A recent data breach exposed the information of 500 million LinkedIn users, and the same number was affected by the Facebook leaks few weeks prior
Intensifying data breaches push companies towards strengthening network perimeters
Businesses ask for excessive customer data to provide services, but existing system vulnerabilities show that they frequently don’t live up to cybersecurity expectations. Companies shouldn’t leave customers out of the picture because carelessness with data increases the chances of identity theft.
The breach, which allegedly happened before August 2019 and was recently published, affected 533 million Facebook users in 106 countries — exposing their Facebook IDs, names, locations, birthdates, and email addresses. A day later, a LinkedIn user database showed up on the hacker’s forum, including similar information and victim workplaces.
Cybercriminals managed to obtain data using a method known as scraping. Exposing system vulnerabilities, they launched a bot to collect any data on the table. In Facebook’s case, they turned to a now-defunct feature that allowed users to find friends by phone number. It seems that the hackers also leveraged some previously-known LinkedIn data breaches to scrape personal information.
IBM estimates that the average cost of a customer’s Personal Identifiable Information (PII) is $175 per record. Given this, the overall value of Facebook and LinkedIn databases would be enormous. However, the price of each piece depends on the type of information and its usage.
For example, cybercriminals demanded a $42 million ransom from a New York law firm after seizing 750GB of personal details on top-tier clients, including Lady Gaga and Madonna.
Personal information accelerates social engineering
Hackers can use compromised emails for scams and phishing campaigns. The latter is the most prevalent initial attack vector, allowing criminals to get a foothold on the victim’s network. Contact information can also end up in grey-zone marketers’ hands, who use it in their email campaigns.
The more information hackers have about the victim, the harder it is to identify an attack and stay vigilant. Sometimes publicly available information on marital status, children, employment, and leisure activities can give victims the impression that fraudster’s claims are indeed legitimate.
Contact and personal information together with social security numbers are precious for tax-season scammers. They apply for false tax returns, stealing $27 billion every year, targeting both citizens and enterprises.
“Data is a digital asset: marketers use it to find their audience, developers adopt software products examining user patterns, and artificial intelligence ensures our lives remain convenient.
People start to understand that online data is still a part of their identity, and its compromise can impact everyday life. Thus lawmakers are trying to change the rules of the game, giving users more control over their PII online”, says Juta Gurinaviciute, the Chief Technology Officer at NordVPN Teams.
Regulators in Europe and the US are siding with users by implementing various data protection policies. Companies in the EU have to comply with General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) protects Californians on the other side of the Atlantic. Unfortunately, hackers can utilize those strict rulings to their advantage.
Regulations are not enough to ensure protection
Recently, a security researcher exploited GDPR laws to leak sensitive PII using the systems to protect it. Using the unauthenticated Data Subject Access Request (DSAR), a white-hat hacker successfully accessed records of 6,000 organizations using a specific off-the-shelf management program.
“Effective data protection is holistic, incorporating the user, the enterprise, and the legislator. People must be aware of the information they share online and how crooks can leverage this in social engineering attacks against them. However, enterprises shouldn’t be left out of the picture: is the data collected worth the risk of a breach?” asks Gurinaviciute.
Businesses should thus establish clear data collection guidelines and handle only the PII necessary for service delivery. Even then, they should ensure the strictest cybersecurity measures, ranging from encrypted VPN connections to ZTNA-based access control to software-defined perimeters (SDP).
One billion leaked Facebook and LinkedIn records may not have comprised top-secret data, but there are endless bits of valuable information ‘under the hood.’ If that got compromised, hackers could reconstruct victims’ itineraries from location data or discover their political beliefs. The highest cost of a data breach is reputational. Thus, companies must tirelessly strengthen their perimeter to protect their assets and ensure that customer PII is protected.
Hernaldo Turrillo is a writer and author specialised in innovation, AI, DLT, SMEs, trading, investing and new trends in technology and business. He has been working for ztudium group since 2017. He is the editor of openbusinesscouncil.org, tradersdna.com, hedgethink.com, and writes regularly for intelligenthq.com, socialmediacouncil.eu. Hernaldo was born in Spain and finally settled in London, United Kingdom, after a few years of personal growth. Hernaldo finished his Journalism bachelor degree in the University of Seville, Spain, and began working as reporter in the newspaper, Europa Sur, writing about Politics and Society. He also worked as community manager and marketing advisor in Los Barrios, Spain. Innovation, technology, politics and economy are his main interests, with special focus on new trends and ethical projects. He enjoys finding himself getting lost in words, explaining what he understands from the world and helping others. Besides a journalist, he is also a thinker and proactive in digital transformation strategies. Knowledge and ideas have no limits.