Stolen Data Stockpiled for Future Attacks Beyond E-Commerce Fraud

Stockpiled stolen data can be used to profile and track targets with more dangerous attacks.

Pam Baker

March 19, 2019

5 Min Read
Binary Data
Shutterstock

A report by e-commerce fraud prevention company Forter found that while online fraud attacks spiked across industries, the scale doesn’t match the amount of data stolen in breaches last year. The researchers surmise that “compromised data is being stockpiled to use in future attacks.”

“The air -ravel industry surprisingly saw fraud attack rates decrease 29 percent between the fourth quarter of 2017 and the fourth quarter of 2018, indicating that data from the 2018 breaches in the sector hasn’t yet been used to scam merchants and customers,” the researchers said.

But who is to say that the stolen data is being stockpiled solely for merchant and consumer scam attacks? Data has many uses on the dark side. While scamming merchants and customers tends to be profitable, it’s also the low-hanging fruit for aspiring criminal minds. There are, as it’s said, bigger fish to fry, more ways than one to skin a cat, and loads of bounty to be mined from large data stores.

Accordingly, MSSPs should think bigger in providing cybersecurity services for their customers. For starters, think in terms of expanding the security focus to include potential attacks on new, yet foreseeable and unique vulnerabilities unfolding over time.

Take for example the very likely possibility that data from multiple data breaches can be used to build more complete profiles of targets, making more sophisticated attacks more subtle and nuanced, but also infinitely more dangerous.

One example of such a possibility stems from the 2015 Office of Personnel Management (OPM) data breach wherein 5.6 million fingerprints of former and current government employees were stolen. Certainly, those fingerprints could be used to circumvent biometric security systems, and that’s a possibility MSSPs should consider for decades to come. After all, people commonly change jobs, but their fingerprints remain the same. Fingerprints can be used to access sensitive data, devices and facilities.

But fingerprints are not the only stolen data that hackers collected through breaches. There are other threats that stockpiled stolen data poses. Several federal databases were breached, including at the Veterans Administration (VA), the White House, the State Department, the U.S. Postal Service (USPS), and the Government Publishing Office (formerly the Government Printing Office). Combined with data taken from the private sector, criminals and nation states can create highly detailed profiles of individuals and use that information against them.

“American businesses who want their employees to obtain visas for business in China may find that, for reasons that are not articulated, certain employees may be denied a Chinese visa,” Joe D. Whitley, the first General Counsel of the Department of Homeland Security, former Acting Associate Attorney General for the Department of Justice, and chairman of Baker Donelson’s Government Enforcement and Investigations Group, told InformationWeek.

“United States citizens abroad in China may find that their Chinese counterparts are very literate about their past government affiliations,” he added. “We are traveling into some unknown territory with a data breach as massive as the OPM breach, so we will be living with an unfolding challenge to our national security for many years to come.”

Even if an organization’s employees were not formerly employed by the U.S. government, their data may still have been harvested in federal agency data breaches if they did other things such as apply for a security clearance or a job, or get health care from the VA. Conversely, their info may have been harvested from …

… any of the many private-sector breaches.

Beyond nuanced problems like the Chinese visa and biometric breach scenarios, data can be manipulated to create many different types of real-world harm beyond scamming for money.

Reiber-Jonathan_Illumio.jpg

Illumio’s Jonathan Reiber

“Given the lack of financial incentive, coupled with the opportunity to cause widespread disruption or panic, nation states and terrorist groups are the most likely actors in data manipulation attacks. That’s why the military and intelligence services take them so seriously,” Jonathan Reiber, head of cybersecurity strategy at Illumio, and former Pentagon chief strategy officer for cyberpolicy, told MSSP Insider.

This means, among other things, that the threats to the private sector charged with managing infrastructure are steadily becoming more serious.

Unfortunately, while MSSPs and other cybersecurity pros contemplate all the implications in stolen data use, the current problems of fraud and thievery persist. Further, they’re likely to always exist. After all, most stolen data is reusable — even over large swaths of time.

The Forter report found that fraud rings, a group of bad actors who band together to commit fraud, have grown 26 percent this year. Account takeovers increased 45 percent between the beginning of 2017 and the end of 2018. The industry that saw the highest amount of e-commerce fraud last year was food and beverage, which incurred a 79 percent spike. In second place was electronics with a 73 percent uptick, while apparel and accessories came in third at 47 percent.

The security industry preaches the virtues of layered security protocols against an ever-expanding attack vector, as it rightly should. Perhaps it’s time also to preach the importance of layered security strategies to protect against an increasingly malevolent “Knowledge Era” when the bad guys know everything about you.

Read more about:

MSPs

About the Author

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, Linux.com and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like