Inside a Cyberattack: How Hackers Steal Data

Dave Gray, the VP of Sales at EMEA for Protegrity, provides insight into how hackers steal company data. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

The truth about cybersecurity is that it’s almost impossible to keep hackers outside of an organization, particularly as the cyber-crime industry becomes increasingly sophisticated and their technology more advanced. Furthermore, once a hacker has broken through an organization’s defenses, it is relatively easy to move within the network and access information without being detected for days or months. This is a significant concern for Banking and Financial Services organizations, which house valuable sensitive and Personally Identifiable Information (PII). The goal of cybersecurity is to minimize the risk and impact of a breach. Understanding the adversary’s mindset and activity is central to this.

A Hacker’s Motivation

Recently breached Black Basta chat logs provide a realistic insight into hackers’ structure and day-to-day life. Cybercrime is a business with targets, quotas, and call templates. While the motivations for hacking can range from purely financial to nation-state and hacktivism, for many, hacking is simply a day job.

The valuable intelligence here is that hackers seek the path of least resistance, the same as with any day job. This means hackers seek opportunities to minimize effort and maximize output, including recceing a site and jumping onto the guest Wi-Fi or simply walking into an organization and plugging straight into an ethernet cable. There is also an opportunistic element to their strategy, such as randomly checking for easily exploitable weaknesses or seeking low-hanging fruit—which is often employees.

A troubling new development that achieves efficiency and simplicity is Ransomware-as-a-Service (RaaS), which works like a marketplace for buying access to compromised systems or custom ransomware that can simply be deployed onto systems. This development is democratizing hacking and expanding the cyber-crime industry. For many organizations that process valuable data and essential services, a breach is a case of when, not if.

Inside a Hack

Often, a simple, mundane scenario grants hackers access to an organization’s system. For example, a hacker could search for an employee on LinkedIn, generate their email, and contact HR with a message they’ve been overpaid with a fake statement attached. If HR clicks the attachment, the hacker can access the system or deploy malware. Another example is parking outside an organization and finding weak spots, such as a server an intern previously set up for a test or a software vulnerability. Cybersecurity measures such as Zero Trust Network Access (ZTNA) and firewalls delay a hacker’s ability to breach the network; however, when they get inside, the organization is relatively vulnerable.

Once a hacker breaches the perimeter, the standard practice is to beachhead (dig down) and then move laterally to find the organization’s crown jewels: their most valuable data. Within a financial or banking organization, there is likely a database on its server containing sensitive customer information. A database is essentially a complicated spreadsheet wherein a hacker can click SELECT and copy everything. In this instance, data security is essential. However, many organizations confuse data security with cybersecurity.

Organizations often rely on encryption to protect sensitive data, but encryption alone isn’t enough if the decryption keys are poorly managed. If an attacker gains access to the decryption key, they can instantly decrypt the data, rendering the encryption useless. Many organizations also mistakenly believe that encryption protects against all forms of data exposure, but weak key management, improper implementation, or side-channel attacks can still lead to compromise.

To truly safeguard data, businesses must combine strong encryption with secure key management, access controls, and techniques like tokenization or format-preserving encryption to minimize the impact of a breach. A database protected by Privacy Enhancing Technologies (PETs), such as tokenization, becomes unreadable to hackers if the decryption key is stored offsite. An attacker cannot decrypt the data without breaching the organization’s data protection vendor to access the key, making the process significantly more complicated. This can be a major deterrent to hackers.
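The separation described above, as an added example that is not part of the original article or any vendor's product: the application database stores only tokens, while the token-to-value mapping sits in a separate vault that enforces its own access check. The TokenVault class, the card-number field and the sample rows are hypothetical and constructed for illustration; the vault is an in-memory stand-in for an off-site service.

```python
import secrets
import sqlite3


class TokenVault:
    """Stands in for an off-site tokenization service (hypothetical, in-memory)."""
    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, pan: str) -> str:
        # Same input always maps to the same token, so lookups and joins still work.
        if pan in self._by_value:
            return self._by_value[pan]
        while True:
            # Random digits of the same length; last four kept for display.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_value[pan] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        # Access control is enforced at the vault, not in the database.
        if not caller_authorized:
            raise PermissionError("caller may not detokenize")
        return self._by_token[token]


def build_customer_db(vault, customers):
    """Application database: holds tokens only, never the real values."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [(name, vault.tokenize(pan)) for name, pan in customers],
    )
    return db


def dump_table(db):
    """What a full SELECT against the application database returns."""
    return db.execute("SELECT name, card FROM customers").fetchall()


# Constructed sample data (well-known test card numbers, not real accounts).
SAMPLE = [("A. Example", "4111111111111111"), ("B. Example", "5500005555555559")]
```

A full dump of the customers table yields format-valid tokens that fit the existing schema, and recovering the originals requires an authorized call to the separately held vault.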

How to Outsmart a Hacker

Another reality for organizations is that it’s relatively easy for hackers to evade detection. According to IBM, it takes organizations an average of 258 days to identify and contain a breach. The organization may not even learn of the breach itself; it may be notified by the hacker or by a competitor to whom the hacker is trying to sell the stolen data. IBM’s findings indicate that the window of detection is closing at 258 days, which is a 7-year low. However, this is still a significant amount of time for a hacker to become comfortable within an organization’s system. This can mean the hacker is constantly accessing fresh customer data and learning who’s within the ecosystem to breach the organization’s supply chain.

Organizations should focus on making attacks more difficult and less rewarding to deter hackers. If the effort and risk outweigh the potential gain, attackers are more likely to move on to an easier target. Implementing layered cybersecurity measures and a Zero-Trust framework strengthens defenses. However, banking and financial institutions hold such valuable data that hackers will be more determined. To counter this, investing in robust data protection is a must rather than relying solely on perimeter cybersecurity. Organizations should ensure that even if an attacker breaches their systems, sensitive data remains secure—effectively rendering it useless to cyber-criminals.

