The U.S. Customs and Border Protection said this week that travelers’ images and personal data such as driver’s license info were compromised in a breach. While the threat of identity theft is very real, the real-world implications of one or more data breaches like this one will likely far exceed this expectation.

Critical Start’s Callie Guenther

“It does no good to have people well-trained in the technical aspects of security if they forget that their clients are real feeling people who are fearful in a world of the unknown,” said Callie Guenther, cybersecurity expert at Critical Start.

There’s more to fear than fear itself in data-breach implications.

“If [traveler] images were stolen [in the US Customs and Border Protection breach], they could easily be sold. This is especially concerning if images of government officials, diplomats, military members, members of Congress, and or known criminals were compromised and subsequently forged. This could provide access across a border, to classified spaces, or facilitate a number of other unauthorized activities,” added Guenther.

These threats are not far-fetched.

“Keep in mind that espionage and criminal activity are nothing new,” said Mark Trinidad, senior technical evangelist with Varonis.

Even so, knowledge is power, and these days that knowledge comes in the form of digitalized data. There are many ways to wield that power against a government, organization or an individual. Below are just a few, but they are also among the most common physical implications.

1. Blackmail. “Breach data can be used to blackmail people. This is common technique used to manipulate people with clearances to disclose classified info,” explained Jeff Williams, CTO and co-founder at Contrast Security.

2. Deepfake information. From deepfake videos like the one of Facebook’s Mark Zuckerberg, to falsified identity documents to fool TSA and other agencies, manipulating information is a serious threat on many levels.

“The long-term consequences to the travel and tourism industry could be catastrophic,” said Guenther.

3. Assassination by medical records. “Stolen information facilitates and perpetuates fraud, but an even bigger threat involved changing or deleting critical information. Medical records could be changed or deleted to dupe doctors into giving the wrong care to patients in an emergency when time is short, for example,” warned Trinidad.

Point B’s Steven Weil

4. Outing spies and informants. “Data breaches that enable unauthorized access to sensitive personal information, such as the 2015 Office of Personnel Management breach, could be used by sophisticated attackers, such as a nation state, to identify spies or blackmail employees,” explained Steven Weil, cybersecurity consultant with Point B. “A breach that revealed spies or other undercover government employees could result in the employees being denied entry to a country, being detained or being covertly monitored while they travel.”

5. Kidnapping of executives and key personnel. “A breach that revealed the detailed travel plans of senior executives could enable criminals to kidnap the executives and hold them for ransom,” said Weil.

6. Development of war and bioweapons. “Certain private organizations, such as RAND, and government laboratories, for example the U.S. Army Medical Research Institute of Infectious Diseases [USAMRIID] likely have data, that if breached by a nation state, could be used to …

… help develop bioweapons or find vulnerabilities in military equipment. Such data could also be illegally obtained by criminals or hackers then sold to a nation-state,” warned Weil.

7. Enablement of corporate espionage. Forbes reported a data breach that exposed the physical security systems of major hotel chains across the globe. Hotel guests around the world are now vulnerable due to the exposure in that breach of electronic in-room safes, multiple devices that control room locks and elevator access, and other physical security management systems.

“In this latest U.S. Customs and Border Protection Breach, cybersecurity flaws exposed critical facial recognition and license plate data as well as access to (and through) physical security systems that ensure national security and traveler safety,” said ReconaSense co-founder and CTO John Carter, who is a former NASA engineer, SIA board member and Homeland Security Advisory Group chair.

Where MSSPs Come In

The days of treating cyber and physical threats as separate issues are long gone; indeed, there never was a time when information didn’t affect the real world. But as digitalization became a driving force, finding specialized talent capable of protecting that data became a single, intense business focus. Today, it’s smart to reunify the digital and physical realms and treat them as a single attack surface.

“Security teams at high security organizations – such as defense contractors, large financial institutions, government intelligence agencies – consider the above impacts as part of their vulnerability assessments,” says Weil.

“Aside from high security organizations, most organizations don’t consider such impacts. During my 22 years in cybersecurity, it’s been rare for me to see an organization consider such impacts,” Weil added. 

MSSPs that do offer a comprehensive approach to security in both the physical and digital worlds offer greater value to their customers; and in turn, realize greater revenue for their own companies. But what specifically should MSSPs consider providing for their clients?

“Educate clients about the increasingly serious physical-world implications that are caused by data breaches. Use real world examples, like the above breaches, to get security teams and executives to think and care about impacts such as blackmail and kidnapping,” advises Weil.

“When performing risk and vulnerability assessments or creating tools used for such assessments, include detailed analysis of vulnerabilities that could result in real world, physical impacts like those discussed above,” Weil added.

MSSPs should also look at using tools capable of creating and maintaining comprehensive situational awareness.

“AI-powered solutions can detect anomalies and identify threats across an entire security infrastructure – IT and physical – before a breach occurs, enabling teams to go beyond managing siloed data and alerts to achieving true situational awareness and rapid response capabilities,” said Carter.