We see and hear many articles in the media about data breaches and talk of millions of records being stolen by faceless cybercriminals. But once this data has been stolen and is in the hands of the individual or criminal organisation, what do they do with it? How do they make money from it, and why, as a small business, does this affect you?
An organisation’s data can be stolen in many ways, but it is most commonly taken either by a cybercriminal working interactively or by malware. “Cybercriminals” or “hackers” penetrate a company’s network, whether by quietly evading detection or by brute force, and exfiltrate the data manually.
Malicious software, known as malware, can be programmed to penetrate systems and exfiltrate data to a server controlled by the cybercriminal, who then collects it from there. Malware can be spread in many ways, but most commonly by unsuspecting employees being duped into downloading it through a process known as “phishing.”
Phishing is the practice of a hacker attempting to fool an unsuspecting user into clicking a malicious link or opening an infected file by means of social engineering. The hacker sends an email to an employee purporting to be from a legitimate business, with an offer available via “the link below” or in “the attachment.” The unsuspecting employee clicks the link or opens the attachment, which then installs or activates malware or ransomware.
Once the data is stolen
So what happens to this data once stolen? The cybercriminal will either a) exploit the data for profit themselves, or b) sell the data on the dark web to someone who will then in turn, exploit the data for profit.
The dark web, as the name suggests, is the dark side of the internet – a series of encrypted overlay networks hidden from ordinary browsers and search engines that can only be accessed via special software.
Users can surf the dark web with anonymity, meaning the buying and selling of illegally obtained data can take place.
So how does the cash flow?
So how do those in possession of stolen data make a profit? That depends on the type of information stolen. Once obtained, cybercriminals will often sort it into various categories, which are then more attractive to buyers.
Personally Identifiable Information (PII)
PII is defined as any information that can be used to identify a person, such as their name, address, email address or date of birth. The Court of Justice of the European Union ruled in 2016 that even a dynamic IP address can be personal data, and so subject to EU data protection law.
This type of data can be leveraged by cybercriminals in many different ways. Using personal details, cybercriminals can run spam and nuisance marketing campaigns or commit a variety of frauds. Phone scams (vishing) are also common, ranging from a caller asking for remote access to your computer to “fix a virus”, to simply tricking you into ringing back a premium-rate number.
Data of a sensitive personal nature can also be used for blackmail or extortion, as in the Ashley Madison hack, where users of a website that facilitated adultery received demands for payment to prevent their details being made public.
Below is a breakdown of how this information can be used.
Names & address
- Apply for loans/credit cards
- File fraudulent tax returns
- Transfer money illegally
- Gain access to online accounts
- Send spam or unwanted marketing mails
- Target with phishing attacks to hit with Ransomware or gain access to company/personal devices
- Phone scams
- Nuisance marketing
Many small businesses hold this type of information on their systems – consider your newsletter mailing list, or customer contact details stored on your company machines. This information should be appropriately secured.
User credentials
User credentials are the information that is used to verify a user’s identity. This can include passwords, or any other information used to log in to an online account.
Once a cybercriminal has this information, it is very easy to begin profiting from it. Many people reuse passwords across accounts, so if the criminal has the password to your email account they can often log straight into your Amazon or eBay account as well, and fraudulently purchase goods or change the delivery address.
Couple that with stored credit card information on an account and the cybercriminal has full access to your funds.
As a small business, you need to consider how you manage, store and handle your passwords. Ensure your organisation does not reuse passwords, never send passwords to external parties, and change any password as soon as you suspect it has been exposed.
Payment Card Information
If a cybercriminal has access to payment card information, this is one of the quickest ways they can profit by being able to fraudulently purchase goods. Fraudsters will often use the credit cards to purchase pre-paid cards or gift cards for sites like Amazon to help mask their trail.
Credit card numbers can be stolen by keylogging software: malware that records the keystrokes a user types over a period of time, so that when the user enters a credit card number into the device, the number is captured.
However, more commonly, numbers are stolen simply by people recording, communicating or storing them in an insecure manner.
No organisation should store customers’ credit card information at rest in an unencrypted format; a plain-text store of card numbers is an immediate target for cybercriminals, and the card security code (CVV) must never be stored after authorisation at all. When the number is in use and has to be decrypted, it is imperative that the handling of this information is done in a safe and secure manner.
It’s highly recommended to apply an Information Security Policy across your organisation to set out clear rules and boundaries for staff with access to this sensitive data (see more below).
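The “stored in an insecure manner” problem above is one you can check for yourself. The following Python script, added here as an illustration and not part of the original article, scans free text for runs of digits that pass the Luhn check every payment card number must satisfy, and masks the ones it finds so a file can be redacted before it is stored. The call-log text is a constructed sample, its card numbers are the well-known test numbers rather than real accounts, and the regular expression, the masking format and the function names are this example’s own choices.

```python
"""Find payment card numbers stored in plain text, and mask them.

Added example, not from the original article. The call-log text is a
constructed sample; its card numbers are the well-known test PANs
4111 1111 1111 1111 and 5500 0000 0000 0004, not real accounts.
"""
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test
    (ISO/IEC 7812), which every card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the distinct Luhn-valid card numbers in text, digits only."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual display form for a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form;
    digit runs that fail Luhn (order numbers, ticket refs) are left alone."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample: the kind of note a customer-service team might keep.
SAMPLE_NOTES = """\
Customer call log
Mrs Jones called re order 10423, card 4111 1111 1111 1111 exp 09/27
Phone ext 5550123456 - no change
Refund to 5500-0000-0000-0004 processed
Ticket ref 1234567890123 (not a card: fails Luhn)
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_NOTES):
        print("found card number ending", pan[-4:])
    print(redact_pans(SAMPLE_NOTES))
```

Run it over an export of shared drives, ticket systems or mailboxes and any hit is a card number that should not be there. The Luhn check is what keeps the scanner from flagging every long order or phone number, though a 13-to-19-digit non-card number will still pass roughly one time in ten, so treat hits as leads to confirm rather than proof.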
Other background Information
Other less obvious information can be used to increase the chances of successfully profiting from a hack. Information about an individual’s employment, educational background and even their medical history can be used to increase the chances of a successful exploitation.
For example, if a cybercriminal gains an individual’s email address and then combines that with information about their workplace, they can then compose a more credible phishing email that is more likely to be believed by the recipient.
Consider the following emails:
Figure 1 Email with no information on recipient
Figure 2 Email with information obtained on recipient
The two emails contain the same malicious link, but the one in Figure 2 includes much more personal information. It is far more likely to trick the recipient into clicking the link because, at first glance, it appears to come from the recipient’s boss.
Because the cybercriminal had the recipient’s work details, company and boss’s name, they had what they needed to compose a much more credible email and increase their chances of a successful phish.
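The difference between the Figure 1 and Figure 2 style of email is also something mail filtering can pick up. The Python script below is an added example, not the article’s own code: it parses two constructed messages (a generic lure and a “from your boss” lure) and reports the indicators a practitioner would check for: a known insider’s display name on an address that is not theirs, a sender domain that merely resembles the company’s, a Reply-To that routes replies elsewhere, and links whose host is outside the company domain. The company domain example.com, the staff directory, the names, addresses and lookalike domains are all invented for illustration, and the Reply-To and link checks go slightly beyond what the figures discuss.

```python
"""Indicators that separate a 'Figure 2' boss-impersonation mail from
a plain 'Figure 1' lure.

Added example, not the article's own code. COMPANY_DOMAIN, the staff
directory, both messages and every address in them are constructed.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumed internal domain
# Insiders an attacker would impersonate -> their real address.
# A real deployment would take this from the staff directory.
PROTECTED_NAMES = {"jane smith": "jane.smith@example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, target: str, threshold: float = 0.8) -> bool:
    """True when domain is not target but closely resembles it (examp1e.com)."""
    if domain == target:
        return False
    return difflib.SequenceMatcher(None, domain, target).ratio() >= threshold


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a message, decoded."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phish_indicators(raw_message: str) -> list:
    """Return the indicator strings found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    indicators = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. A known insider's display name on an address that is not theirs.
    expected = PROTECTED_NAMES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append(f"display-name spoof: '{from_name}' <{from_addr}>")

    # 2. A sender domain that resembles, but is not, the company domain.
    if from_dom and lookalike(from_dom, COMPANY_DOMAIN):
        indicators.append(f"lookalike domain: {from_dom}")

    # 3. Replies silently routed to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != from_dom:
        indicators.append(f"reply-to mismatch: {reply_addr}")

    # 4. Links whose host is outside the company domain. Note the subdomain
    #    trick: example.com.invoices-portal.example is not example.com.
    for url in URL_RE.findall(_body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            indicators.append(f"external link: {host}")
    return indicators


# Constructed message in the style of Figure 1: nothing known about the target.
GENERIC = """\
From: Rewards Team <offers@prizes-mail.example>
To: sam.lee@example.com
Subject: You have won!
Content-Type: text/plain; charset=utf-8

Claim your prize: http://prizes-mail.example/claim
"""

# Constructed message in the style of Figure 2: the target's name, company
# and boss are known, and the sender domain swaps an l for a 1.
SPEAR = """\
From: Jane Smith <jane.smith@examp1e.com>
Reply-To: jane.smith@outlook-mail.example
To: Sam Lee <sam.lee@example.com>
Subject: Acme invoice - needs paying today
Content-Type: text/plain; charset=utf-8

Hi Sam,

I'm stuck in the board meeting and can't call. Please approve the invoice
at http://example.com.invoices-portal.example/login before 5pm.

Thanks,
Jane Smith
Managing Director, Example Ltd
"""

if __name__ == "__main__":
    for label, raw in (("generic", GENERIC), ("spear", SPEAR)):
        print(label, phish_indicators(raw))
```

The generic lure trips only the external-link check, while the targeted one trips all four, which is why the display-name and lookalike-domain checks are worth having alongside link filtering: they are what make the “from your boss” variant visible to a machine as well as to a suspicious reader.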
Putting this into practice:
Below is an example of how this process can work in practice:
- Cybercriminals hack a social media platform and get a bulk list of email addresses
- They send phishing emails to that bulk list
- A certain percentage will click the malicious link
- The consequences vary, but in this example the link installs malware that copies files off the user’s device
- A search by the skilled cybercriminal reveals a document where a password for an online account was recorded
- The user reuses this password for their email address and online shopping accounts. The cybercriminal now has access to both
- On one of the accounts, the user has their credit card information stored to checkout easier
- The cybercriminal purchases goods via the account
- As they have access to the user’s email address, they can delete any security warnings or emails that come in
- The cybercriminal searches the email account for any further PII or financial information that can be leveraged.
As you can see, the processes whereby criminals can profit from stolen information are plentiful and lucrative. As a small business, you need to consider the information you hold on your customers and employees and how you manage your own data, in order to stay secure.
Our blog “The evolution of the cybercriminal means small businesses need to adapt” covers the value of data and the importance of protecting your information as a small business.
Some important first steps you can take as a small business are as follows:
Map and understand your data
Understanding what information you hold and store is an important first step as a small business to protecting it.
As part of a data protection/GDPR exercise, make an inventory of your information that includes:
- What type of personal data (name, address) you hold
- Where you are holding it (in a database)
- The source of the information (the individual themselves)
- The legal basis for processing it (individual’s consent, performance of a contract)
- How long you intend to hold it (1 year)
- Finally, how you are protecting it (encryption).
It’s also a good idea to categorise what data you have and apply safeguards to each category (for example, secret data is encrypted and stored offline). Ask yourself: do we need it? If you don’t need it, don’t store it; delete it and reduce your risk.
Apply an Information Security (IS) Policy
Introducing an IS policy is a great first step to protecting your and your customers’ data. The policy should detail how you process, store and transmit data and set rules for the handling of sensitive data. It should be circulated throughout your organisation, signed by all staff who access the data and made available at all times.
Awareness and education
Ensuring you and your staff are aware of the common risks and threats is a major step towards protecting your organisation.
Establish other policies such as acceptable use including the use of personal mobile phones, use of email, and on the use of work computers for personal internet browsing to limit risks.
Provide training on how to recognise phishing emails and scams.
Your staff are often your first line of defence against scams, phishing, ransomware and malicious websites. Raising their cyber security awareness is one of the most effective ways to prevent data loss and cyber-attacks against your business.
Incident response plan
An incident response plan (IRP) should be in place to help your business react quickly in the event of a data breach and minimise the potentially damaging impact. An IRP provides detailed instructions on how to react to a range of incident scenarios such as data breaches, ransomware, denial of service attacks, virus outbreaks, etc.
Your IRP should consider those incidents that could impact your valuable data and hinder your ability to operate your business. Planning ahead will help your organisation respond and recover as quickly and as safely as possible.
There are many ways in which you can protect your business from a data breach, these are just some measures.
Our paper “It’s time for small businesses to take cybersecurity seriously” covers the subject of data loss and the threats posed to small businesses in more detail.
In this paper, we outline why small businesses need to consider themselves a potential victim, why you need to take data loss seriously – whatever the data – and why common malware symptoms such as system downtime and intermittent device crashes should be treated as warning signs of a real threat.
If you are a merchant that requires technical or PCI DSS help, please click here