Face it… Cyber-attacks are happening and no one is absolutely safe from them. With more and more online transactions (commercial or not), cyber attackers are trying their best to hack into databases everywhere and retrieve the personal data of unsuspecting people. The recent cyber attacks that happened locally in Singapore (SingHealth and Securities Investors Association Singapore) reiterate the point that cyber attacks can happen to anyone and at any time.
After talking to many people in casual and professional conversations following the recent attacks, it struck me that many are reacting nonchalantly and are pretty oblivious to how bad having your data stolen is.
“I am a nobody and having my data makes no difference”, “There are no credit card records, so no worries”, “I think the attackers are not targeting me, I am just bycatch that would be thrown back to the sea.” … These are the responses that I usually got when the topic of the recent cyber attacks was brought up during conversations. No matter how insignificant you may think you are, the truth is that everybody is definitely affected. Let’s explore the “Stolen Data Lifecycle” and see how your insignificant data could be easily misused by data thieves.
1. Just after data thieves steal a load of data, they first create an inventory of the loot: a list of victims and the corresponding information for each name. This may roughly look like a spreadsheet with columns such as “Name”, “Authentication Credentials”, “Contact Details”, “Credit Card Details”, etc. Depending on the source of the data, many other details such as medical history (as in the recent SingHealth case), places frequented, income, grocery shopping habits, preferred brands, frequency of purchasing products or services, etc., would be good attributes to enhance the value of the stolen data.
2. With the data now consolidated and sorted, the hackers then offer these databases for sale to prospects. For example, the medical records of the victims could be sold to manufacturers of medical supplies to help analyse the needs, demands, and trends of various medical supplies. Or the shopping habits of a demographic could help retailers enhance their marketing effort by tailoring it to the behaviour of the targeted users. Here, your insignificant information actually contributes to the value of the data that is sold. Purely because of the mass of data that was stolen, this information would be used to make decisions whose impact is probably felt not today but sometime in the near or far future.
Legitimate organisations may even purchase such data to complement their market studies, and the effects of getting such data could include pricing decisions, production volume planning, marketing plans, and the list goes on.
3. The bonus that hackers look out for is essentially information that can be monetised, and likely monetised further by exploiting the stolen data. Authentication credentials could be used as a gateway to further enhance the data, or to allow the attacker to go deeper and even exploit people surrounding the victim via the various scams that happen every day. Credit card details are also a great bonus for hackers, as they would easily clone the cards and use them for unauthorised transactions, knowing that many users only notice the discrepancies when their bills arrive on a monthly basis. By then it is often too late, as the products purchased using the stolen cards are long gone.
4. By now the stolen data would have been monetised and sold to interested buyers, but that does not mean that the data is purged and thrown away. It could still be kept and merged with data that was stolen earlier or later, and made relevant again through creative sorting and tailoring to suit industry-specific buyers.
The dark web is no urban myth and such transactions happen 24/7. Even if you don’t feel the impact soon after an attack, it may surface to haunt you just when you thought that the worst was over. So, with this simple and non-exhaustive write-up, I hope to make you more aware of the effects of such data breaches, no matter how insignificant you think you are. Simple measures you can take whenever a data breach is reported at an organisation you have an account with include changing your password immediately or changing your registered email address to an alternative one. Your data getting stolen is often beyond your control, but you have to react quickly and appropriately to minimise the damage that can potentially harm you.