Why cybercriminals want your data

by PCI Booking | June 30, 2022

And what they want.

Cybercrime is a mega business with estimated revenues in 2019 of $1.5 trillion – cybercriminals making more than Walmart, Apple, and Amazon combined. Cybercriminals use stolen data to provide the building blocks for fraud and other cyber-attacks to drive the business of cybercrime.

Stolen personal data is as valuable to cybercriminals as financial data. Here is the type of data cybercriminals want and how to cut off their supply.

Data that cybercriminals love

Data breaches are so common that they are now normalized. In 2021, 22 billion data records were breached. This haul of information includes personal data such as name, email address, date of birth, Social Security Number, etc. According to a report from RiskBasedSecurity, the main types of data stolen included:

  • Name
  • Social security number
  • Address
  • Date of birth
  • Email
  • Financial

Hackers will often use bits and pieces of data collected from different sources to compile a comprehensive “picture” of a person; they may also validate and corroborate other data retrieved from various sources. Stolen data typically ends up on a dark web marketplace, sold to the broader hacker community. The Dark Web Price Index collates details on the amounts that data sells for on Dark Web marketplaces. Everything from credit card data to ID documents such as driver’s license details to email address dumps is available to purchase. These data are then used to further the fraud and cyber-attack efforts of cybercriminals the world over.

Five areas where data theft leads to fraud

Data feeds cybercriminal activity; here are five examples of how stolen data can propagate this activity:

Account takeover

An online account is a valuable resource for a cybercriminal. Online accounts can be hijacked and taken over if a cybercriminal has access to login credentials such as username and password. These data are often included in the stolen data from a data breach. Even if a hacker only has an email address, they can take over an account as many passwords are vulnerable to brute force. For example, the most used password is 123456.

Sim Swap

Sim Swap is a type of fraud where a cybercriminal takes over a mobile device and then uses it to perform extortion, data theft, or account takeover. Sim Swap fraud relies on social engineering and poor verification checks by mobile operators. Sim Swap needs personal data stolen either directly from a target or purchased from dark web marketplaces that can often include mobile phone numbers. Control of a phone number and a Sim Swap means a fraudster can intercept all the communications on the phone. This means that a fraudster can use the phone to obtain the SMS or generate the authentication app code used for two factor authentication (2FA) in order to log in to an account owned by the target.

Ransomware infection

In 2021, 71% of companies were affected by ransomware. Personal information, especially login credentials, is an important part of the attack chain that leads to ransomware infection. Stolen personal data is used on phishing emails to make them look legitimate and fool recipients into handing over login credentials. Hackers use these stolen login credentials to carry out the initial access needed to facilitate control over a network and install ransomware.

Business Email Compromise (BEC)

The FBI describes BEC scams as “one of the most financially damaging online crimes.” BEC fraud has multiple steps, but the fraudster needs information about a target to ensure the attack is successful. One of the first steps in the attack chain is to gather information about the target, which is often a high-ranking employee such as a CEO or CFO. The victim’s data can be stolen using several methods, but spear-phishing is typical. The spear-phishing messages are often difficult to tell from legitimate emails; personal data is used to configure them to look realistic. The point of the malicious email is to steal data, including login credentials, to take the BEC scam to the next stage. The result of a BEC scam is to trick the company into sending money to the fraudster. For example, Save the Children recently lost £800,000 during a BEC attack.

Identity theft and fraud

The UK’s National Fraud Database recorded an increase of 22% in identity theft in 2021. Digital identity is increasingly employed by digital government and online sites to check that they are dealing with a legitimate person. ID theft uses stolen personal data to carry out various fraudulent activities, such as insurance fraud, opening a bank account, applying for loans and credit cards, etc.

How to prevent data loss that leads to fraud

There are specific baseline security measures an organization should employ  to prevent data loss:

Data tokenization – this is a baseline standard for data protection. Data tokenization is widely used to protect financial data where sensitive data is replaced with a software token represented by unique symbols.

Security awareness training – this measure is used to educate users to spot the tell-tale signs of phishing. It is also a valuable way to help stop password sharing between employees and ensure that people are cognizant of the security behaviors that lead to data exposure.

Security patches – cybercriminals use vulnerabilities in software and firmware to move across the network, escalating privileges once they have an initial stolen credential. The hackers can then install malware such as ransomware.

Anti-phishing measures – solutions such as spam filters can help to prevent phishing emails from entering an employee’s inbox.

Data storage and access – storing the data in secure storage locations (whether in the cloud or in physical storage facilities) helps prevent hackers from gaining access to it. Limiting and properly controlling those with access to the data further limits the hackers’ ability to access the data. It also helps reduce the chance of an employee falling for a phishing scam.

Data cleanup – ensuring that only relevant and necessary data is stored is another simple step to reduce your threat. Unless there is a business or regulatory need to store unused data for longer periods, all data should be deleted as soon as it is no longer needed.

All the above measures work together to reduce the risk that data is stolen and used to commit fraud or a cyber-attack.

It's not only financial data that needs to be protected

Cybercriminals use a complicated chain of tactics and techniques to commit fraud or carry out a cyber-attack. The first link in this chain is to obtain personal data by direct theft or purchase from a dark website. Most organizations realize the importance of protecting financial data using robust methods such as data tokenization. But personal data is at risk alongside its financial counterpart. Any personally identifiable data should be considered sensitive and stored securely – not just payment information and health information. Also, regulations such as GDPR and its UK version UK GDPR expect this level of personal data protection.

Learn More About The Tokenization Solution

PCI Booking’s tokenization service provides the flexibility to store files or text strings in a highly secure environment; importantly, you can access it any time through our APIs and protect yourself and your customers from becoming targets of an attack.