Rich and famous turn to ‘personal cyber security’ to protect phones
Wealthy individuals are scrambling to lock down their privacy in the wake of the alleged hack of Jeff Bezos’ iPhone, as personal cyber security experts warn that the rich and famous are increasingly becoming the target of sophisticated cyber criminals.
Several groups offering bespoke cyber security services to wealthy individuals told the Financial Times that they had received calls from panicked clients seeking advice, after a report last week alleged that Amazon founder Mr Bezos was hacked by Saudi Crown Prince Mohammed bin Salman in 2018 through messaging service WhatsApp.
Where traditionally hackers have tended to attempt to steal sensitive data from big corporations, experts note a “significant” rise in costly and disruptive cyber attacks on celebrities, executives and politicians over the past year.
It comes as geopolitical tensions are rising, with many nations investing heavily in cyber warfare, while the overlap in use of work and personal devices mean that VIPs — and their family or inner circle — are considered softer targets.
“Cyber security has been [traditionally] focused on BlackRock and JPMorgan — that’s not the world any more,” said Roderick Jones, founder of Concentric Advisors, which offers bodyguard services as well as online security protection to billionaires.
Mr Jones, who also founded Rubica, a company that provides more affordable digital protection for families, added that had he received “lots of inbound” inquiries last week from clients about how to better protect themselves from adversaries following the Bezos revelations.
“The new cyber warfare is going after your kids’ iPad, not your executively controlled phone, he said.
While the market for enterprise cyber security is mature, attracting a record $5bn dollars in venture capital funding in 2018,a brisk business is now springing up to cater specifically for individuals.
“This most recent case brings to the forefront what many of our clients have been concerned about recently,” said Mike White, who heads the private client and family offices division of security risk management group Hillard Heintze, and is a former US secret service operative charged with protecting presidents including Donald Trump and Barack Obama.
The nascent personal security marketplace spans tech start-ups that offer services to consumers such as secure password managers and virtual private networks for anonymous browsing, to covert outfits that act as clandestine “cyber bodyguards”, monitoring and flagging up any unusual activity on a person’s devices in real time.
Some outfits are building “threat intelligence” databases for sharing information on attacks on groups such as royals, for example, according to some with knowledge of the situation.
Mike Waters, director in the cyber security practice of Control Risks, said his firm was increasingly providing “executive threat exposure reviews” — scanning the web for any personal information that may have found its way on to social media sites and erasing it.
“This can be used . . . to create customised phishing . . . that will look very plausible,” he said, referencing when cyber criminals try to trick users into downloading malicious software by opening an attachment, a so-called “social engineering” tactic that may have been used by Mr Bezos’ attackers according to the recent report.
Motivations for attacks can be financial — criminals looking to access funds, or to extort money from a deep-pocketed individual — as well as political, where a perpetrator seeks leverage if a high-profile person is criticising a regime or doing a deal in a particular region, for example.
According to Mr Jones, many attacks on his high-profile clients over the past year appear to have been launched by Middle Eastern proxies —typically third-party groups who lurk on the dark web and aim to do the bidding of a nation state — rather than undertaken directly by the government.
“A lot of the states that do cyber capabilities have a history of proxies using physical warfare, and it’s fairly controllable. In a digital space, that is uncontrollable — it goes faster and further,” he said.
This is only expected to worsen as the US remains on high alert for retaliatory cyber attacks from Iran, after a US drone strike killed the country’s top military commander Qassem Soleimani earlier this year. In addition, relations between the west and Saudi Arabia have also been fraught after the kingdom was accused of the 2018 murder of Saudi dissident and Washington Post newspaper columnist Jamal Khashoggi.
In the event of successful hacks on clients, “most people end up paying a quarter of a million or higher to remediate”, Mr Jones said.
The rise in breaches also comes as new technologies and ways of working — such as remote working or ‘‘bring your own device” policies — can inadvertently expose the sensitive information of an individual and their workplace without their knowledge.
Meanwhile, the market for malware — malicious software that includes spyware, for the surveillance of targets without their knowledge, and ransomware, where hackers disable a victims’ files or systems until they pay a ransom — has been ballooning and is being increasingly used to attack smartphones.
According to data compiled by RSA Security, 70 per cent of fraudulent transactions in 2019 originated on mobiles.
“The cache of data on these devices is just growing,” said Marc Rogers, vice-president of cyber security at Okta, who runs the security team for the world’s largest hacking conference, Def Con.
“[We’ve] seen a massive escalation of theft [from] mobile devices because criminals are realising that people are storing immense amounts of personal and financial information,” he added.
It is not just security experts who are giving guidance. Bankers and wealth advisers have been warning wealthy clients about the risk of personal cyber attacks with increasing urgency in recent years.
One European bank’s wealth management arm recently hosted a secret cyber security roundtable for clients at which the dangers were graphically illustrated by the live hacking of the phone of a European bank employee sitting in the audience. A specialist passed a small handheld device over the phone which extracted data in seconds.
“Cyber attacks on our clients are going to be a real problem. The weaknesses are internal [in client offices] — people, systems and processes,” said Oliver Gregson, head of UK private banking at JPMorgan, the US bank. “The sophistication and speed of these attacks is increasing month by month and year by year.”
In many cases, common sense is the best proactive defence, experts said. “People being curious or lazy is the biggest threat factor . . . not whether software or hardware has vulnerabilities,” said Petros Efstathopoulos, global head of research at NortonLifeLock Research Group. “That is a fact of life.”