The year 2017 will be remembered for a series of serious data breaches. One of the most noteworthy events of the second half of the year is the attack on Equifax, one of the three major US credit bureaus.
The organisation kept silent for several months. Finally, Equifax reported the data theft, which affected more than 140 million people. Equifax's responsibility and its initial silence are still being discussed. For now, American authorities have no regulations in this regard and only recommend that companies notify customers about data leaks.
However, this situation may change soon. In January, a bill was introduced that sets fines for companies that have allowed data leaks. According to the bill, a data breach similar to the Equifax hack would cost more than $1.5 billion in fines. Even if such a law is approved, it will not change the fact that the stolen data has already fallen into the hands of bad actors.
In this article, we will look at how leaked information is used by hackers and what measures can be taken to reduce the damage.
What happens to leaked data
In 2016, the security company Bitglass presented the results of its study "Where is your data?" To track how stolen personal information gets into the hands of fraudsters, the company simulated a data leak at a fictional bank. In the Bitglass scenario, an employee's mistake leaked an internal corporate document containing 1,500 employee accounts. The fake information that leaked onto the dark web had been marked by Bitglass, which allowed them to determine the IP addresses and countries of residence of potential buyers.
The company found that within just a few days of the leak, the data had spread to more than 20 countries on different continents. 10 per cent of the new owners of the "stolen" information tried to log into Google services using passwords listed in the fake document. Within the first week, intruders made on average five daily attempts to enter the fictitious bank's internal portal. Thus, this experiment once again confirmed that personal and corporate data is in high demand among cyber crooks, and that there is an extensive international market trading such data.
The Equifax case has been called "the worst leak of all time". It included all the basic documents that people use: social security numbers, credit cards, and driving licences. In the wake of the incident, it was predicted that the data would soon appear on the dark web. Sometimes, information reaches the market within several months of the leak.
The first reports from victims of the leak began to arrive only recently. Hundreds of victims are going to sue Equifax. One woman interviewed by CBS News said she was receiving bank notifications about spending on a credit card she did not even use. The bad guys were shopping extensively on behalf of the victim, and she had to deal with blocking the purchases and requesting refunds. Her bank was very slow in compensating the lost money.
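The Bitglass experiment above works because the leaked document contains records that are fake but distinctive, so any later use of them can only have come from the leak. The following is an added example of that idea, not code from the article or from Bitglass: it seeds a document with canary accounts whose passwords are derived from a secret, then scans portal login logs for attempts against those accounts and reports attempts per source address and per day, the two figures the study reported. The log format, the account prefix and the sample log lines are all constructed for the example.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime

# Assumption: a per-deployment secret that never appears in the seeded document.
# Canary passwords derive from it, so they cannot be guessed, only copied from the leak.
CANARY_SALT = b"replace-with-random-secret"


def make_canary_accounts(prefix="svc-audit-", count=5):
    """Return {username: password} for fake accounts to embed in the decoy document.
    These accounts must never be valid logins; their only job is to be recognised."""
    accounts = {}
    for i in range(count):
        user = f"{prefix}{i:03d}"
        accounts[user] = hashlib.sha256(CANARY_SALT + user.encode()).hexdigest()[:16]
    return accounts


# Constructed portal log format (not a real product's): ISO timestamp, user, source IP, result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_canary_hits(log_lines, canaries):
    """Return every login event (successful or not) that names a canary account."""
    hits = []
    for line in log_lines:
        event = parse_line(line)
        if event and event["user"] in canaries:
            hits.append(event)
    return hits


def summarize(hits):
    """Attempts per source address and average attempts per calendar day with activity."""
    by_src = Counter(h["src"] for h in hits)
    days = {h["ts"].date() for h in hits}
    per_day = len(hits) / len(days) if days else 0.0
    return {"total": len(hits), "by_src": dict(by_src), "per_day": per_day}


# Constructed sample log: two real users plus attempts against canary accounts from two addresses.
SAMPLE_LOG = """
2017-10-02T08:12:03 login user=alice src=10.0.0.5 result=ok
2017-10-02T09:40:11 login user=svc-audit-001 src=198.51.100.7 result=fail
2017-10-02T09:40:19 login user=svc-audit-002 src=198.51.100.7 result=fail
2017-10-03T01:15:42 login user=svc-audit-001 src=203.0.113.9 result=fail
2017-10-03T01:16:00 login user=bob src=10.0.0.8 result=ok
2017-10-04T22:03:55 login user=svc-audit-004 src=198.51.100.7 result=fail
""".strip().splitlines()


if __name__ == "__main__":
    canaries = make_canary_accounts()
    hits = find_canary_hits(SAMPLE_LOG, canaries)
    print(summarize(hits))
```

Because the canary usernames never belong to real staff, a single match is a high-confidence signal that the decoy document has been read by an outsider, and the source addresses give the same kind of lead the study used to locate buyers.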
Leaked data prices
In the language of hackers, records leaked from Equifax are called "Fullz", that is, a complete set of data. The approximate value of the database exceeds $32 million. At the same time, the price of a specific person's information may differ depending on factors such as credit history and bank account balance.
Brian Krebs, an investigative journalist, describes the way hackers sell stolen information. He says he found several huge underground forums that attackers use to trade stolen credentials and passwords. Anyone registered with these forums may buy someone else's personal information for a relatively small amount of money paid in cryptocurrency. But not everyone is admitted: you need an invite.
One member of the popular underground forum discovered by Krebs earned $288,000 in the first seven months of 2017, selling accounts at an average of $8.19 per ID to roughly 9,000 customers. At the same time, forum admins collected half of all revenue in commissions. Thus, the average cost of credentials on that forum is approximately $15. As Krebs found out, the service prices each set of credentials based on the victim's credit rating. Information on people with a good credit history costs up to $150.
According to Quartz data, similar credentials were priced at $20 in 2015. So, after three years, the price of personal data as a commodity has decreased by 25 per cent. Experts are sure this drop was caused by competition between sellers.
What do we have in the end?
Soon after the data breach, Equifax created a separate portal where clients may check whether their data was compromised. To do this, you need to enter your last name and the last six digits of your social security number.
The company also waived credit freeze fees and offered free credit monitoring for one year. This step should prevent the use of the information by crooks for a year.
In December 2017, Umpqua Bank, which has about 300 branches in five western states, arranged a "Credit Freeze Day" in connection with the Equifax hack, encouraging clients to freeze their credit files. A freeze prevents hackers from opening new accounts in the victim's name. However, it will not help if someone tries to file a tax refund on behalf of the victim or tries to use someone else's health insurance without the owner's knowledge.
It is worth noting that 2017 was a record year for the number of cyberattacks stopped. Nevertheless, no individual or legal entity is fully immune to leaks. According to the US Department of Justice, personal data theft costs each victim about $1,343. Someone really has to be responsible and pay for it.
For now, it takes a long time to get expenses reimbursed by a bank or by the company that allowed your data to leak. Therefore, we hear more and more about tightening liability for data leaks.
New measures to protect users from the consequences of data breaches should be taken. For example, it is planned to introduce corporate insurance plans that will cover possible losses.
Either way, insurance does not stop intruders from trying to use stolen data. I recommend that everyone take care of their own protection. It is important to implement two-factor authentication, use a password manager and avoid reusing the same password on different sites and services. It is good to use a separate email address solely for financial needs. The Equifax website also has a list of recommended actions, including regularly checking bank statements, physically destroying all unused documents containing personal information, and storing current documents safely.
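Two-factor authentication is recommended above because a leaked password alone is then not enough to log in. As an added example, not code from the article or from Equifax, here is the server-side half of the most common form, time-based one-time passwords (TOTP, RFC 6238 built on HOTP, RFC 4226), using only the Python standard library. The verification accepts one 30-second step of clock drift in either direction and refuses to accept a code for a time step that has already been used, so a code captured from the victim cannot be replayed. The shared secret and the replay-state dictionary are assumptions for the example; the test vectors are the published RFC ones.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key: bytes, code: str, last_used: dict, user: str,
                for_time: float = None, step: int = 30, digits: int = 6,
                window: int = 1) -> bool:
    """Accept `code` if it matches the current step or one within +/-`window` steps,
    and that step is later than the last step this user already authenticated with.
    `last_used` is an assumed per-user store of the highest accepted step (replay guard)."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time) // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        # Constant-time compare so the check does not leak how many digits matched.
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            if candidate <= last_used.get(user, -1):
                return False  # same or older step: replay
            last_used[user] = candidate
            return True
    return False


if __name__ == "__main__":
    # Assumed shared secret for a demo user; in practice it is random and stored per user.
    secret = b"12345678901234567890"
    state = {}
    now = time.time()
    code = totp(secret, now)
    print("code:", code, "accepted:", verify_totp(secret, code, state, "alice", now))
    print("replayed:", verify_totp(secret, code, state, "alice", now))
```

The replay guard is what makes the second factor hold up against a phished or shoulder-surfed code: even a correct code is rejected once its time step has been consumed.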
Gaby Pobaschneg, owner, Macsecurity.net
Image source: Shutterstock/Carlos Amarillo