Sage Advice - Cybersecurity Blog

Why Your Personal Data is Valuable – and How to Protect It

why-your-personal-data-is-valuable

Looking back at recent data breaches, it’s interesting to note that the largest breaches didn’t involve stolen credit card or social security numbers. Instead a myriad of personal information is being stolen in massive quantities. Why this shift? It’s just more valuable!

Let’s look at some of the recent breaches that have exposed an astounding amount of personal data. Then we’ll discuss why this type of information is becoming so valuable, and share some steps you can take to protect your information.

Recent Breaches Targeting Personal Data

Facebook

Anyone with a Facebook account knows how much personal data that’s available – birthdays, contact info, interests, education, hometown, and many other details – all that we willingly provide. In some cases users are executing financial transactions via Facebook, too, so personal financial data may be involved.

In September of 2018, Facebook announced that data was being stolen as a result of a zero-day exploit using their “View As” feature. This feature allowed a user to view their profile as another person would by creating a non-encrypted identifier. If somebody compromised your machine, they were able to take that identifier, which gave them access to not only all of your data, but also the data of anyone connected to your account.

It was reported that 15 million accounts had names, email addresses, and phone numbers stolen. Plus, 14 million accounts also had dates of birth, genders, devices they logged into, language preferences, and searches stolen. With that information, one could infer information on relationships, hometown, high school, current location, work info, and travel info. The feature has since been disabled.

Cambridge Analytica

Cambridge Analytica is a political consulting firm that exploited personal Facebook information for 87 million users – reportedly in a manner violating Facebook’s policies. By combining the data from multiple sources, they were able to obtain over 5000 data points on about 230 million American voters. Allowing them to build psychographic profiles for each individual.

The information was obtained through an app called ‘This is your Digital Life,’ a personality quiz created by a professor at the University of Cambridge. Users voluntarily used their Facebook accounts and granted access to their information and the information of their friends. This information was then sent to Cambridge Analytica without user consent.

Quora

Quora is a Q&A website that reported in December 2018 that the account information and private messages of 100 million users had been exposed. This came as a surprise to many people who didn’t even realize they were members. This is because you had the option to login using your Google or Facebook credentials. The cause and culprit of the breach remains unknown.

According to an article in Forbes, a wealth of user data was comprised. “This includes names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content (including drafts) such as questions, answers, comments, blog posts and upvotes. Oh, and data that has been imported from linked networks such as contacts, demographic information, interests and (now invalidated) access tokens.”

Marriott / Starwood

In 2016, Marriott hotels purchased Starwood brand hotels, which include St. Regis, Westin, Sheraton, and W hotels. In November 2018, they discovered unauthorized access had been happening on that network since early 2014. They found evidence that data was copied and encrypted, then exfiltration was attempted. 

This breach potentially exposed 500 million users – that’s the 2nd largest breach of all time (behind Yahoo in 2017 which exposed 3 billion users). Exposed information included, names, phone numbers, email addresses, passport numbers, date of birth, and arrival / departure information.

How Personal Data Provides Value

Business Email Compromise

Business email compromise (BEC) is a common exploit where cybercriminals use social engineering techniques to trick the recipient into wiring large sums of money to their bank account. The attacker either gains control of someone’s email account and spoofs their identity or they create an account with an email address that is very similar to one on the corporate network.

The more personal information the criminal can learn about both the person they are impersonating as well as the person they are targeting, the more believable they can make the email communication.

BEC attacks have seen an explosive 476% growth in 2018 compared to 2017, according to Proofpoint’s Quarterly Threat Report for Q4 2018. And according to a July 2018 report from the Federal Bureau of Investigation, “The BEC scam continues to grow and evolve, targeting small, medium, and large business and personal transactions.” At the time the report was published, more than $12 billion had been lost in this type of attack.

Targeted Advertising

When a service is free, like Facebook, it’s important to remember that you’re the product. That how they make money. Today’s advertisers are able to collect data, including purchase and browsing history to serve up ads specifically targeted to you. And while this may be annoying, it’s not illegal.

What’s scary are the organizations that have the ability to analyze and correlate hundreds of data points and can start making assumptions about those individuals. They can predict who the person is and what they will do based on a certain given set of circumstances. And then serve them targeted ads based on the profile they create. 

There are organizations out there willing to pay a great deal – or use covert methods – to gain this personal data that they can use to influence everything from what you buy to how you vote, and where you go to what you do.

Tips to Protect your Personal Information

Situational Awareness & Mindful Use

It’s important to be aware of the risks posed by sharing your personal information. Be sure to read the fine print and the terms and conditions on any site or application where you are sharing your personal information. Be sure you know how your information is being stored and used.

Build mindful habits when using all internet-connected resources. Mindfulness, in this case, simply means paying attention to each step along the path to achieve a goal. Mouse-over to see where the link will take you, before clicking. Pay attention to the URL of a website you’re landing on, read email carefully to see if it makes sense, or if there are grammatical errors that are clues to deception.

Good Password Hygiene

Passwords are our number one personal defense; however, we don’t always pick great ones. Here are a few tips:

  • They should be long, strong, and complex: For example, Four unrelated words or a converted phrase, at least 15 characters long using upper & lowercase letters, numbers, and special characters
  • Avoid “ambiguous characters”, e.g., Pa$$word
  • Avoid names, patterns, sequences
  • Don’t use the same password at multiple sites where protected and / or sensitive information is exchanged
  • Consider using a password manager

Two-Factor Authentication

Two-factor authentication can provide you with an extra layer of security because it requires at least two things to access an account:

  1. Something you know – for example, a password
  2. Something you have – for example, an authentication code texted to your phone
  3. Something you are – for example, a fingerprint

Always use two-factor authentication when available. You can check out https://twofactorauth.org/ to find out which of your accounts offer it.

Threat-Hunting-Guide-CTA-LI

Topics: Threat Intelligence, Risk Management, Privacy


The Sage Cybersecurity Lifecycle

The Sage Data Security Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More