What Is A Data Breach?
Individually or as a business, many of us have fallen victim to a data breach, and such security breaches hit the headlines regularly: the Virgin Media data breach; the £20 million British Airways data breach fine; the EasyJet cyberattack affecting nine million customers. As we spend more time online we hand over more of our personal information every day, and cybercriminals can make a decent living from stealing and selling it.
A data breach can have lasting consequences, both financial and emotional. So, how much do you know about such security incidents? We'll guide you through some of the more common questions and advise you on how to act if you fall victim.
Data breaches explained
A data breach occurs when private or confidential information is accessed, viewed, destroyed, or stolen (and potentially sold on) without the authorisation of the person or organisation it belongs to. Breaches happen in many ways: criminals hacking into a system; scams targeting businesses and individuals; weak or reused passwords; theft of hardware, such as a laptop holding unencrypted data; bin-raiding for personally identifiable information such as an unshredded credit card bill; documents left in public places.
The data involved may or may not identify you directly: an email address and password, account login details, passport or driving licence details, credit or debit card numbers, bank account details and much more. Stolen details can be used to forge documents such as a passport. In the worst case, your whole identity could be taken over and used by another person.
How is a breach accomplished?
There are a number of ways your data can be accessed, whether accidentally or through a targeted attack.
With more people working from home, opportunistic thieves have more to aim at. Human error is often the cause: a phone, laptop or set of documents left on a train, or stolen from a car or home. If a stolen device is not protected by a strong passcode and full-disk encryption, whoever has it can simply read the data off it. An email containing personal details sent to the wrong recipient, or an employee copying or altering data they are not authorised to handle, also counts as a breach, because the person now holding the data has no authorisation to view it.
Not all data breaches involve your data being accessed online; criminals are resourceful in collecting information. Debit and credit card skimming (also called card cloning) happens when an electronic device is fitted to a card reader to copy the card's details. It happens predominantly at ATMs but occasionally in-store as well.
Criminals also reach databases using malware. Malware typically exploits unpatched software or out-of-date device security, giving the attacker an open window into a system. It can be installed by clicking a fraudulent link or visiting a compromised web page, after which the attacker can move through the network to steal data or money, take over identities and even open new accounts in the victim's name.
Social engineering is psychological manipulation, not unlike a confidence trick. It works by dishonestly building trust with a person; attackers often find people an easier target than the computer systems they use.
Our FraudWeb searches data breaches and more for:
- Emails
- Postal address
- Bank accounts
- Credit card
- Phone number
- Online logins
- National Insurance number
- Passport number
- Driving licence
What do companies need to do if they discover a security breach?
In the UK, organisations are required to report certain personal data breaches to the relevant supervisory authority, the ICO (Information Commissioner's Office), within 72 hours of becoming aware of the breach.
Not every breach has to be reported. Once the incident has been assessed, if it is unlikely to pose a risk to people's rights and freedoms, the organisation may not need to inform the ICO. The ICO, and for financial firms the FCA (Financial Conduct Authority), do however have the power to fine businesses that have not taken adequate steps to protect data.
The ICO's own site carries a brief summary, reproduced below, along with more detailed guidance on the actions required:
- The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals or both.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
Data breach examples
Databases held by large organisations are attractive to cybercriminals because of the volume of information that can be obtained in a single action. There have been several prominent incidents at well-known organisations over the last few years.
In November 2019, dark web researcher Vinny Troia reported finding 1.2 billion records exposed on an openly accessible server. The records listed people's names, email addresses, linked social media accounts and job titles. Troia said the data was easy to find and easily accessible, and that he could not confirm whether others had viewed or downloaded it before his discovery. Indications were that one source of the information was PDL (People Data Labs), but PDL stated it did not own the server, and researchers subsequently confirmed this was likely true.
The Virgin Media data breach happened after a marketing database was left accessible from April 2019 until the company's announcement in March 2020. Up to 900,000 people were affected. Virgin Media said the leak was not the result of a cyberattack but of an 'incorrectly configured' database.
A cyberattack in January 2020 saw nine million customer records stolen in the EasyJet data breach. Detailed personal information was taken, including names, addresses, travel dates and destinations, and in some cases credit card details.
British Airways suffered an attack in which the personal details of roughly 420,000 people were taken. Between August and September 2018, names, addresses, and credit and debit card details (including the CVV) were harvested. The ICO later fined British Airways £20 million for 'poor security arrangements'.
Morrisons is another prominent organisation to have suffered a data leak. In 2014, a disgruntled employee leaked the payroll details of approximately 100,000 members of staff and simultaneously tipped off the newspapers. The employee had legitimately held access to the data but bore a grudge against his employer and sought revenge for a verbal disciplinary. He was jailed for his role.
What could happen to my stolen data?
Selling stolen data on the dark web is a lucrative business for cybercriminals. A single record can fetch anything from a few cents to hundreds of dollars. Price estimates vary significantly, not only because some details are worth more than others (a set of full banking details against a Netflix account, say) but also because of how easily each can be turned into money.
Researchers from Privacy Affairs conducted a dark web survey to see what pieces of information are for sale and at what price:
Item | Price
Netflix account | $0.50
Hacked Facebook account | $74.50
Hacked Gmail account | $155.73
Stolen PayPal details | $198.56
Driving licence (US), dependent on quality | $70 - $550
Passport (US, Canada, Europe) | $1,500
Full medical record | $1,000
1,000 followers/likes on Instagram | $7
Cloned Visa card with PIN | $25
Bank account login, minimum $100 balance | $35
Malware | $70 - $6,000
The table does not list everything that can be, and is, sold on the dark web, but it shows how valuable even a small portion of your data can be.
Can I prevent a data breach?
As an individual you cannot prevent a large-scale cyberattack on an organisation, but you can step up your own security. Be aware that if you use any kind of internet-connected device, from your children's tablets to your business laptops, you are a target.
Checking whether your personal information is already for sale is one of the best ways to find out how exposed you are.
- Use a safe and secure way of monitoring whether your details are available to criminals, such as our Fraudweb Lite or Fraudweb Full.
- Keep all software up to date. Many updates contain security patches for vulnerabilities that are already being exploited.
- Install McAfee Total Protection on your devices through your Notty account. This helps to protect your devices against common malware.
- Use a different password for every site and account. Combine upper and lower case letters, numbers and special characters, and the longer the better: an 8-character password can be exhausted in under a day by a GPU cracking rig when it is stored with a fast hash such as MD5 or NTLM, so treat eight characters as a floor, not a target. McAfee Total Protection includes a password manager that stores your passwords for you, so you do not have to rely on memory.
- Where possible, turn on two-factor authentication (a form of multi-factor authentication). This adds a second check beyond the password when you sign in, such as a code from an authenticator app, a hardware security key, or a fingerprint or face scan on your device.
- Monitor bank statements and credit reports regularly for unusual activity or unfamiliar transactions you did not make.
- Check that a site's address begins with 'HTTPS' rather than 'HTTP'. The 'S' means the connection is encrypted and the site holds a certificate for the domain in the address bar; it does not mean the site itself is honest, since phishing sites use HTTPS too, so check the domain name as well.
- With your Notty account, take advantage of the free dark web searches we perform to see whether any of your details are for sale. We do not put your details on the dark web in the process of searching, and if your details are found we notify you and tell you what to do next.
- Never click suspicious links in emails, and never give out full passwords, PINs or card details over the phone. Reputable companies will not ask for these by email or telephone.
Don't be a victim! Stay ahead, don't be tangled in a Notty!
What should I do if I’m a victim of a breach?
If a company has suffered a data breach and the data is at high risk of being exploited, it has a duty to inform the ICO within 72 hours and to tell affected individuals without undue delay. If an organisation fails to do so, the ICO has the power to fine it up to £8.7 million or 2% of global turnover, whichever is higher.
Act quickly! If a company contacts you to say it has had a data leak, there are a number of things you should do:
- The main thing is to stay aware of what is happening with your data after a leak, because it is now available for criminals to use. Fraudweb Full monitors a full range of your personal information, including credit and debit cards, passport details, driving licence, logins, passwords, bank accounts and more, with ongoing searches for any sign your information is being used and alerts if anything is found.
- Monitor your bank accounts and credit reports for at least a few months. If there are suspicious transactions on your bank or credit card statement, contact the bank immediately.
- If you start to receive cold calls claiming to be from the company, ask the caller to confirm details about your account, such as the monthly cost of a service or the date of your direct debit. If in doubt, end the call and ring back on a number you look up yourself rather than one the caller supplies, and use a different phone where possible so you are not still connected to the caller's line.
- If the data loss causes distress or financial harm, you may have a case for compensation. Lodge a complaint with the company that suffered the breach and also inform the ICO. The ICO cannot award compensation, but a complaint lodged with them may add weight to your case.
If you have been the victim of a data breach, your personal information could be used by criminals for years. Ongoing monitoring is the best way to know whether it is, and what information is still at risk.
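Added example, not Notty's own code or service: how a breach-check service can answer "is this password in a leaked corpus?" without ever receiving the password, which is the property the article's "we do not put your details on there" promise is really about. This is the k-anonymity range-query pattern used by public password-exposure services: the client hashes locally, sends only the first five hex characters of the SHA-1, and matches the remaining 35 characters itself. The leaked-password corpus and its counts are constructed for illustration, and every function name is mine.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus of leaked passwords with occurrence counts.
# A real service holds hundreds of millions of entries; this is tiny
# and purely illustrative.
LEAKED_PASSWORDS = {
    "password": 9_000_000,
    "123456": 23_000_000,
    "letmein": 280_000,
    "qwerty": 4_000_000,
    "P@ssw0rd": 100_000,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (40 characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: dict) -> dict:
    """Server-side index: 5-char hash prefix -> {35-char suffix: count}.
    The server stores hashes only, never the plaintext passwords."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


PREFIX_INDEX = build_index(LEAKED_PASSWORDS)


def range_query(prefix: str) -> list:
    """Simulated server endpoint. It accepts only a 5-character prefix
    and returns every (suffix, count) sharing it, so the server learns
    at most that the client's hash is one of 16^35 possibilities."""
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return sorted(PREFIX_INDEX.get(prefix, {}).items())


def check_password(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix
    locally. Returns how often the password appeared in the corpus
    (0 means it was not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for cand_suffix, count in range_query(prefix):
        if cand_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    for pw in ("password", "letmein", "correct horse battery staple"):
        n = check_password(pw)
        verdict = f"seen {n:,} times, do not use" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

A production service would pad every response to a fixed size, since the response length otherwise tells a network observer how many entries share the prefix, and the same prefix trick works for any secret you want to look up (an email address, a card number) without disclosing it in full to the service doing the lookup.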
Your FREE Notty account helps you find, protect and profile your online self.