This is part one of our "Personal Cybersecurity" series of informational articles designed to help people stay safe and secure in their everyday lives, with respect to information systems.
Bad people are after your data
It's common knowledge that companies share your information, sometimes involuntarily, resulting in what is known as data breaches. Essentially, when you engage with an organization, you expect your data to be used appropriately. A breach occurs when someone steals your data for unauthorized purposes. The alarming fact is that the frequency of these breaches is on the rise. In 2023, the reported number of data breaches increased by 78% compared to 2022, affecting an estimated 353,027,892 individuals. Ultimately, it's clear that malicious individuals are targeting your data.
Who would do such a thing?
Most security breaches can be attributed to groups known as Advanced Persistent Threats or APTs. These are skilled hacking groups, and the term "APT" is fitting. They are advanced due to their expertise and resources, enabling them to target organizations of any size. They are persistent because of their ongoing success, earning them intriguing names like Scattered Spider. Their persistence often involves operating from countries without extradition agreements or being good at not getting caught. The threat should be fairly obvious.
While not every breach is perpetrated by an APT, they do represent the top of the food chain if we ignore state-sponsored and nation-state threats, which we will, as they don't fit the purpose of this article.
Small fish, big data
By itself, your data is not that attractive. You're a small fish in a big pond. In nature, swimming as a school of fish serves to reduce risk. In data, the larger the group, the more attractive the target. In the case of your data, it's probably part of many schools of fish. Each electronic account you have represents another school of fish to which your data belongs. And unfortunately your data is often sold to other organizations, so add to that list an unknowable number of targets for those threats to go after. Your data is everywhere.
The truth is that your data has probably already been compromised. And it's very likely that you don't know about it. Data breach notification laws have been passed and continue to develop, but not every breach is even identified by the organization that was hit.
Attackers want that bag
These APTs are most often motivated by greed, although in some cases there are other motivations. That might include attempting to force a business to shut down or just dumping the information for the heck of it. They've gotten good at monetizing their abilities in compromising systems and data. Those that compromise large quantities of data usually get paid in a couple of ways.
The most effective way to turn data into money is ransomware. Instead of breaking in and attempting to run with the bag (large quantities of marketable data), they encrypt it. In other words, they make the data unusable without first unlocking it with a key only they possess.
The second way a threat will make money off your data is by breaching your data.
There is also the increasingly common intersection of the two, where the data is copied and breached and then the original copy is encrypted, allowing them to double dip.
When data is held for ransom, the organization that owns the data becomes the target of the extortion. Essentially, your data becomes a hostage in this situation. The organization can either attempt to recover the data internally or opt to pay the attacker. If, by any chance, the organization chooses not to take either of these actions, you may be requested to provide your information again. Your direct risk level is minimal unless it impacts the services you rely on from the organization, as the data is well-protected. The attacker has essentially locked your data in a secure safe that even authorized personnel cannot access, unless they managed to copy and steal it beforehand.
Regardless of whether your data was part of a ransomware attack or not, if it was copied and breached then you (or your identity) are the target.
Deep Web Marketplaces
Your data is valuable because it can be used to commit fraud. This could be insurance fraud, tax fraud, credit/loan fraud, and a million other ways to use someone's identity to commit crime. With that said, those that pull off the data breach aren't always the ones to take the next step and fraudulently use your data. Sometimes it's just easier to sell data in bulk, and let others buy and criminally misuse it.
If you've heard of the deep web, then you can probably imagine deep web marketplaces. The deep web consists of places you can access across the internet that are not indexed, meaning they won't show up on a conventional search, and often don't have a URL. Deep web marketplaces are places where people sell things in secret. This could be drugs, illicit services, and, you guessed it, personal data.
Stolen data is categorized based on its origin, type, or industry relevance and sold using cryptocurrency to help hide the transactions from scrutiny. If you've seen the movie Emily the Criminal, you've seen a perfect example of credit card information being turned into profit. Social security numbers could be bought for a variety of reasons including opening a bank account, registering for a driver's license, and, well, just imagine all the things you do with your social. You get the picture. Credentials, often your email or login along with the password that you used at the time of the breach, are also bought and sold. Attackers will attempt to use those credentials for other applications and services to see if they can continue to breach your data. If they steal your login and password for Facebook, they might attempt to use that combination for your bank account, as an example.
What can I do?
If you are concerned about a potential data breach and want to find out if your information has been compromised, there are several steps you can take to protect yourself. One of the first things you should do is check if any of the websites or online services you use have reported a breach. Many companies will notify their users if there has been a security incident that may have exposed personal data.
In addition to checking with individual companies, you can also use online tools and services that track data breaches and provide information on whether your data has been compromised. Websites like Have I Been Pwned or DataBreaches.net can help you search for your email address or username to see if they have appeared in any known data breaches.
You should already be monitoring your financial accounts and credit reports regularly for any suspicious activity. If you notice any unauthorized transactions or accounts opened in your name, it could be a sign that your data has been compromised. In terms of monitoring, Have I Been Pwned also offers a service that will let you know if your email shows up in any breaches that they identify.
If you do know or suspect that your data has been breached, you should work to identify whether or not the password for that account was used elsewhere. For instance, if your cell phone service provider notifies you that your data was breached, you should see what your password is for that account, change it, then change any other account where you re-used that password or used a similar password. Then you should reach out to the organization involved in the breach to determine what risks remain and what steps they are taking to remediate the issue and mitigate further harm.
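If you keep your logins in a password manager, the reuse check described above can be run locally against an export instead of from memory. The Python script below is an added example, not part of the original article; the CSV column names, the sample accounts (all constructed) and the 0.8 similarity threshold are assumptions.

```python
import csv
import io
import re
from difflib import SequenceMatcher

# Constructed sample export. The column layout is an assumption, not the
# format of any particular password manager.
SAMPLE_EXPORT = """name,username,password
CellCo,sam@example.com,Sunflower#2021
Bank,sam@example.com,Sunflower#2021
Social,sam.r,sunfl0wer2023!
Email,sam@example.com,q7!Vd-pR2x_Lm9aT
Streaming,sam@example.com,Winter!Coffee88
"""

# Common character swaps people use when "varying" a password.
LEET = str.maketrans("013457@$", "oieastas")


def base_form(password):
    """Reduce a password to its root word so trivial variants compare equal."""
    lowered = re.sub(r"[^a-z]+$", "", password.lower())  # drop trailing 2021!, #7 ...
    return re.sub(r"[^a-z]", "", lowered.translate(LEET))


def load_entries(text):
    return list(csv.DictReader(io.StringIO(text)))


def accounts_to_change(entries, breached_name, threshold=0.8):
    """Return account names sharing or closely resembling the breached password."""
    breached = next((e for e in entries if e["name"] == breached_name), None)
    if breached is None:
        raise ValueError(f"no entry named {breached_name!r}")
    root = base_form(breached["password"])
    reused, similar = [], []
    for entry in entries:
        if entry is breached:
            continue
        if entry["password"] == breached["password"]:
            reused.append(entry["name"])
        # An empty root (e.g. an all-digit password) cannot be compared fuzzily.
        elif root and SequenceMatcher(
                None, root, base_form(entry["password"])).ratio() >= threshold:
            similar.append(entry["name"])
    return {"reused": reused, "similar": similar}


if __name__ == "__main__":
    # Only account names are printed; passwords never leave the process.
    print(accounts_to_change(load_entries(SAMPLE_EXPORT), "CellCo"))
```

Delete the export file once you have the list, since it holds every password in plain text.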
Lastly, consider taking proactive steps to secure your online accounts, such as using strong, unique passwords for each account (through a password manager), enabling two-factor authentication whenever possible, and being cautious about sharing personal information online. By staying vigilant and informed, you can better protect yourself against the risks of data breaches and cyber threats.