Most of the recent data breaches involve customer information such as user names and passwords, credit card numbers, and medical histories. The companies hacked are hurt -- they have to contact victims, pay for credit monitoring services and fines, and may lose customers, brand reputation, and market value -- but that is collateral damage.
Or it has been.
Increasingly, attackers are using data leaks to target the companies themselves, going after proprietary or embarrassing information and releasing it in such a way as to do the most harm.
That's a change that companies need to be aware of, said Andrew Serwin, co-chair of the global privacy and data security group at San Francisco-based law firm Morrison & Foerster.
"I believe that we are moving into a space where the attacks will be less B-to-C centric, in terms of the data targeted, and be both B-to-B and B-to-C focused," he said.
Data-loss prevention strategies that just focus on the personally identifiable data are no longer enough, he said.
"Companies need to view this issue as a governance issue and make sure they take a holistic view of the issue," he said.
And the need for action is urgent, as both the hacking tools and the leak channels increase in sophistication.
"It's a combination of a lot of things that we've seen for a lot of years coming together," said Ric Messier, head of the cybersecurity program at Burlington, Vt.-based Champlain College. "The fact that it's so easy to do this leaking and be able to manipulate people in this way certainly suggests that we're probably just starting to see the beginning of these sorts of activities or attacks."
Businesses have been slow to pick up on this, he added.
"The monetary motivation across the world of attack space has changed," he said. "It used to be kids on Internet Relay Chat channels outing someone else that they didn't like -- that's been around for ages. But we've taken it to a different level, leaking information to potentially manipulate stock prices, or for blackmail or extortion.
"As long as there's money to be made in leaking information, we're absolutely going to see it continue to increase."
And the potential for damages is much larger than in leaks of personally identifiable information such as credit card numbers.
"There are mechanisms in our existing financial infrastructure that help companies recover from the losses that sometimes occur," said Ray Rothrock, chairman and CEO at security firm RedSeal. "But you can't recover from the trust factor."
Or ask St. Jude. This summer, the medical device maker saw its stock price drop when a security report was released claiming vulnerabilities in the company's pacemakers -- while the company that released the report made money short-selling the stock.
"When this report hit the wire, St. Jude's stock went down 5 percent in the same day," Rothrock said.
"And there are rumors that sometimes companies are attacked by nation states that are playing a financial game," he added. "Or what if oil companies got after each other and started putting out bad cyberrumors as a competitive weapon in a contract negotiation or a supply chain negotiation -- that would be huge."
There's a lot of money that could potentially be made here.
"It's probably going to get worse before it gets better," he said.
Another recent example is that of the Dark Overlord hackers, who used the threat of disclosing private information to try to extort money from companies.
They made the threats in connection with a ransomware attack, said Sean Mason, director of threat management and incident response at Cisco Systems.
"They went through and locked up all of the critical assets and data -- after ensuring that they copied everything," he said.
When one of the victims, investment firm WestPark Capital, refused to pay, the hackers released non-disclosure agreements, contracts and other documents.
The hackers also published a note claiming that the firm's CEO "spat in our face after making our signature and quite frankly, handsome, business proposal."
"It is becoming a growth industry on the criminal side of things," said Mason. And while some companies take a hard-line stance and will not be blackmailed, others will consider the price a drop in the bucket and pay up.
The current season of USA Network's Mr. Robot had it as a plot device, he added. "It's become mainstream enough that it's in TV shows."
But paying the ransom is no guarantee that the data won't come out.
"Sure, releasing the data right away will harm their reputations and make other victims less likely to comply. But there's also no reason for them to delete something that they might use at some point down the line."
"Data can have a long half-life depending on whom it affects," said Wendy Nather, advisory board member to RSA Conference and research director at the Washington, DC-based Retail Cyber Intelligence Sharing Center.
A wider view of risk
Public leaks of proprietary information are changing the way that some companies look at core data protection.
"Most enterprises have focused their efforts on PII," said Kennet Westby, president at security firm Coalfire Systems. "Executive emails, human resources, communications about deal structures -- that kind of information has not traditionally been incorporated into the risk assessment for most enterprises."
But that has "changed tremendously," he said, and now the enterprises that his company works with are looking beyond data that can be easily sold on the black market, to data that can damage corporate reputations, trade negotiations, and market value.
"That could be a much more significant impact to the enterprise than a PII data breach, which can be managed through a financial program and a good incident response plan," he said.
The nature of the attackers has changed as well. The threats are coming from ordinary criminals, as well as from market manipulators, hacktivists, disgruntled employees or customers with a vendetta, business rivals, and even nation-states.
"If you're not doing the data discovery, somebody else is going to be doing it for you," he added.
But not in a good way.
It doesn't help that more and more communications are going digital, he added, and are vulnerable to discovery.
"We'd rather text people than talk to them, or send an email on a subject that might be much more appropriate to a private conversation," he said. "That culture has extended to executives and other key members of teams using Twitter or social media, and communicating through their own email servers or Yahoo or wherever."
"My prediction, based on the Russian playbook, is that they'll go after media," said Adam Meyers, vice president of intelligence at CrowdStrike.
The FBI recently investigated a hack of the New York Times that was connected back to Russia, he said.
"There was not anything disclosed at the time, but the fact of the Russian intrusion at a media organization is certainly significant," he said.
A leak of information that is embarrassing, or that could be seen in a negative light, could cast doubts on the legitimacy of the press.
"What they need to do, in order to really cause a mess in the U.S., is to get us to question the electoral process and the result of the election," he said. "We'll be paralyzed for months if that happens. We're already doing it by ourselves, but if we're on the edge of the cliff, they can do a lot to push us over the edge of the cliff."
And the information doesn't even have to be accurate, he added.
A Russian news organization aired a story that said that a hard-core, right-wing candidate had won an election in the Ukraine based on supposedly leaked information from the Ukrainian election authorities -- but the hackers had not actually succeeded in breaking in, and the leaked information was completely fictitious.
The emergence of platforms like WikiLeaks, which earned their reputation based on whistle-blowers like Edward Snowden, can provide a cover for these kinds of attacks.