Individually or as a business, many have fallen victim to a data breach, and such security breaches hit the headlines regularly: the large Virgin Media data breach; the British Airways £20 million data breach fine; the EasyJet cyberattack affecting 9 million customers. As we spend more time online, so does our personal information, which we give away every day. Cybercriminals can make a decent living from stealing and selling that information.
Data breach violations can have lasting complications, both financially and mentally. So, how much do you know about such security incidents? We’ll guide you through some of the more common questions and advise you on how to act if you fall victim.
A data breach occurs when private and confidential information is accessed, viewed, destroyed, or stolen (and potentially sold on) without authorisation from the relevant person or organisation. Data breaches can happen through cyber criminals hacking into a system; scams on businesses and individuals; the use of weak passwords; theft of hardware, such as a laptop that stores unencrypted data; searching rubbish for personally identifiable information, such as a credit card bill that was not shredded; or documents left in public places.
Data breaches can include information from which you may or may not be identifiable: a person’s email address and password, account login details, passport or driving licence details, credit or debit cards, bank accounts and much more. Following a data breach, documents such as a passport can be forged from the stolen data. In the worst case, as a result of a data breach your whole identity could be stolen and used by another person.
There are a number of ways that your data can be accessed, either accidentally or by targeted attacks.
With better online access, more people are working from home, and opportunistic cyber burglars are rife. At times, human error is the cause of a data breach, such as a mobile phone, laptop or documents left on a train, or stolen from a car or home. If a stolen device isn’t password protected or encrypted, a thief can easily retrieve the data on it. An email containing personal details sent to the wrong recipient(s), or an employee copying or altering data, would also be considered a violation, because the recipient does not have authorisation to view it.
Not all data breaches involve your data being accessed online; cyber criminals are resourceful in collecting information. Debit/credit card skimming (aka card cloning) happens when an electronic device is used to copy your card information. This happens predominantly at an ATM, but also occasionally in-store if a device has been fitted to a card reader.
Cybercriminals can access databases by using malware. Malware can exploit out-of-date device security, allowing the hacker an ‘open window’ into a system. Viruses can be installed by clicking on a fraudulent link or visiting a compromised web page. This gives the hacker a ‘window’ into the network to steal data, money or identities, and even to create new accounts in the victim’s name.
Social engineering is a form of psychological manipulation, not unlike the methods of a con artist. It works by dishonestly building trust with someone; people are often seen as an easier weakness to target than the computer system itself.
In the UK, companies are required to report certain security breaches to the relevant organisation, namely the ICO (Information Commissioner’s Office), within 72 hours of discovering the breach.
Not all breaches need to be reported. Once the situation has been thoroughly assessed, if it poses no risk to people, their rights and freedoms, then the organisation may not need to inform the ICO. The ICO and the FCA (Financial Conduct Authority) do, however, have the power to fine businesses that have not taken adequate steps.
The ICO has a brief bullet-point list, outlined below, on their site, along with further detailed actions should they be required:
Databases from large organisations are attractive to cybercriminals due to the volume of information they can obtain in one action. There have been some prominent attacks on well-known organisations over the last few years.
In November 2019, 1.2 billion records were discovered by dark web researcher Vinny Troia. Listed were people’s names, email addresses, linked social media accounts, and job titles. Troia said the data was easy to find and easily accessible, and he could not confirm whether others had viewed or downloaded it before his discovery. Indications were that one of the sources of the information was PDL (People Data Labs), but PDL stated that they did not own the server, and researchers subsequently confirmed that this was likely true.
The Virgin Media data breach happened after a marketing database was left accessible from April 2019 until their announcement in March 2020. Up to 900,000 people were affected by the data leak. Virgin Media said the leak was not due to a cyberattack, but to an ‘incorrectly configured’ database.
A catastrophic and sophisticated cyberattack, in January 2020, saw nine million customer records stolen in an EasyJet data breach. Detailed personal information was taken in this instance, such as names, addresses, travel dates, destinations and even credit card details in some cases.
British Airways suffered an attack in which 420,000 people’s personal details were taken. Between August and September 2018, names, addresses, and credit and debit card details (including the CVV) were amassed. The ICO later fined British Airways £20 million for ‘poor security arrangements’.
Morrisons is another prominent organisation to have suffered a data leak. In 2014, a disgruntled employee leaked payroll details of approximately 100,000 members of staff and simultaneously notified the newspapers. The employee had initially held legitimate access to the data but bore a grudge against his employer and wished to seek revenge for a verbal disciplinary. The employee was jailed for his role.
Selling stolen data on the dark web is a lucrative business for cybercriminals. Data can fetch anything from a few cents to hundreds of dollars. Price estimates vary significantly, not only because some details are worth more than others (e.g. a set of full banking details versus a Netflix account), but also because of how easily each can be turned into money.
Researchers from Privacy Affairs conducted a dark web investigation to see what various pieces of information are for sale, and at what price.
| Item for sale | Price |
|---|---|
| Hacked Facebook account | $74.50 |
| Hacked Gmail account | $155.73 |
| Stolen PayPal details | $198.56 |
| Driving licence (US), dependent on quality | $70 - $550 |
| Passport (US, Canada, Europe) | $1500 |
| Full medical record | $1000 |
| 1,000 followers/likes on Instagram | $7 |
| Cloned Visa card with PIN | $25 |
| Bank account logins, min $100 balance | $35 |
| Malware | $70 - $6000 |
The above table doesn’t list everything that can, and will, be sold on the dark web, but it serves to show a small selection of how valuable a portion of your data can be.
As an individual, you cannot prevent a large-scale cyberattack on an organisation, but you can step up your personal security. Be aware that anyone who uses any type of internet-connected device, from your children to your business, is at risk from hackers. Checking to see if your personal information is for sale is the best way to protect yourself.
If a company has suffered a data breach, and the data is at high risk of exploitation, it has a duty to inform the ICO and, immediately, any individuals who may be affected by the breach. If organisations fail to do so, the ICO has the power to fine companies up to £8.7 million or 2% of global turnover.
Act quickly! If a company contacts you to say they have had a data leak, there are a number of things you should do:
If you have been a victim of a data breach, your personal information could be used by cyber criminals for years. Ongoing monitoring is the best way to know whether you are still at risk and which of your information remains exposed.
Your FREE Notty Account helps you Find, Protect and Profile your online self.