloud storage, the process of copying and pasting can lead to data loss. Meanwhile, security teams may find themselves immersed in scrutinizing logs to identify nation-state threats whilst completely missing the data leaving their control.

This oversight is frequently compounded by users’ lack of awareness or comprehension regarding the risks of their actions. Organizations often fail to establish guardrails around user activity, allowing individuals to conduct business operations without adequate safeguards or imposing such draconian controls that users shift to “shadow IT.”

Multinational technology giant Fujitsu confirmed a cyberattack in a statement, and warned that hackers may have stolen personal data and customer information.

In your role as Chief Security Officer at Next DLP, what key strategies or best practices do you recommend for organizations looking to enhance their data protection measures and mitigate potential security risks effectively?

I advocate for a comprehensive approach to bolstering data protection measures and mitigating security risks.

Firstly, fostering a culture of cybersecurity awareness among employees is paramount. Regular training sessions and simulated phishing exercises serve to educate staff in recognizing and effectively responding to cyber threats, thereby diminishing the likelihood of successful attacks.

Organizations should be proactive by continuously monitoring anomalous activities and unauthorized access endeavours. This entails harnessing advanced analytics to identify suspicious patterns indicative of potential security breaches.

Organizations must prioritize the establishment of resilient backup systems to counter the disruptive effects of ransomware attacks and ensure swift data restoration capabilities following breaches. Additionally, deploying data loss prevention (DLP) solutions is imperative for identifying and thwarting unauthorized data exfiltration attempts, particularly amidst the evolving cyber threat landscape.

Lastly, collaborating with industry counterparts and sharing threat intelligence can yield valuable insights into emerging threats and proactive defence strategies. By remaining informed and implementing these critical measures, organizations can fortify their data protection posture and effectively mitigate security risks in today’s dynamic threat environment.

Like in a fire scenario, where buildings equipped with fire marshals, evacuation plans, and sprinkler systems are better positioned to contain and minimize damage, proactive cybersecurity measures can limit the spread and impact of cyber attacks or data breaches, reducing potential harm and associated costs.

George Mavridis is a freelance journalist and writer based in Greece. His work primarily covers tech, innovation, social media, digital communication, and politics. He graduated from the Aristotle University of Thessaloniki with a BA in Journalism and Mass Communication. Also, he holds an MA in Media and Communication Studies from the Malmö University of Sweden and an MA in Digital Humanities from the Linnaeus University of Sweden.