Have you ever wondered what would happen to your data after a Cyber-Attack?

Geoff Green
5 min read · Nov 5, 2021

How to move forward after being affected by a data leak.
by Geoff Green, Myntex Inc. President and CEO

Image by Mohamed Hassan at Pixabay

If you have ever received an email saying your data has been leaked through a cyber-attack, or entered your name into a search engine like Have I Been Pwned only to find you’ve been involved in a data breach (or several), it’s chilling to imagine what this might mean. Typically, people think: Why would anyone want to target me? I don’t have anything to hide.

“Personally identifiable information (PII) is any data that can be used to identify a specific individual. Social Security numbers, mailing or email address, and phone numbers have most commonly been considered PII, but technology has expanded the scope of PII considerably. It can include an IP address, login IDs, social media posts, or digital images. Geolocation, biometric, and behavioral data can also be classified as PII.”

The Fate of Stolen Data

Your data isn’t worth much on its own. Hackers need large volumes of PII to make a profit. According to one cybersecurity researcher, this is a sample of the prices for stolen financial data and social media data on the Dark Web in 2020 and 2021.

Table: The Conversation, CC-BY-ND. Source: PrivacyAffairs.com

Cybercriminals want to make money with this information, although some will just dump data online to improve their reputation. They may hijack your identity and take out a loan or new credit card in your name. They could charge your credit card later for a large amount of money after initially making only small, easy-to-overlook purchases.

Thieves could make a fraudulent claim against your health insurance. They could reach out to your contacts saying you are in a bind and need cash. Your login username and password could be sold to access your bank account.

The Digital Hostage Crisis

Companies are often held for ransom for tens of thousands of dollars. In 2020 the average payment made by organizations caught in a ransomware attack was $84,000 and the cost has likely escalated since then. Many such attacks unfortunately go unreported.

Norton warns against these five types of data breaches and suggests you file an Identity Theft Report if you are a victim:

As is the case globally, Canadian organizations are increasingly being held hostage through cyber incidents, estimated to have cost $2.3 billion in 2019. While writing this post the Newfoundland & Labrador Centre for Health Information, which handles the electronic records for the province, was apparently the target of cyber extortion (October 30, 2021).

Thousands of appointments and procedures have had to be cancelled as a result. It could take months to get the health-care system there back on track. couldn’t confirm if it was indeed a ransomware attack or if patient privacy had been compromised but the Office of the Privacy Commissioner has been contacted.

Roughly half of the US population had their data compromised when Equifax was breached in 2017. It’s just a matter of time before you are a victim if you haven’t been affected by a hack yet. And most people are giving away information that affects their personal security daily. Google knows your location if you have it enabled on your phone. Where you work. What you watch on YouTube. Where you’re eating dinner and when. Run a Google Takeout report to see for yourself.

What happens to my data after it’s been leaked? As money is the motivating factor, your data is stolen to be sold. There are instances of grudge attacks, mischief, ideology and espionage, though these are not the usual reasons for stealing personal information. One such example was the Guardians of Peace gang’s demand that Sony remove the comedy film “The Interview,” about a plot to assassinate North Korean leader Kim Jong-un.

Within a fairly short period of time, data obtained through a breach will likely spread to dozens of countries around the world via the Dark Web. There are thousands of cybercriminal buyers and sellers dealing in data, usually hiding behind Tor, an acronym for “The Onion Router,” which is an open source encrypted network where users can browse the internet anonymously.

The Motherlode

According to Dell, if someone can get the “fullz” on you — everything to assume your identity — it costs just $30 to $45 for your full name, date of birth, address, bank account information and banking credentials.

One of the first things hackers do with your data is scan it for important or valuable information. Then they may look for a broker. Personal information belonging to a government official or a celebrity is more valuable than that of an average person.

Brokers buy credit card information and resell it to carders who max out accounts before they’re blocked. Suspicious transactions are easier to track on credit cards than on debit cards, which makes the latter extremely valuable on the dark web.

If your privacy has been stolen, cyber-security experts suggest taking these steps:

  • Determine what type of information was compromised in the breach
  • Change all affected passwords immediately
  • Contact your bank or credit card company if your payment information has been compromised
  • Find out what assistance the breached company is offering and accept their help; this could be free credit reports or identity theft protection, for example
  • Monitor all your accounts closely
  • Be aware of scams
  • Pay attention to your inbox and be careful what you click, as you could be targeted with phishing emails post-breach
  • Use two-factor authentication when possible

Improving Your Security

Unfortunately, it is still a mystery as to what ultimately happens to your data once it is exposed.

Don’t wait until you learn you have been a victim of a data breach to protect your personal information. Put measures in place to lock thieves out from using that data.

Changes are being implemented already around the world. Banks are starting to add voice authentication. Germany and Spain have started using Video ID as part of a new measure called Know Your Customer (KYC), which is a customer due diligence check. If you wanted to buy a SIM card while in Germany, for example, you would need to do a KYC video ID check, which varies depending on the country, requiring your PII such as your:

1. full name
2. email address
3. home address
4. phone number
5. copy of ID
6. ID number
7. ID expiration date

Forbes says Web 3.0 is the future of data privacy, protecting users with blockchain.

IBM has a definitive guide to ransomware, which is an excellent resource for organizations.

Knowing how to head off attackers in the first place is far more effective than trying to track down what happened to your personal information, often in futility, after the fact.

Geoff Green

CEO | Encryption Expert | Developer — Raves/rants about mobile security & cybersecurity’s audacious misconceptions.