If you feel as if there’s a new data breach in the news every day, it’s not just you. Breaches announced recently at Capital One, MoviePass, StockX, and others have exposed a variety of personal data across more than 100 million consumers. This has spurred lawsuits and generated thousands of headlines.
Other companies compromised this year include Citrix, which lost 6TB of sensitive data, First American Financial, (885 million records exposed), and Facebook (540 million records exposed). The attack vector or leaked data might vary, but these breaches all have one thing in common: the information exposed provides raw materials that fuel a complex cybercriminal ecosystem, and these headlines are just the tip of the iceberg.
Most victims don’t know how cybercriminals use their stolen data. One way to understand this is to consider the epidemic of copper theft that hit the country following the mortgage crisis. As buildings were left abandoned, thieves stole copper wiring and piping. The copper could then be sold for $3 a pound to buyers willing to not ask questions about where it came from. It’s a similar story with data, where the breach itself is rarely the end goal of cybercriminals but simply provides a means to obtain money through a multistage scheme. And unlike copper, the same data can be stolen, sold, and used, many times.
Copper thieves use crowbars and wrenches. Cybercriminals use programs that exploit software vulnerabilities and automatically test millions of passwords to opportunistically take over online accounts. Copper thieves find industrial middlemen to sell their wares, while cybercriminals find underground marketplaces to connect with other criminals who specialize in using stolen data in different ways. Addresses and birth dates are used in identity fraud, such as applying for loans. Stolen credit cards can be used to make fraudulent purchases, and stolen passwords are keys to other accounts which, once compromised, let criminals empty bank accounts or turn gift cards into cash.
Cutting Off the Supply
Curbing the trade of stolen copper is easier than cutting off the supply of stolen data. With copper, law enforcement goes after the resellers, fining them when stolen materials are found in their possession. For data, the mitigation options vary considerably depending on the type of information that is exposed.
With stolen credit cards, the damage can actually be somewhat contained. Increased EMV (chip-based) adoption and improved fraud detection help limit the impact of any given breach of credit card data.
Personal data being in the wrong hands is harder to mitigate. You can’t change your birth date. Your physical address is often publicly available information, accessible to cybercriminals with no data breach required. The fact that these data types, as well as “security questions” like mother’s maiden name, are still commonly relied on for authentication purposes reveals a systemic problem that must be addressed.
Credential theft (e.g., stolen email addresses and passwords) is the most pernicious and least understood type of breach. Most people have lost track of all of the different places where they have reused passwords. You can’t blame them: The average user has more than 100 accounts with various websites, apps, and services that they have created over time. This means that cybercriminals using automated fraud tools in credential stuffing attacks have a reliable rate of success when they try passwords from one site against another, often around 2%. With only 1 million stolen passwords from any one website, a criminal can quickly take over tens of thousands of accounts on a completely unrelated website and repeat this on other sites to ultimately breach more accounts than the original breach.
Protecting the Data
Governments are trying to address these problems. The EU’s General Data Protection Regulation prohibits some insecure data storage practices. The California Consumer Privacy Act grants consumers more control and insight into how their personal information is used online. The Digital Identity Guidelines from the US National Institute of Standards and Technology recommend that companies check passwords against lists of known stolen passwords. The US Federal Trade Commission settled its complaint against a company last year for having inadequate protection against credential stuffing, which led to compromised customer accounts. These efforts will all help over time.
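The NIST recommendation above, checking a chosen password against known stolen passwords, can be done without the checking service ever receiving the password or even its full hash. The added example below (not from the original article) uses the prefix-lookup design that public breached-password services use: the client hashes locally, sends only the first five hex characters of the SHA-1 hash, and compares the returned suffixes itself. The breach list and the `range_lookup` server function are constructed stand-ins.

```python
import hashlib

# Constructed stand-in for a list of known stolen passwords. A real deployment
# loads the SHA-1 hashes of a breach corpus (hundreds of millions of entries).
_BREACHED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "iloveyou", "summer2019"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Server side: bucket breached hashes by their first 5 hex characters, so a
# lookup reveals only a prefix shared by many hashes, never the full hash.
BREACHED_INDEX = {}
for _pw in _BREACHED_PLAINTEXT:
    _h = sha1_hex(_pw)
    BREACHED_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix):
    """Server endpoint (hypothetical): return every stored suffix for a 5-char hash prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be 5 hex characters")
    return BREACHED_INDEX.get(prefix.upper(), set())

def is_breached(password):
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])

def evaluate_password(password, min_len=8):
    """Policy check in the spirit of NIST SP 800-63B: a length floor plus a breach-list screen."""
    if len(password) < min_len:
        return False, "too short"
    if is_breached(password):
        return False, "appears in known breach data"
    return True, "ok"
```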
The complexity of our online lives poses many challenges, and the global situation may get worse before it gets better. As long as there’s a market for copper or data, there will be criminals trying to steal them. But by improving corporate security standards, defending against the use of exposed information, and adopting better security practices, we can make it much harder for cybercriminals to turn stolen data into gold.
Shuman Ghosemajumder is CTO at Shape Security, which operates a global defense platform to protect web and mobile applications against sophisticated cybercriminal attacks. Shape is the primary application defense for the world’s largest banks, airlines, retailers, and …