We’re only two months into a new year and already hundreds of millions
of personal records have been compromised, including 123 million employee
and customer records from sporting retailer Decathlon and another 10.6
million records of former guests of MGM Resorts hotels.
These announcements followed fuel and convenience chain Wawa’s revelation that it was the victim of a nine-month-long breach of
its payment card systems at 850 locations nationwide.
In addition, Microsoft earlier this month said a data breach
spanning 14 years exposed 250 million of its customer records.
Data breaches have become so common that experts agree it isn’t a
matter of if, but rather when a company will become a victim. A recovery
plan therefore should focus on how to deal with a breach of
employee/customer/client data, how to handle a ransomware attack, and what to do to make sure exploits are plugged so that additional hackers don’t use the same ones again.
In the case of the Wawa breach, hackers claimed on dark websites such as fraud bazaar Joker’s Stash that they had 30 million records for sale. Whether that was true or not highlights the likelihood that there may be far more exposed data than even hackers can handle.
Big Data Haul
The data that typically is stolen can vary, but in the case of the
MGM the breach included full names, home addresses, phone numbers, emails
and even dates of birth. For the Decathlon breach the information
included unencrypted passwords, employment contract information,
Social Security Numbers and working hours.
The MGM breach did not include credit card data, however.
“It’s important to realize that no payments data was involved in this
particular incident,” said Gary Roboff, senior advisor at
The Santa Fe Group.
However, “the effects of this hotel data leak may be even more
insidious than some expect,” warned Mike Jordan, vice president of
research at risk management firm
Shared Assessments.
The last big breach of a hotel occurred in 2018 when Marriott was
compromised, but that wasn’t really a profit-driven breach.
“It was attributed to alleged China-sponsored attackers for the
purposes of intelligence and perhaps ultimately coercion,” Jordan told
TechNewsWorld.
State Actors
One other factor contributing to the sheer number of breaches is that they aren’t
always conducted by cybercriminals, as in the Marriott example.
“Statecraft by intelligence organizations often relies on basic
information such as how and where to find people,” explained Jordan.
“Getting this information in bulk or using it to verify existing data
is a key component to building an effective intelligence program,” he
added.
“This information leak would be quite useful for those purposes,
considering there are some particularly wealthy patrons on that list,”
noted Jordan.
Because the MGM information was posted to a public forum, it is
very unlikely that the perpetrators were the same as those responsible
for the Marriott breach.
“However, this information could be just as useful to malicious
parties, and more of them now have access to it,” suggested Jordan.
Supply and Demand
As a result of these breaches, it seems that a vast amount of data is being
offered for sale on the dark Web — almost to the point that the big
data is getting too big for cybercrooks to handle.
“Based solely on the law of supply and demand, the cost of a record
has dropped significantly,” said Matt Keil, director of product
marketing at
Cequence Security.
“There are huge breaches still being revealed regularly,” warned Jim
Purtilo, associate professor of computer science at the
University of
Maryland.
“Remember that just because your data are exposed once doesn’t mean
every miscreant has it. More breaches place your data in more hands,
meaning there are just that many more opportunities for some criminal
mind to do something with it,” he told TechNewsWorld.
The issue is what the data contains, said James McQuiggan, security
awareness advocate at
KnowBe4.
“People need to consider that their information is out there, like
Social Security Numbers, names, emails and passwords and addresses,”
he told TechNewsWorld.
“It’s important for folks to monitor their credit and accounts, along
with being vigilant towards emails they receive,” McQuiggan added.
“While they can’t ignore all of their emails, they need to verify if
something is too good to be true or suspicious.”
Cybercriminals tend to be highly inventive when it comes to finding profitable ways to use stolen data.
“In the hands of a motivated bad actor, this data can be used in an
account takeover attack against MGM itself and — based on the
propensity to reuse passwords — against other resorts,” Keil told
TechNewsWorld.
“If successful, the value then becomes significantly greater because
the bad actor will then be able to steal or use reward points,” he
added. “The resultant fraud is an added expense to MGM, and longer
term, impacts their users negatively. Statistics show that customers
are far more likely to use a different vendor when their personal
information is stolen.”
The Evil Lottery
Following the breaches at Equifax, the government’s Office of Personnel
Management and Target, as well as countless other cyberattacks, it is very likely
that most Americans have had some personal data exposed in recent
years. The good news is that in many cases there is so much data that
much of it won’t be used by the bad guys.
