How to Reduce Risk After Sensitive Data is Leaked
Stolen secrets flood the modern world. Take, for example, one of the latest data breaches to make big waves: The attack on T-Mobile that allowed a 21-year-old cybercriminal to steal the personal data of more than 54 million customers, including names, birth dates, and Social Security numbers. Current customers weren’t the only ones at risk: many of the stolen records reportedly related to former or prospective customers.
The constant onslaught of data breaches is so exhausting that the term “breach fatigue” has emerged in recent years to describe the public’s growing sense of burnout. Unfortunately, the rising risk from breaches is still very real. Attackers often leverage stolen data to commit more crimes, by breaking into accounts, transferring funds, perpetrating fraud, and more. Often, data stolen from one organization is used to hack into another, as criminals target customer accounts across many platforms and vendors with access to many systems.
While the problem of data breaches can seem overwhelming, the good news is that there are steps every organization can take to reduce risks to their community, even after a breach. In this article, we’ll discuss how criminals use stolen data, and provide practical tips for reducing risk when—not if—sensitive information is leaked to the world.
How Criminals Leverage Stolen Data
According to the 2021 Verizon Data Breach Investigations Report, the vast majority of criminals—around 90%—are motivated by financial gain. Only a very small percentage of cyber criminals are focused on espionage or other motives. For example, recently a well-known cybercriminal gang, ShinyHunters, auctioned off a database which they claimed was stolen from AT&T. Supposedly, the database contained the personal information of roughly 70 million AT&T customers and was peddled at a starting price of $200,000. When AT&T denied that the data had come from them, ShinyHunters told BleepingComputer, “I don’t care if they don’t admit. I’m just selling.”
Let’s take a look at common types of stolen data and what criminals can do with it:
- Passwords: Attackers use stolen passwords to conduct credential stuffing attacks, in which they “stuff” credentials into the login forms of many different unrelated cloud services. Since many people re-use the same password for different sites, often the password for one service will work on another. For example, on the dark web, attackers can buy lists of stolen LinkedIn passwords and then use automated tools to try these passwords in popular e-commerce, banking, email hosting, and other services. Attackers may also use stolen passwords to gain access to an organization’s environment so they can carry out more advanced attacks, such as ransomware, and hold the whole organization hostage.
- PINs: Think back to our T-Mobile and AT&T examples from earlier on. In both cases, account PINs and passwords were exposed, which poses a real threat to any impacted customer. These two pieces of data can allow a scammer to have the SIM card linked to a user’s phone number changed to a new SIM card and device, effectively allowing them to take over phone numbers. This attack, known as SIMjacking, can enable criminals to hijack your phone line, log into your online accounts, and steal two-factor authentication codes sent via SMS or phone. In addition, many people re-use the same PIN for other purposes (including debit card withdrawals, credit card account access, and bank security codes), which makes stolen PINs valuable to criminals seeking access to other accounts as well.
- Social Security Numbers (SSNs) and Tax IDs: Criminals use stolen SSNs to facilitate a wide range of fraud. For example, a criminal might telephone a bank and use a stolen SSN to gain access to account information or make a transfer. Since millions of SSNs have been breached and cannot be changed, organizations are moving away from relying on them as a sole form of authentication—but often, the SSN is used in combination with other information to verify a customer’s identity. Today, criminals use stolen SSNs as leverage in extortion attacks, threatening to publish them unless the targeted organization pays their demand.
- Employee W-2 Forms: Stolen W-2s are gold for cybercriminals, who can use this information to file for unemployment, open credit cards in a victim’s name, collect tax refunds, and more. You’d be surprised how many organizations will fail to notice fraudulent unemployment claims related to people who are still working for them. The larger the company, the easier it is for a few fraudulent claims to fly under the radar.
- Payment Card Information: Payment card numbers often sell for anywhere from $25 to $240 each. These are a quick source of cash for criminals, who can sell them in bulk on the dark web or monetize them by making fraudulent purchases or withdrawing cash. When paired with a matching stolen identity, it can be a big payday!
- Medical Records: Stolen medical records can be worth up to $250 per record on the dark web (we’ve also seen them listed for more). These are considered very valuable since they often include extensive personal details that can be used for financial fraud, prescription drug fraud, identity theft, insurance fraud, extortion, and more.
Tips to Reduce Risk to Your Community
Once confidential data is released, the genie can’t be put back in the bottle—the information is out. However, there are effective steps that your organization can take to minimize the impact of stolen data.
- Shift Away from Knowledge-Based Authentication: Organizations routinely verify the identity of individuals using secrets. You type your password into a login form, provide your Social Security Number over the phone, or share your first pet’s name with a call center. All of these are examples of knowledge-based authentication (KBA). While these systems are easy to set up, they can easily be subverted by criminals with access to the right stolen secrets. Instead, explore alternatives for authentication that don’t rely on static secrets. For example, you can have customers set up authenticator apps on their phones, which you can then use to verify their identity over the phone or online. Many organizations now issue hardware fobs such as the YubiKey for authenticating employees, or set up biometric authentication using fingerprints or facial recognition. While it can take time and training for your community to get used to a new form of authentication, these alternatives are growing in popularity.
- Use Multifactor Authentication (MFA): Instead of relying on one form of authentication, consider combining multiple methods to reduce the risk of an attack. A password may be stolen, but if the user is additionally required to confirm a login request via an app, then this adds an extra layer of defense.
- Deploy a Password Manager: In this day and age, we need passwords for everything, and our brains can only store so much of that information by themselves. Implementing a secure password manager can be a cost-efficient way to help your community resist attacks. With a password manager in place, your team can choose unique, strong passwords without having to remember them all.
- Conduct Regular Phishing Training and Simulations: Criminals often leverage stolen information in their scams. Make sure that your staff are prepared to recognize and resist attacks, even when criminals are armed with powerful information. Be sure to include vishing (voice phishing) training in these simulations. Voice can be tricky, especially when criminals have more information than you might think, allowing them to be particularly convincing.
“Information wants to be free,” wrote writer Stewart Brand. Unfortunately, data breaches can have devastating consequences and perpetuate even more cybercrime. The good news is that by relying less on secrets, and more on strong security technologies, you can protect your organization and your community.
This blog is distributed with the permission of LMG Security. LMG Security is a proud partner of Technium.
At LMG, our singular focus is on providing outstanding cybersecurity consulting, technical testing, training, and incident response services. Our team of recognized cybersecurity experts has been featured on the Today Show and NBC News, and quoted in the New York Times, Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base located around the United States and internationally.