10 biggest data breaches in 2020-2021. Leakage protection.
Data breaches that have happened recently, recent trends, advice from an experienced hacker, new laws, and much more in a detailed article dedicated to personal data on the Internet.
The amount of information required for the operation of modern society is constantly growing. But do we stop to think about the fact that companies and government organizations store our digital copy? Are we sure that this data won’t fall into the hands of malicious actors? Are companies and individuals ready for personal information leaks and what to do if this happens?
In this article I'll talk about the data breach threat, which has reached a whole new level:
- Disappointing statistics
- Personal experience
- 10 sensational examples of data breaches
- What are the responsibilities of companies?
- How to protect against leaks?
You will be able to take a look at the other side of the Internet, where information stolen from us is traded. You will appreciate the scale of the problem and make sure that no company can 100% guarantee the safety of our data.
I will talk about why it is important not to leak your data and present a practical guide for those who want to maximize their personal security and that of their loved ones, or their company.
I was assisted in preparing the materials by a hacker who calls himself Irbis. He was arrested, collaborated with the special services, left his country, stopped criminal activities, and is now sharing his experience to educate others.
Table of contents:
- Some statistics
- 10 examples of data breaches in 2020 and 2021
- How is our data being stolen?
- Main threats in 2021
- Responsibility of companies for safekeeping customer information
- Effective data protection
- Guide for users
- Guide for companies
- How do you know if your data has leaked?
- How to properly protect your data
Some statistics
Over the course of 2020, according to IT Governance, 28,000,000 cases of data breaches were recorded out of more than 20 billion breaches.
Take a look at the map below. Countries with analyzed data breach costs are marked in purple. The lighter the color, the greater the losses companies incurred from data leaks.
Image source – ibm.com
The “leaders” in terms of costs of companies from data breaches in 2020 are the United States, Canada, and the countries of the Middle East. In these countries, the average cost ranged from $4.5M to $8.64M.
Further, we will analyze in more detail what this amount consists of. In the meantime, I would like to draw your attention to the industries that are most affected by the actions of cybercriminals stealing or illegally “leaking” data.
The video, based on information published by ibm.com, shows the change in costs for companies in various industries from 2015 to early 2021.
Healthcare companies traditionally get targeted the most. The positions below it have shifted over time. In 2015, leaks in the energy sector were in 10th place, and in monetary terms they cost more than 3 times less than in healthcare. In 2020, the sector rose to 2nd place, almost equal to the leader.
The scale of leaks is conveniently determined in three ways:
- The amount of damage caused
- The number of records in the stolen databases (e.g. user accounts)
- The number of compromised organizations or departments (if we are talking about national attacks)
The most obvious indicator is statistics on stolen databases with the personal data of users.
Take a look at the following diagram:
Number of compromised data records (in millions)
Image source - statista.com
More recently, there have been database leaks with more than 9 billion data points containing information on 200 million contacts from 10 million companies.
Who is responsible for the data breach attacks?
According to a Verizon study, external actors are responsible for 70% of leaks, 55% are committed by organized crime groups, and 30% involve company employees:
Who’s behind the breaches?
The basic tactics of hackers change little over time. Most often (in 45% of cases) leaks occur as a result of hacking. The 2nd and 3rd places are occupied by various kinds of errors and attacks using social engineering (22% each).
What tactics are utilized? (Actions)
According to survey results published by gov.uk, up to 90% of all leaks are caused by phishing emails.
In general, according to experts, the number of data breaches in 2020 was less than in 2019. But, unfortunately, this isn’t due to effective counteraction or increasing the security of computer systems, but due to the temporary switching of the main forces of cybercriminals to another more profitable direction - ransomware.
Irbis also expressed a different view, according to which obtaining database dumps became an additional means of pressure on victims of such extortion. Previously, it was a more independent line of activity for hackers. As a result, many experts may not correctly calculate the number of data leaks without taking into account the numerous cases of leaks from ransomware attacks.
Below we will analyze 10 of the most significant data breaches in recent years and consider the latest high-profile cases of information leaks, which aren’t only striking in their scale but can also complicate relations between the United States and Russia.
10 examples of data breaches in 2020 and 2021
- Sunburst (SolarWinds hack)
- CAM4 Data Leak
- Parler
- EasyJet
- T-Mobile
- MGM Resorts
- Pixlr
- Destruction of Daniel's Hosting
- Zynga
- Friend Finder
Sunburst (SolarWinds hack)
In mid-December 2020, news spread around the world, affecting even people not directly involved in Internet security. The SolarWinds hack compromised hundreds of companies and government organizations around the world.
Particularly impactful was the news of the penetration of hackers into the Treasury Department and the US Internal Revenue Service.
Sunspot attack scheme:
The essence of the attack is as follows:
- Using the SUNSPOT Trojan, the hackers injected the SUNBURST backdoor into the update code of SolarWinds' Orion platform, network-monitoring software installed in organizations of all sizes around the world. In total, about 18,000 clients received the infected update.
- The installed backdoor could deliver different payloads. One such payload was the hard-to-detect TEARDROP loader, designed specifically to install the Cobalt Strike BEACON. This is perhaps the strongest hacking framework to date for stealthily compromising corporate networks.
- An alternative to TEARDROP was the RAINDROP malware. It also loaded Cobalt Strike, but used another protocol and had some other differences:
Image source – bleepstatic.com
- The attacker gained privileged access to the infected network and, using lateral movement, was able to infect any computers at his discretion.
The ultimate intention of the cybercriminals is currently unknown. So far, one can only speculate about the scale of the leak. But it could be incredibly large and significant, as major US organizations previously considered impregnable have been compromised. And these are only the known facts. The real picture may be even worse, since it isn't known who received the stolen data and what it will be used for.
Of particular concern is the fact that such an unprecedented large-scale hack would still not have been known if it were not for the risky actions of cybercriminals. They gave themselves away, trying to increase their privileges to access highly protected information. According to experts, this could have been done deliberately, as a justified risk. If not for this, we might still not know about the data leaks that are taking place.
As for the organizers of this attack, today there is no consensus on who is behind it. Many experts, as well as the Washington Post, citing their sources, believe that this is the work of the Cozy Bear hacker group controlled by the Russian government. This group is believed to be responsible for hacking into government mail servers during the Obama administration.
In December 2020, the then-future president of the U.S. Joe Biden said that after taking office he would address improving the security of US government agencies and would consider several options for responding to Russia. These may be new sanctions or other means that would impose large economic, financial, or technological costs on the organizers of this attack.
CAM4 Data Leak
In the spring of 2020, one of the largest adult streaming sites, CAM4, leaked more than 10.8 billion database records, which contained detailed information on members and users. The leak occurred due to the incorrect configuration of the Elasticsearch analytics service.
The data contained a wide range of users' PII: names, IP addresses, emails, correspondence between users, sexual orientation, payment amounts, password hashes, and more.
Hackers can brute-force passwords quickly and efficiently. Therefore, hashing can only protect long and complex passwords. Read more about effective methods of protecting personal information at the end of the article.
Of the CAM4 user accounts in the exposed database, more than 6.5 million belonged to Americans, more than 10 million to Europeans, and about 6 million to Brazilians.
It is worth noting that CAM4 broadcasts content created by ordinary people who want to make money in the adult industry. The leakage of their personal data can seriously compromise them in everyday life, up to the loss of their job and the need to change their place of residence.
Moreover, tragic cases are also known. So, after the leak of 33 million accounts from the Canadian dating site Ashley Madison, at least two cases of suicide caused by the disclosure of personal data came to light.
Parler
We all remember well the events of early January 2021 in the U.S. Capitol. It is known that the main stage of preparation of the attempt to seize power was carried out with the help of the Parler social network. After the failed assault, some users deleted their accounts in an attempt to hide the evidence of their participation.
But on January 11, a vigilante hacker made public more than 70 TB of data with all published and unpublished videos, including materials and personal data of users who deleted their accounts.
Thus the hacker provided significant, albeit illegally obtained, assistance to the law enforcement agencies working to establish all the circumstances of the attack on the Capitol, as a result of which 5 people died, including 1 police officer.
The attacker is believed to have stolen 99.9% of all Parler content, which became possible after Twilio, which previously performed user ID verification, refused to cooperate with the social network.
EasyJet
9 million customers. This is how many people were affected by the attack on the British low-cost airline EasyJet.
What sets this case apart is that not only e-mail addresses and travel data were stolen, but also bank card information, in particular the CVV codes of credit cards. Thankfully, this affected only a little over 2,200 people.
Even though the company informed its customers, and despite the relatively small amount of stolen payment card data, more than 10,000 lawsuits were filed against EasyJet. The plaintiffs claim that they were not informed in time (the delay was 4 months).
By law, victims can be compensated with up to $2,500 (£2,000). The airline also faced a huge fine of up to 4% of its total turnover.
A special website has even been set up where clients of the company can apply to join a class-action lawsuit.
Against the backdrop of a pandemic and a decrease in revenues, additional costs may be the beginning of the collapse of a large airline. And the reason for this is the activities of cybercriminals, the danger of which is still underestimated by many.
T-Mobile
Data leaks can be very different. It all depends on the specifics of the company's activities. The previous examples described the most common types of data that hackers can use for their purposes.
There is also specific data that isn’t interesting to most “classic” cybercriminals. But at the same time, the leakage of such data can cause no less or even more harm to the clients of compromised companies.
One of these examples is another leak of data about calls and geolocation of customers of the mobile operator T-Mobile.
This is the fourth such incident since 2018. This time, data on 200,000 customers was stolen. The stolen database contains information about customer calls, their duration, base stations (coordinates), and other data classed as customer proprietary network information (CPNI). The Federal Communications Commission (FCC) considers it "some of the most sensitive information that carriers and providers have about their customers."
Such data can be used by the special services of any country to compile sufficiently detailed information on the movement and contacts of people from this database.
The T-Mobile situation shows that even the largest companies (in 2020, T-Mobile completed a $26 billion merger with Sprint Corporation) cannot guarantee 100% data safety. Moreover, in this case, it wasn’t even possible to secure yourself in advance. The only way to do it is to stop using a mobile phone.
I also want to remind readers that cellular operators “know” everything about us. When we sleep, where we go, where we order food, and much more. The more data about our activity enters their databases, the more accurately and more fully they can model our life in detail. That is why the leak of seemingly useless data can be a very strong tool in the hands of ill-wishers or fraudsters.
MGM Resorts
Leaks often occur that don’t pose a direct threat to users but allow interested parties to infringe on the privacy of personal life. This rarely applies to ordinary people, but it can be important for public figures and politicians.
In the winter of 2020, a dump of the MGM Resorts hotel chain's database appeared on one of the hacker forums on the darknet. It contained data on over 10,000,000 guests. Quite predictably, it also held the personal data of celebrities, top managers, reporters, bloggers, and government officials.
What data has become publicly available?
- Full names
- Numbers of documents (passports, driving licenses, military certificates)
- Home addresses
- Dates of birth
- Phone numbers
- Emails
ZDNet journalist Catalin Cimpanu was one of the first to study the compromised data and found in it the names of some famous and high-ranking persons:
- Justin Bieber
- Jack Dorsey
- Lots of Twitter employees
- Microsoft staffers
- FBI agents
- DHS/TSA officials
- Bunch of other .gov’s
But MGM Resorts did not make my list of top leaks of 2020-2021 because of this incident alone. A few months later, a second part of the stolen database dump appeared on the same hacker forum. More than 142 million new accounts were added to the original 10 million. The dump also contains information about MGM Grand guests.
Although MGM Resorts knew about the real scale of the attack and warned all its customers, people can feel the real consequences of data loss only now, when anyone could buy a full database dump for $2,939 (the price is indicated as of the end of 2020, now the dump isn’t for sale).
Thus, more than 150,000,000 people can at any time become the victim of a targeted phishing attack that intercepts an SMS with two-factor authentication codes. For this, hackers need everything: email, full name, address, and phone number.
I asked Irbis to share more details about how any victim's account could be compromised with this information.
There are two ways to compromise a confirmation SMS. If we know the location of the victim and his phone number, then we can implement radio interception. To do this, you will need special equipment that allows you to listen to a 3G / 4G signal (RTL-SDR receivers), a special OS SigintOS, a 3G / 4G signal jammer, and a phone with direct access to a modem to obtain a 2G network decryption key.
The second method is suitable for cases when the victim, for example, makes a transfer of funds. In this case, the victim's traffic is passed through a special proxy, in which the details are replaced. In this case, you don’t need to intercept the confirmation SMS message. But it is desirable to somehow distract the victim so that he doesn’t pay attention to the new numbers in the transfer amount.
In this way, professional cybercriminals can use such information for technically sophisticated but effective attacks. This is a laborious, costly, and time-consuming method, but it is justified when the end goal is very valuable information.
Pixlr
Recently we learned of a large-scale data leak from Pixlr, which has developed a free graphic editor of the same name used by millions of designers around the world.
Hackers, allegedly working with the ShinyHunters group, have published nearly 2,000,000 user entries in the public domain.
According to the CyberSecreport website, the stolen data contains the following information:
- E-mail addresses
- Login names
- SHA-512 hashed passwords
- Geographic location of the user
- PayPal email
As in the case of the CAM4 leak, there is a real danger of the hashed passwords being cracked by brute force (trying all possible combinations of characters until one produces the same hash). The process is similar to cryptocurrency mining: the more powerful the hardware, the less time it takes to crack a password.
One of the effective methods of secure login is SSO (Single Sign-On) - using one password to access multiple applications or sites. The peculiarity of the method is that the target site doesn’t need to store passwords, and the user doesn’t need to come up with and remember complex secure passwords. This technology is used, for example, in Google and Facebook services.
Until this technology becomes widespread, I strongly recommend using long and complex passwords or passphrases of over 8 characters. For more on how to protect your accounts, see the guide at the end of this article.
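To make the point about hashed password dumps concrete, here is an added example in Python (not from the article, and not Pixlr's or CAM4's code): an unsalted SHA-512 dump like the one described can be checked against a wordlist one hash per candidate, and each computed hash is reusable against every user in the dump, whereas a per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 here) forces the work to be repeated per user and per guess. The leaked records, user names and wordlist are all constructed for illustration.

```python
"""Added example: unsalted SHA-512 dump vs. salted, slow KDF storage.
All records and the wordlist are constructed; no real leaked data."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 600_000  # work factor in line with current OWASP guidance


def sha512_hex(password: str) -> str:
    """Unsalted SHA-512, the scheme reported for the Pixlr dump."""
    return hashlib.sha512(password.encode()).hexdigest()


def recover_from_wordlist(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Compare a leaked unsalted hash against candidate passwords.

    Without a salt, one SHA-512 per candidate is enough, and a precomputed
    table of candidate hashes works against every user in the dump at once.
    Returns the matching candidate, or None if it is not in the list."""
    for candidate in wordlist:
        if sha512_hex(candidate) == stored_hash:
            return candidate
    return None


def audit_dump(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return {user: recovered_password_or_None} for an unsalted SHA-512 dump."""
    words = list(wordlist)
    return {user: recover_from_wordlist(h, words) for user, h in dump.items()}


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Defensive storage format: 'pbkdf2$iterations$salt_hex$hash_hex'.

    A random 16-byte salt per user means identical passwords hash differently
    and a precomputed table is useless; 600k iterations make each guess slow."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


# Constructed "leaked" table of unsalted SHA-512 hashes (hypothetical users).
LEAKED_SHA512 = {
    "alice": sha512_hex("password123"),
    "bob": sha512_hex("correct horse battery staple pixlr 2021"),
}

# Constructed tiny wordlist; real lists run to billions of entries.
WORDLIST = ["123456", "qwerty", "password", "password123", "letmein"]


if __name__ == "__main__":
    # alice's short password falls to the wordlist; bob's long passphrase does not.
    print(audit_dump(LEAKED_SHA512, WORDLIST))
    rec = pbkdf2_record("password123")
    print(verify_pbkdf2("password123", rec), verify_pbkdf2("password124", rec))
```

Note that the long passphrase survives only because it is absent from the list, not because SHA-512 is slow; the salted PBKDF2 record is what makes each guess expensive and non-reusable across users.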
Destruction of Daniel's Hosting
Image source – zdnet.com
An illustrative case occurred with the hosting provider Daniel's Hosting (DH), which was forced to close its business after a hacker attack. Illustrative because Daniel Winzen, the owner of the service, was himself indirectly involved in the activities of "dark" sites: Daniel's Hosting provided anonymous hosting services, which hackers themselves often used.
The essence of the attack was that the attacker gained access to all DH servers. First he dumped all the databases, and then he erased all data from all servers.
It all happened at night while Daniel slept. In the morning when he went online, all 7,600 hosting-based sites were destroyed.
After 3 months, a hacker with the pseudonym KingNull posted a dump of the database used by DH on a file sharing service. It contained emails of service users, clear-text passwords, and private keys for .onion domains located in the Tor network.
The leak could be the key to solving crimes committed using resources hosted on the darknet. This is possible in three ways:
- Comparison of the email addresses of the owners of compromised sites with an extensive database collected from various other sources. Often, hackers use the same emails in criminal activities and everyday life. According to Andrey Masalovich, an expert in competitive intelligence and creator of the Avalanche program, it is the human factor that is most often the reason for the deanonymization of hackers. For example, one of the most wanted cybercriminals was arrested for using his old “work” email to order a baby carriage from an online store.
- Using a compromised password to access other resources or email. Here, too, the human factor plays a major role. Both ordinary people and hackers often use the same passwords for several resources.
- Comparison of the password with the database of known nicknames and logins. There is a high probability that people will use logins or slightly modified nicknames from social networks or forums for passwords.
The peculiarity of DH's business was that the service did not make site backups to ensure the principle of anonymity. This was a strong factor in attracting a large number of customers and creating dark sites, but at the same time, it became the Achilles heel of the service.
DH's case is also revealing because it wasn't the first attack. At least one more case of hacking of the provider is known to have happened 16 months before. Moreover, the case was identical - the attacker destroyed all client sites, clearing the provider's servers.
Despite the obvious risk of being hacked again, Daniel has not taken sufficient steps to protect user data.
Zynga
The rapidly developing field of online games cannot be ignored. One of the largest episodes of data breaches for social games companies was a series of user data breaches at Zynga, which has a capitalization of more than $5 billion.
More than 200 million users were affected - this is how many accounts were stolen by the international hacker group GnosticPlayers.
According to The Hacker News, the hackers gained access to the following information:
- Names
- E-mail addresses
- Login IDs
- Hashed passwords
- Password reset token (if requested)
- Phone numbers (if any)
- Facebook ID (if connected)
- Zynga Account ID
The hackers also claimed to have gained access to over 7,000,000 open passwords.
In total, about 1 billion game accounts were compromised by GnosticPlayers, stolen from 32 sites. In all cases, the data was put up for sale on dark sites.
Previously, it was mistakenly believed that GnosticPlayers were based in Pakistan. In 2020, conflicting information appeared about the arrest of three members of this criminal group. The cybersecurity company Night Lion Security, itself attacked in Q1 2020, identified 5 names allegedly behind the Zynga, Canva, and other leaks. The well-known WatchGuard company subsequently criticized Night Lion's claims, saying they could not be trusted.
Friend Finder
Image source - theguardian.com
Last on my list of the biggest data breaches in recent years, I want to talk about the massive incident with the famous adult content dating site Adult Friend Finder.
This is one of the oldest such websites. To date, Adult Friend Finder is ranked 702 in the world in terms of attendance according to SimilarWeb and 14 in the Adult category, with main audiences from the United States, Canada, and Australia.
In 2016, FriendFinder Networks' server was hacked by an unknown attacker, and the login details of 412,214,295 accounts were stolen.
The following data was stolen:
- Usernames
- Email addresses
- Passwords
- Date of joining
- Date of the last visit
The leak affected not only AdultFriendFinder but also Cams.com, iCams.com, Stripshow.com.
The researchers counted 5,650 registrations using domains in the .gov zone and 78,301 registrations using military email addresses in the stolen database.
The AdultFriendFinder leak remains one of the largest to date. More accounts were stolen only three times - from Yahoo in 2013 (3 billion) and Marriott International in 2014 (500 million), and Sina Weibo in 2020 (538 million, but there were no passwords in the stolen data).
How is our data being stolen?
To assess in practice the scale of the activities of cybercriminals involved in stealing databases, I contacted Irbis and asked him to share the information he had on this topic.
Not only did I manage to find out some details of how hackers and other cybercriminals operate, but also how and where in 2020 it was possible to buy databases with personal data of users of compromised sites.
Take a look at the screenshot I took on leakcheck.net.
Here you can see that there are database dumps in the public domain, which I talked about above. In this case, it is a data validation service. It was created based on materials taken from open sources.
It isn’t difficult to find leaked databases on the Internet, but it is much more important to make sure that your data isn’t compromised. This can be done in two ways:
- Free
- Paid
In most cases, it is enough to check your email against the current databases in the public domain. The easiest way to do this is with a special service. For example, haveibeenpwned.com. Just enter your email and the site will show if it is found in compromised databases.
To test the effectiveness of the service, I decided to check my old email, which was stolen 10 years ago. The result confirmed that the check works.
If you want to know more, or if you need to check other data, for example, a phone number or the name of a game character, then you will have to use paid services such as leakcheck.net.
The main threats in 2021
Coronavirus
According to many security experts, the main threat associated with the data breach topic in 2021 is ... the coronavirus.
Most of the problems are linked to it, further aggravating the situation faced by many medical institutions around the world.
According to the latest report from Experian, the COVID-19 pandemic is driving people to work remotely. This is exposing vulnerabilities in the systems of many companies. Also, the exchange of medical data and telemedicine has significantly increased. Hackers are increasingly exploiting vulnerabilities in the storage and transmission systems of medical databases, stealing large amounts of personal information.
The imperfection of the organization of vaccination causes great concern among specialists. This is inevitably associated with the creation, storage, and exchange of data on vaccinated people. There are many vulnerabilities in the chain of movement of this information. It is practically impossible to prevent leaks if hundreds or thousands of medical and other institutions have access to the same database.
Hackers will find weak links in the chain if strict data protection standards aren’t introduced and effective work is organized to control access to medical data.
So far, telemedicine services are unsafe. So, according to Michael Bruemmer, vice president of Data Breach Resolution and Consumer Protection at Experian, such applications often don’t encrypt transmitted data, even though these are PHI and PII.
5G
What is 5G? This isn’t only faster internet, but also huge bandwidth. With 5G, the Internet of Things is becoming a reality.
Let's dive into some technical details. This will help understand one of the main problems of the Internet of Things - data exchange vulnerabilities.
Connecting devices to the Internet allows you to make them more functional, useful, and customized for a specific user. For example, voice assistants can make it easier to control household appliances or a car. Biometric scanners can alert people with poor health to see a doctor and even call emergency services.
Such devices will need to exchange personal data with control servers in real-time. And the more individual the settings are, the more detailed data will need to be transmitted through the 5G network.
At the same time, hundreds and thousands of start-ups will appear which, in the race for customers, will implement the protection of this data hastily. Some will decide not to spend time and money on it at all.
Hackers will be able to steal very detailed information without much difficulty. Until now, the main information available about their victims has been their email address and, at best, their phone number or credit card details. With the development of 5G, cybercriminals may gain (and certainly will, it is only a matter of time) the ability to influence the operation of vehicles, surveillance cameras, household appliances, medical gadgets, and more.
Taking into account the trends of recent years, it can be assumed that devices connected to the Internet of Things will be locked for ransom.
Such cases are already happening. So far, this is not causing serious disruptions, but with the development of technology and the number of such gadgets, this can lead to huge losses.
It is also important to understand that any personalized data can be used for spear phishing.
Given that the introduction of laws obliging companies to make every effort to protect PII and PHI will take more than one year (and in many countries, decades), then with the development of 5G and the Internet of Things, we will inevitably face a sharp increase in data breaches.
Responsibility of companies for the safety of customer information
To motivate companies to improve the protection of user data, as well as to prevent concealment of the facts of their leakage, developed countries have adopted relevant laws.
European Union
For Europe, it is GDPR (The General Data Protection Regulation).
The GDPR came into force on May 25, 2018, replacing Directive 95/46/EC, which had been in force for 20 years. The new law establishes a new standard for data protection and also outlines the responsibilities of companies.
So, for example, a gross violation of the regulation resulting in the leakage of user data carries a fine of up to 10,000,000 euros or up to 2-4% of the annual turnover for the previous financial year. Cases in which a data leak caused problems for users are treated especially strictly.
I described one of these cases above when I talked about the data breach that happened at the EasyJet airline.
According to statistics published by the international law firm DLA Piper, at the beginning of 2021, EU companies had paid EUR 272.5 million for various violations in data storage and protection. This is more than double the amount of fines at the beginning of 2020 (EUR 114 million).
Today, the GDPR is the strongest legislative tool in the world that is designed to prevent data breaches.
United States
In the US, they use a similar regulation to the GDPR. This is the CCPA (California Consumer Privacy Act), which came into force on January 1, 2020. However, it only applies to companies operating in California.
Other states are also gradually introducing data protection regulations. Laws similar to the CCPA have appeared in Nevada (SB220) and the state of Man.
The rest of the world
Other countries also have laws that govern data protection. In Australia, this is APP (Australia's Privacy Principles), in Canada - PIPEDA (Personal Information Protection and Electronic Documents Act).
Countries in Asia, New Zealand, Russia, South Korea, Malaysia, Indonesia, India, and others also have data protection laws in place.
I want to note that in most cases they are much inferior to GDPR and CCPA, which is why their effectiveness (impact on increasing the security of user data) is lower. Most often, these laws and directives were created 10 or more years ago and don’t take into account all the specifics of modern technologies.
Practical application of GDPR and CCPA
British Airways faced one of the largest fines since the entry into force of the GDPR law. In 2018, passengers of this airline suffered from two data breaches. A total of 564,000 customers (185,000 customers with bonus bookings and 380,000 users of the airline's website) were notified of their identity being compromised. Some of the stolen information contained credit card details, including CVV numbers.
The ICO (Information Commissioner's Office) published a notice of intent to fine the airline a record £183 million. After about a year of litigation, British Airways was able to reduce the fine to £20 million.
The amount of payments to the affected clients has not yet been determined.
As for the application of CCPA, there are currently no real cases associated with it. This is because the first 6 months of the law were set aside for the elimination of shortcomings and adaptation. After that, not enough time has passed. Also, the CCPA only operates in California.
Effective data protection
- Guide for users
- Guide for companies
- How do you know if your data has leaked?
- How to properly protect your data
After comparing all the facts about data breaches, forecasts for the near future, as well as taking into account the recommendations that Irbis gave me, I have prepared two guides to keep personal data safe.
The guides take into account:
- GDPR and CCPA requirements
- Vulnerabilities
- Technologies used by hackers
- Ability to work remotely
- Budget constraints
The first guide is for users. It explains how to behave on the Internet to minimize risks, so that hackers cannot harm you even if they get hold of your data.
The second guide is for companies. It lists all the steps you need to take to effectively protect the data you collect from your users.
User Guide
Most often, an ordinary user finds out that his personal information has been compromised when it is too late to take any action. We'll look at two data breach cases:
- Spear phishing followed by blackmail.
- Hacking a company that stores personal data.
Both cases are widespread and can cause a lot of trouble.
We will also look at the main approaches that significantly increase security and allow you to overcome the possible consequences of an attack or fraud with minimal consequences.
Additionally, you can use special software that professional hackers use to protect their computers from being tracked.
Actions for targeted attacks using the example of ransomware
Fraudsters and cybercriminals can take possession of the victim's data by deceiving, using special software, or by combining both methods.
Often, hackers operate where users may have vulnerable information that they can make money from.
For example, dating sites. Fraudsters create profiles of women, enter into correspondence with potential victims, lure them into sharing candid photos and spicy details of their personal lives. After that, according to the data received, they search for accounts in social networks, collect a list of contacts with whom the victim communicates, and start blackmailing. The criminals threaten to send incriminating information to all contacts and demand a ransom.
This is just one example. There are many types of spear phishing, but they are all based on acquiring personal information.
The sequence of actions for countering extortion:
- Try to calm down. Do not take any action until you have a sober assessment of the situation. Criminals are likely to rush you, not giving you time to think. It's important to focus.
- If appropriate, contact the police.
- Think about what could really happen to you if the attacker carries out the threat.
- Imagine yourself a week, a month, a year after that. It is important to set aside fear and assess the threat. For example, if an attacker threatens to send your nude photos or shameful fantasies to all contacts and publish them on some sites, is it really that scary in the long run? It is unlikely that your friends are interested in how you spend your time alone.
- Remember that it isn’t profitable for a hacker to carry out a threat. First, it is laborious and time-consuming. Secondly, it will make his crime worse in case he is caught. Third, he won’t receive benefits.
- Ignore the fraudster or bombard him with questions. Show no fear. It helps to behave like an investigator questioning a suspect. The victim's unpredictable or bizarre actions are likely to scare the offender.
- Don't pay money. Complying with the extortionist's demands gives no guarantee that they will delete your data. On the contrary, it will most likely lead to a new round of blackmail. Extortionists “milk” the victim until the money runs out or until the scale of the loss exceeds the fear of being “exposed”.
Hacking a third-party company
If hackers break into a private company or government organization and steal the personal information of a large number of people, then the consequences greatly depend on what kind of data fell into their hands.
For international companies, there are rules according to which they are required to notify their users about the leak. This allows users to take steps to minimize the impact of a breach.
What should be done?
- Request information about what kind of data could have been stolen.
- Change the password in the compromised service.
- Change passwords wherever the same or similar password is configured.
- Enable two-factor authentication.
- Request a credit report. This will allow you to file a fraud report if unauthorized transactions are found.
- It is advisable to activate a credit alert (credit flag) with a credit bureau (TransUnion, Experian, Equifax, or a similar service). This is especially important if passport or other identity document data has leaked.
Additional steps may be required in each case. For example, if the leaked data contains your mobile phone number and residential address, it is advisable to change the phone number that receives confirmation codes for bank transactions. This rules out interception or spoofing of confirmation messages.
If you have incurred losses and it is proven that the compromised company did not take all steps to protect customer data or did not inform you immediately after it learned about the hack, then you are entitled to a refund under the GDPR and CCPA.
Guide for companies
Below are basic guidelines to help you significantly reduce the chances of data breaches in companies. I recommend that you pay attention to each item since there is no one simple way to protect your data. It is always a set of measures. Ignoring any of them significantly reduces data protection in general.
- Conducting briefings and practical training of personnel. It is necessary to be as suspicious of any links in emails as possible. Before opening attachments, you need to contact the sender by phone or any other alternative method and make sure that he really sent the files. Read more in our dedicated anti-phishing guide.
- When working remotely, use a VPN. This will protect against MITM attacks.
- Employees with access to the corporate network must have work computers and smartphones. Such devices cannot be used for personal use. This is especially true for web surfing and email correspondence. Even if you strongly trust your employee, then don’t forget that he may have relatives, children.
- Configure the creation of backups. It is important not only to back up all important data regularly but also to store it securely. Hackers often search for and destroy backups to get a ransom for data recovery. It is also important to verify the backups that are being created. There are times when, after some work or software updates, copies are created with errors, and it is impossible to recover data from them.
- Assign administrators the minimum set of rights sufficient to carry out their normal tasks. If several people serve the network, grant full access only to the most experienced and reliable of them. For the other administrators, disable the ability to run executable files and block the launch of cmd.exe and PowerShell. These are the shells hackers most often use for "lateral movement" when they need to navigate a compromised network and search for databases.
- Assign limited privileges to users. For example, so that they don’t have access to data that they don’t need to work. The rest of the data can be shared upon request.
- Implementation of two-factor authentication for remote access to services used by company employees. This includes email, analytics, database management, financial reporting, and more.
- Configure registration of employee actions on all servers. Every authorization, database access, file deletion, and other actions should be recorded in a log file.
- Configure blocking of the remote access session when the timeout is exceeded. For example, if an employee is inactive for more than 10 minutes, then he needs to re-authorize. Choose a timeout that is comfortable for work. You should not unnecessarily shorten this time.
- Develop an emergency response plan. Be sure to conduct exercises at least once a year to help avoid chaos in an emergency.
How do you know if your data has leaked?
If you are worried about your data and want to make sure that it has not been compromised, then use the following guidelines:
- Check your email (services haveibeenpwned.com, f-secure, Avast, and others).
- Study the list of compromised organizations (example mass.gov).
How to properly protect your data
No one can guarantee that our data won’t fall into the hands of intruders. But it is within our power to make it useless in their hands.
In this section, I will teach you how to effectively protect your accounts and be careful about what personal information you publish.
The guide is based on my personal work experience. My main activity is VPN research and configuration, internet security, and anti-tracking. Over more than 10 years, I have developed rules and steps that I will share with you. I also updated this information by consulting Irbis, my consultant from the world of hacking.
Preparing for Registration (Computer Setup)
This step will be needed not only for those who create a new account on social networks, on dating sites, or in any other services, but also for everyone else who already has registered accounts.
- Installing the latest system updates. Be sure to have all the latest OS updates installed. This is equally important for Windows, Mac, Android, iOS, and Linux.
- Checking the system for malware. First of all, you need to make sure that no spyware, adware, RAT trojans, or other malware is installed on your computer. Even if you have an antivirus installed, scan your system with one or both of these free trojan search and removal utilities:
- Kaspersky Virus Removal Tool
- Dr.WEB CureIt (for local use only)
- Blocking unnecessary system connections. OS consists of dozens of different services that constantly or regularly exchange technical information with remote servers. Most often, this is an activity that is completely useless for users. In this case, each service becomes a point of weakening of security. There is always a chance that a vulnerability will be found in such services, and they will be able to compromise the entire system.
The most effective way to block unnecessary processes from running is to properly configure the firewall. It is quite difficult to do manually. I recommend the special tool WindowsSpyBlocker, which configures the Windows Firewall by itself according to the given preferences. The tool is launched once.
Setting up WindowsSpyBlocker is very simple and doesn’t require advanced knowledge.
- Install the latest version from the official site crazymax.dev;
- Run the program;
- In the menu that appears, select 1 and press Enter;
- Then again 1 and Enter;
- In the list of Windows Firewall setting options that appears, select option 2 - Add spy rules (press 2 and Enter).
If desired, you can change the NCSI (Network Connectivity Status Indicator) settings. By default, this system service works with Microsoft servers. WindowsSpyBlocker allows you to change them to Debian or Firefox servers. This won’t provide additional protection, but it can be useful for those who want to be “paranoid” on the Internet.
- Installing additional protection against tracking in a web browser. An effective method of protection is the installation of special software that blocks the tracking of user activity. I am using the add-on Ghostery. It monitors the activity of sites in real time and blocks everything unnecessary.
- Using a VPN. Today it is the most effective technology for protecting your traffic and your location, available to absolutely everyone. A VPN also solves related problems, such as unrestricted access to content on Netflix and other streaming sites with geo-restrictions (read more in the VPN for Netflix article) and maximizing anonymity when torrenting (an overview of the best services in the VPN for Torrenting article).
Just install a VPN application and transfer any data securely, even on public WiFi.
Password creation
The weakest point in data protection is the password. Even now, many users don’t attach much importance to its complexity.
And in vain.
Below, for clarity, I will give examples of different passwords and the time it takes to crack them. You will be surprised how quickly a regular password can be cracked if necessary. For the demonstration, I used the Kaspersky Password Checker service for checking passwords.
Comparison of the complexity of different passwords
| Password | Length (characters) | Estimated guessing time |
|---|---|---|
| 1q2w3e4r | 8 | 2 seconds |
| password2021 | 12 | 3 hours |
| BHhbYTgyg_4724^3 | 16 | 10,000+ centuries |
| Is my password the hardest in the universe? Yes! | 48 | 10,000+ centuries |
As you can see in the table, two factors significantly influence the time of password guessing:
- Length,
- Complexity
“Old school” passwords like those in the first two rows cannot be used to protect data. Hackers have long used not only simple enumeration of combinations but also passwords that have been compromised over the past 20-30 years. These are incredibly extensive databases containing billions of password variations that people have come up with. The probability that the password you invented is already in these databases is extremely high.
Therefore, today there are only two effective ways to create strong passwords:
- Generation of random sequences of letters, numbers, special characters, and punctuation marks. The disadvantage is that it is impossible to remember.
- Passphrases. The disadvantage is their length.
Both options must take into account the minimum password length. Today it is 8 characters. But I recommend configuring passwords with a length of 9 characters or more. I only use long passwords over 12-15 characters. And passwords of the administrator access level are over 20-30 characters.
I would like to dwell separately on the second option - passphrases.
They have the same reliability as random sequences, but they are easy to remember. It is important to make such phrases long, use upper and lower case letters, punctuation marks.
Several years ago, US intelligence agencies arrested a Russian hacker who was stealing credit card data. But they were never able to crack his encrypted container. In the course of the investigation, the hacker began to confess and gave out the password. It turned out to be a strange sequence of characters and spaces longer than 150 characters. Surprisingly, the hacker typed this password on the keyboard from memory. The specialists inquired about how this password was created. It turned out to be a short rhyme written in Russian (in Cyrillic) but in “qwerty” (English) keyboard layout.
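The two factors from the table above (length and character set) can be turned into a search-space estimate, and the "already in a breach database" problem can be checked the way haveibeenpwned.com's Pwned Passwords range lookup does it, by sending only a hash prefix. This is example code written for this article, not the Kaspersky checker; the guess rate and the breached-password list are constructed assumptions, so the times will not match the table exactly.

```python
"""Estimate password guessing time and check a password against a breached-
password set by SHA-1 hash prefix (k-anonymity style).  Written for this
article; the attacker rate and the leaked list below are assumptions."""
import hashlib
import math
import string

# Character classes a brute-force tool has to cover: (characters, class size).
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]
# Assumed attacker rate: about 1e10 guesses/s against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def keyspace_bits(password: str) -> float:
    """Bits of search space: length * log2(size of the character classes used)."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(size) if size else 0.0


def crack_time_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the whole keyspace at the assumed rate."""
    return 2 ** keyspace_bits(password) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest sensible unit, capped like the table."""
    if seconds > 31_557_600 * 1_000_000:  # more than a million years
        return "10,000+ centuries"
    for name, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Constructed stand-in for a breach corpus: SHA-1 hashes of leaked passwords
# indexed by their first five hex digits, as the HIBP range API does.
_LEAKED = ["123456", "password", "1q2w3e4r", "password2021", "qwerty"]
BREACH_INDEX = {}
for _pw in _LEAKED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_compromised(password: str) -> bool:
    """Only the 5-character prefix would leave the client; the suffix is
    matched locally, so the service never learns the full hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in BREACH_INDEX.get(digest[:5], set())


def assess(password: str) -> dict:
    """A leaked password is weak regardless of how large its keyspace looks."""
    return {"bits": round(keyspace_bits(password), 1),
            "estimate": human_time(crack_time_seconds(password)),
            "compromised": is_compromised(password)}


if __name__ == "__main__":
    for pw in ["1q2w3e4r", "password2021", "BHhbYTgyg_4724^3",
               "Is my password the hardest in the universe? Yes!"]:
        print(f"{pw!r:52} {assess(pw)}")
```

Note that password2021 gets a respectable keyspace estimate yet is flagged as compromised, which is exactly why a pure length/complexity score is not enough.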
Reasonable use of personal information
Very often, users don’t realize that filling in most of the fields in a profile about themselves is optional. Despite this, they fill them in with detailed data. The less often you leave personal information, the better.
Of course, there are resources where you need to leave a lot of personal data. But do we really need dozens of online shopping, food delivery, and other services? Should you trust them, for example, with your address?
Artur Hachuian, one of the developers of Big Data systems, once said that he orders food to the address of an apartment in the next entrance. And when they deliver and call him, he goes out to meet the courier.
You need to be scrupulous about publishing information about yourself on the Internet. My advice is to make it a rule to ask yourself three questions every time a form asks for more information about you than your email address:
- What if I don't fill this line of information?
- What happens if I give false data?
- What happens if this data is stolen?
By asking these questions, you will significantly increase your awareness and save yourself from taking unnecessary risks.
Account protection
There are various ways to protect your account login:
- Multifactor authentication,
- Incognito mode when using someone else's computer,
- Using a security key instead of a password (suitable for Remote Desktop and some other services).
The simplest and most widely used is two-factor authentication. The most convenient way is to install a special authenticator app on your smartphone and register your services in it. For example, this can be done with a Gmail account.
Each time you log in from a new device (if you wish, you can configure login verification only from untrusted devices), you will need to enter the code shown in the mobile application.
Registration using other accounts
More and more websites offer registration with existing accounts on Google, Twitter, Facebook, and others. This is a safer way to register and log in than the classic login and password.
With this method, only an encrypted identifier is transmitted to and stored by the site, and it cannot be used from another device on which you have not logged into your “parent” account.
The only drawback is that the service will gain access to your data and will be able to store it on its servers. To get around this, I recommend setting up a special Google account with safe and concise information.
Conclusion
The digital world is based on the storage and transmission of data. That is why the Data Breach problem will always be relevant.
Recent statistics show that health information is the most damaging category in data breaches. The situation was aggravated by the coronavirus pandemic, which forced millions of people to use telemedicine services.
The ransomware trend is also accompanied by the theft of databases.
Attacks on mobile operators, social networks, and other services will continue.
We need to do everything we can to protect ourselves even before our data gets into the hands of attackers:
- Protect accounts with strong passwords;
- Use two-factor authentication or key login;
- Reasonably publish information about yourself on the Internet;
- Be suspicious of correspondence with strangers;
- Regularly check your account password for leaks;
- Monitor your credit history
- Monitor lists of compromised companies;
- Be prepared to respond quickly.
If you have your own business or company, then pay special attention to how you store user data. Thanks to the new laws, users are entitled to compensation for the damages they will incur if they prove your guilt in mishandling or not securing their information. Additionally, there are heavy fines.
If you have experience with data breaches or any questions on the topic of the article, then leave a comment below. I will be happy to help with advice and answer your questions.
Dean Chester.