You might have heard about a recent massive breach where half a billion Facebook users had their data stolen including such personal information as full names, emails, phone numbers, and locations. Actually, this is not a new data breach at all, but rather a new publication of previously breached data from a 2019 incident where a vulnerability allowed the personal information of Facebook users to be accessed. That vulnerability was shut down shortly after it was discovered in 2019, but once breached, the data is impossible to claw back. This is only one of a string of high-profile incidents where previously breached data has resurfaced, and in many ways is worse than when it was first exposed.
Typically, data that is stolen in a data breach incident is coveted by the criminal perpetrator for its monetary value and sold on the dark web through illegal online data shops. However, occasionally the hackers get hacked and the information is then sold again by competing criminal factions, or in this case it is made public for free. Occasionally, as the data ages and becomes less valuable to the perpetrator, they will sell off the data in whole, which typically leads to other types of compromise. The bottom line is, no matter how old a data breach is, the data exposure can live on.
A few days after the Facebook news, there was a report that a cybercriminal claimed to have a database of personal information on over 500,000 LinkedIn users. However, LinkedIn has confirmed that the information does not originate from a breach of their security but rather from hackers "scraping", that is, obtaining in bulk, information that is publicly viewable on various company websites, including LinkedIn. This is not considered a data breach, but because so many people carelessly post sensitive personal information in public view, the damage can be the same.
The most important lessons to take away from these two incidents are these:
(1) Check the security settings for each of the social media, chat, forums, apps, and websites that you use to make sure that your data is not posted publicly. This also includes transaction accounts like Venmo. Never post your personal information online, even if you believe it is secure.
(2) It is critically important to change passwords often, especially passwords tied to transaction accounts, email addresses, and accounts with mobile phone carriers. Mobile phones are being used all too often these days as an authentication token. A clever criminal can hijack a mobile phone number without ever having access to the physical phone. Then, with this device and other personal information, it is an easy path to accessing other accounts through password resets.
While educating your account holders about the ongoing dangers of breached data, please also remind them that your financial institution is thinking ahead. You have given your account holders the power of professional Identity Theft Recovery Advocates standing ready to help. When identity theft strikes, we have your back!
Please contact your NXG Strategies Client Manager if you have any questions or you need assistance.