That doesn’t mean we shouldn’t be worried.
“We have become immune to the regularity of data breaches,” suggested Keil.
“No longer do we see the outrage and backlash that occurred with the
breaches of yesteryear — aka Target.”
Right now it isn’t a question of if or really even a question of when,
but more likely how frequently our data could be exposed. We all could be participants in an “evil lottery.” Instead of winning a jackpot, we’re singled out for the unpleasantness that comes with our data actually being used by the bad guys.
That’s unfortunately true, said Shared Assessments’ Jordan.
“Our data is of value for targeting individuals using currently legal
and illegal means — data is a raw material commodity like copper or
soybeans that needs refining,” he explained.
Due to changes to our information over time, data has a shelf life, Jordan noted, “so new breaches are needed to keep their data valuable.”
Breach and Repeat
Many security breaches occur because they are easy to pull off. All
too often companies see data theft as an added cost of doing business. Even
seemingly “public” information can have value.
“It isn’t my intention to draw a road map for how to do this, but
exposing just an address and DOB can be problematic enough,” explained
University of Maryland’s Purtilo.
“Someone who acquires those in a smash and grab on some site can flip
them for some trivial amount per record and move on — it’s not quite
free money, but close to it,” he said.
A harsher impact occurs when the data is aggregated in the hands of someone with patience.
“One’s address and DOB are sufficient to open all sorts of innocuous
accounts in someone’s name, which creates a thin backdrop of
credibility for when the hacker goes “pretexting” or pretending to be
that person for purposes of persuading a utility company, financial
firm or medical provider to reset an account for the identity thief,”
Purtilo explained.
The result is that in very short order a legitimate data owner will
find himself locked out of services while the hacker picks him clean.
“The more data spilled in a breach, the less of a story must be
manufactured in order persuade firms to give away your goods, but even
a little data can be exploited when blended with patience,”
said Purtilo.
It is no small task for cybercriminals to pull this off either.
Unlike what movies and TV shows suggest, it isn’t a matter of instantly
turning the data into bitcoin — it takes real effort to make the data
worth something without alerting the authorities.
“Figuring out how to test the accuracy of pilfered identity
credentials but without triggering an alert at a credit reporting firm
becomes a real art,” said Purtilo. “An identity thief can work all
around the periphery of someone’s digital profile creating a backdrop
before going in for a more upscale breach at some financial firm.”
Beyond Breaches
There are other significant cyberthreats that are unlikely to stop,
so recovery unfortunately has become the next best course of action.
“There is so much money being made in ransomware attacks that the
attackers can afford to creatively develop and test new ways to attack
organizations,” said Erich Kron, security awareness advocate at
KnowBe4.
“The costs of phishing attacks — about (US)$65 to send 50,000 phishing
emails from Dark Web operators — is so low, has such a low risk of
being caught, and has such a high payout, that it is nearly impossible
for cybercriminals to resist,” he told TechNewsWorld.
These attacks have proven themselves over decades and have mastered
the ability to manipulate human behavior, added Kron.
“The key to avoiding these attacks is training people how to spot them
and report them within the organization,” he suggested. “They also
need to monitor traffic in and out of the network, looking for
sensitive data or unusual traffic patterns. In addition, data at rest
should be encrypted wherever possible to minimize the risk of
sensitive data that is being leaked, even if it is exfiltrated.”
Technology Fighting Back
Fortunately there are now simple, yet effective, methods to help make
some of the data worth less to hackers, if not exactly worthless. Two-factor authentication can render many of the exposed passwords
useless, while security features are being added to payment solutions.
“Since chip cards were finally introduced in this country, we’ve
seen a sharp decrease in the amount of useable credit and debit card
information captured at the physical point of sale,” The Santa Fe Group’s Roboff told
TechNewsWorld.
“The use of dynamic payments data generated by EMV-compliant cards and
the increased use of payments tokens online — and biometrics to
authenticate users initiating token-based payments on Apple and
Android devices — has helped reduce payments fraud,” he added.
However, the best solution may be better practices on the part of individuals.
“Users need to take more control, paying closer attention to their
password hygiene. Move to using a password manager for all uses, not just
the important ones,” added Cequence Security’s Keil, “and wherever
possible, two-factor authentication should be enabled.”
Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.