Snap out of it: despite reports of cyber fatigue, there’s no such thing as “only data” 

There’s a new term arising in discussions around cybersecurity that should be of concern to everyone: data breach fatigue.

And sure, it’s easy for the average person to look at the numerous stories arising on a daily basis and resort to the posture of “well, breaches are inevitable so why bother?” but this could be very dangerous.

There are so many stories about breaches … or risks of breaches … or how to prevent breaches … or the need to report breaches that we stop seeing them. We have forgotten about the importance of the data, why it is being stolen and how it could be used. And we need to remind ourselves not only just how valuable our data is, but how easily it can be used for criminal purposes.

Take our phone services – no doubt everyone reading this article will have at some point called up their Telco seeking technical support or inquiring about a bill. To verify yourself to the operator, you need to provide your name, address, date of birth and/or email address, or some combination of these. From there, you can usually change your billing address, email, password and have all of the data sent to your new address from then on.

There are no biometric checks or two-factor support when dealing with the Telco over the phone; if you sound like the gender you say you are and provide those details, you’re in. Put this information in the wrong hands, and the criminal can access your phone records, your billing details, your address and any number of other personally identifiable details. From there, that criminal can use this utility bill as evidence of place of residence to sign up for several services with which they can carry on the process of assuming someone else’s identity.

This data is what often becomes available in a breach, yet the organisation involved will regularly report “no financial data was stolen” as if that’s the only data of importance. But health data is worth more than financial data on the black market and the average cyber-criminal today does not need much data at all to do some real harm.

There were reports earlier this year of a scam in which people were being blackmailed via email with the subject line simply a password that they either once had or perhaps continue to use.

The hackers claimed that they’d inserted malware on the recipient’s system and they’d been recording their online habits using a remote desktop client to film from the victim’s webcam as well as by tracking their key strokes. It asked for a bitcoin payment to the tune of several thousand dollars and the victim had a day to pay or a video of their online habits would be shared to the address book and social media accounts of the victim’s friends and colleagues.

The email did not identify the reader in any way, nor did it provide any evidence of its accusations. All the criminals possessed were the email addresses and a password once used by the victim.

That’s it. But it was enough for some people fearing harm to their reputation to pay the bounty to have the incriminating video deleted forever. The victims saw their old/current password in the subject line, and panicked.

But no videos existed. It was a scam. The scammers sent out thousands of these emails en masse on the off chance of reaping a windfall from a panic payment – and they scored big. According to one report, the criminals in this case amassed a $250,000 windfall from just 150 people. And they likely obtained these passwords from major database breaches in the past five years involving LinkedIn, Yahoo, and eBay, to cite three examples.
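A defender-side illustration of the pattern just described, added here and not part of the original article: a mail-filter scoring rule that flags an inbound message whose subject line is a single token matching the hash of a password previously reported breached for that recipient, with extortion vocabulary and a payment address as supporting signals (the mailbox, password and message text are all constructed).

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample data: SHA-256 hashes of passwords that earlier breach
# notifications tied to this mailbox. Only hashes are stored, never passwords.
KNOWN_BREACHED = {
    "alice@example.com": {hashlib.sha256(b"Summer2014!").hexdigest()},
}
# Legacy (1.../3...) and bech32 (bc1...) bitcoin address shapes.
BITCOIN_ADDR = re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
EXTORTION_TERMS = ("webcam", "video", "bitcoin", "address book", "contacts", "hours")

@dataclass
class Verdict:
    recipient: str
    score: int = 0
    reasons: list = field(default_factory=list)

def score_message(recipient: str, subject: str, body: str) -> Verdict:
    v = Verdict(recipient)
    subj = subject.strip()
    # Hallmark from the article: the subject is a single token and it is one of
    # the recipient's previously breached passwords.
    if subj and " " not in subj:
        digest = hashlib.sha256(subj.encode()).hexdigest()
        if digest in KNOWN_BREACHED.get(recipient, set()):
            v.score += 60
            v.reasons.append("subject matches a known-breached password for recipient")
    lower = body.lower()
    hits = [t for t in EXTORTION_TERMS if t in lower]
    if len(hits) >= 3:
        v.score += 25
        v.reasons.append("extortion vocabulary: " + ", ".join(hits))
    if BITCOIN_ADDR.search(body):
        v.score += 15
        v.reasons.append("bitcoin payment address present")
    return v

def is_sextortion(v: Verdict, threshold: int = 60) -> bool:
    return v.score >= threshold

# Constructed sample message in the shape the article describes.
SAMPLE_BODY = (
    "I put malware on your computer and recorded you through your webcam. "
    "Pay 0.5 bitcoin to bc1qconstructedsampleaddressxxxxxxxxxx within 24 hours "
    "or the video goes to everyone in your address book."
)
```

The body signals alone stay below the threshold; it is the breached-password subject that tips the verdict, so a user-facing warning can explain exactly why the message is a scam.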

Sure, there needs to be some personal responsibility for potential victims to educate themselves and better see a scam coming. But a lot of damage can be done by obtaining two bits of fairly innocuous data, and it isn’t the victims losing that data; it’s the people entrusted to protect it.

So when you read reports of major breaches and they say “emails and passwords were stolen, but not financial records” that doesn’t lessen the blow. Or at least it shouldn’t.

Now, given the prevalence of breaches these days and how easy it is for people to access systems using basic data, or blackmail people using nothing but an old password, is it unreasonable to assume that criminals can do much more damage when they have, say, details which can provide domain access to an organisation’s network?

Yes, breaches are inevitable. And yes, the stories are numerous. But they’re numerous because they’re important, and we need to wake up, listen and take note of these breaches when they happen.

The majority of us won’t change our primary personal email our whole lives, nor will we change our phone numbers. We cannot change our date of birth and we rarely change our passwords unless there is a breach… and then we get tired of hearing the same stories every day so we stop that too.

But we need to re-educate ourselves on how easily data can be used to cause financial or reputational harm to ourselves, our families or our businesses. There is no such thing as an unimportant piece of data when it can be used to identify us, and we need to take steps to protect ourselves from having it stolen.

Organisations need to improve their systems and ensure their customers are as protected as possible. They need to educate their employees about how breaches occur and what they can do to mitigate threats. And in the event of a breach, they need an incident response which investigates what was stolen and how, and they need to disclose whatever information they can in a timely manner so their customers and stakeholders can make an informed decision about what to do next.

Data-breach fatigue may be on the rise, but we need to wake up from this slumber.

Cameron Wells

Senior Consultant