How the Goldcorp Hack can teach us to protect the data goldmine

31 July 2016 (Last Updated July 31st, 2016 18:30)

In April Goldcorp suffered a major data breach. Hackers leaked a raft of sensitive internal documents and promised to reveal even more, including examples of “corporate racism, sexism and greed.” Rod James looks at the damage done and what mining companies have to do to keep their computer systems secure.

Though a technologically complex business, mining is in many ways a world away from the spreadsheets, memos and databases of industries like finance and retail. Occasionally, however, an event takes place that forces mining companies to think seriously about their internal files and the computer systems on which they are kept.

In April, Goldcorp, one of the world’s largest gold producers, discovered that its internal network had been infiltrated by hackers as part of an attempted act of extortion. Having gone undetected for months, the hackers were able to access 14.8GB of documents from the Vancouver-based company’s computer systems, including payroll information, contract agreements with other companies, budget documents and bank account details.

“Several more data dumps are being prepared,” the hackers wrote gleefully. “The next dump will include 14 months of company wide emails, emails containing some good old fashion corporate racism, sexism, and greed.”

Goldcorp reacted calmly, with CEO David Garofalo telling Bloomberg News Canada that he was relatively unconcerned from a disclosure standpoint: “Given that [we’re] a public company, any sensitive material information has to be in the public domain anyway,” he said. This may be so, and it’s also true that mining companies aren’t under the same regulatory or customer gaze as those in other industries. Still, it doesn’t look good if a company of Goldcorp’s size cannot protect its own internal files, let alone those that concern its business partners.

How hacks happen

To many, largely due to the influence of cinema, computer hacking evokes an image of a brainy individual typing fiendishly complex lines of code into the computer interface of NASA, the CIA or some other powerful organisation. But the reality is much more prosaic. A hacker is far more likely to take advantage of a weak password or, likelier still, a reused one. For example, if your password was stolen during the 2011 PlayStation Network hack, in which 77 million gaming accounts were compromised, and you use the same password to log onto your work network, it gives a hacker the key to that door.

Regulated industries such as finance and healthcare are obligated to have strong data monitoring in place so even if that weakness is exploited, companies can identify the hack taking place and stop it. But industries such as manufacturing, education and mining are still some way behind.

For Rob Sobers, director at software company Varonis Systems, what happened at Goldcorp is not that surprising. He sees similar examples every day, normally the result of simple human error.

“It just comes down to a fundamental lack of monitoring,” says Sobers. “So if there is a vulnerability or some sort of backdoor that a hacker discovers, they can take advantage. Getting on the network is usually the easy part nowadays. Where we see a lot of companies breaking down and having these breaches that don’t get discovered for sometimes years, they are not watching what users are doing.”

Spotting trends and deviations

Monitoring at a fundamental level involves looking at the files on a computer system and trying to spot irregular patterns of use. For example, if a file that hasn’t been touched in years is suddenly being copied or deleted, a member of staff should be alert to possible malicious intent. If an employee normally accesses 20 documents in a day and one day that number hits 5,000, this also should arouse suspicion.

Fortunately, you don’t need to hire huge numbers of people or buy expensive, soon-to-be-obsolete hardware to carry out effective monitoring. There are many types of software on the market, increasingly cloud-based, that log all actions associated with the files and emails on a system, allowing heads of department to see exactly when a file was copied, deleted or renamed – and by whom.

“In most companies these actions happen and they are never recorded,” Sobers says. “But with monitoring software each activity for each user is logged and analysed so not only can you go back and look at the record and ask ‘what did Bob do on January 15 with these files?’, but you can start to build patterns, baselines of someone’s normal behaviour…That’s how a lot of breaches are detected. If you don’t have something recording that and looking for anomalies you are reliant on someone noticing that a file was deleted or even worse having a breach reported by a customer whose data got leaked.”
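The two signals described above (a user's daily file activity jumping far past their own baseline, and a long-dormant file suddenly being copied or deleted), as an added example that is not part of the original article or of any vendor's product. The log format, thresholds, user names and paths are constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample audit log: (day, user, action, path). Not from a real system.
def build_events():
    events = []
    for d in range(1, 15):                    # two ordinary weeks: 20 files a day
        for i in range(20):
            events.append((date(2016, 1, d), "bob", "read", f"/finance/q{i}.xlsx"))
    for i in range(5000):                     # one day of bulk copying
        events.append((date(2016, 1, 15), "bob", "copy", f"/hr/payroll/{i}.pdf"))
    events.append((date(2016, 1, 15), "alice", "delete", "/legal/contract_2009.doc"))
    return events

# Constructed: when each file was last touched before the audit window began.
LAST_TOUCHED = {"/legal/contract_2009.doc": date(2010, 3, 2)}

def volume_alerts(events, factor=10, min_days=7):
    """Flag (user, day, count) when count exceeds factor x the user's median of prior days."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, user, _action, _path in events:
        per_day[user][day] += 1
    alerts = []
    for user, days in per_day.items():
        history = []                          # counts from days judged normal so far
        for day in sorted(days):
            count = days[day]
            # No alert until min_days of history exist (cold start for new users).
            if len(history) >= min_days and count > factor * median(history):
                alerts.append((user, day, count))
            else:
                history.append(count)         # flagged days never feed the baseline
    return alerts

def dormant_file_alerts(events, last_touched, dormant_days=365 * 2):
    """Flag copy/delete of a file that had been untouched for more than dormant_days."""
    alerts = []
    for day, user, action, path in events:
        prev = last_touched.get(path)
        if action in ("copy", "delete") and prev is not None and (day - prev).days > dormant_days:
            alerts.append((user, day, action, path))
    return alerts

if __name__ == "__main__":
    events = build_events()
    print(volume_alerts(events))
    print(dormant_file_alerts(events, LAST_TOUCHED))
```

Using the median of previously normal days as the baseline keeps a single burst from raising the threshold for the days that follow.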

Three steps to better computer security

For mining companies looking to strengthen the security of their computer systems, Sobers recommends three initial steps. First, use data classification software to trawl your servers and find exactly where your most sensitive documents are located so that you can give them extra protection. Then employ a monitoring system that logs every action related to the files on your network.

Finally, consult with departmental and human resources heads to come up with a framework that determines who should have access to which information.

“You want to get to what we call a ‘least privileged model’, so each employee only has access to the things they need to do their job,” he explains. “People change roles within a company, they accrue more and more access over the years and that excessive access often never gets revoked. If that person’s account gets compromised by a hacker then that hacker is going to get access to a lot more information than they should have. You can minimise the surface area of damage by ensuring only the right people have access to the right data.”

It is difficult to completely eliminate human error. It’s a pain to remember a lot of passwords so people will continue to repeat them, and stories about flash drives full of sensitive data being left on buses and trains continue to be reported on a weekly basis. But with decent monitoring, mining companies should be able to identify and repel attacks before they do severe operational and reputational damage.