Shortly after the news broke that Cathay Pacific had been hit with a huge data breach impacting 9.4 million people (more than the entire population of Switzerland), Computer Business Review was speaking with one leading CTO.
We asked them if they flew with the airline: “Not recently, but I did with BA and my data has probably changed hands multiple times by now!” he/she said cheerfully. With data breaches now so frequent, many are similarly cavalier.
Setting aside the regulatory and reputational risk for companies affected (which is substantial), should those affected really be concerned?
We asked Rafael Amado, a Strategy and Research Analyst at Digital Shadows (which tracks the dark web for corporate material) for some insight into what happens to such huge data sets after they are stolen – and whether encryption is the answer.
Should anyone really care if their data’s leaked?
It really depends on the type of data that has been leaked or compromised, but as a general rule, yes, people should be concerned when incidents such as this occur.
Often, breaches will result in customer credentials, including passwords, being stolen. As people tend to reuse passwords across multiple accounts, individuals will therefore be at risk of account compromises if their passwords have been exposed, and an attacker may be able to then break into the victim’s sensitive accounts such as personal email and online banking services.
In this case, Cathay Pacific claimed no passwords or full loyalty profile information had been compromised. Nevertheless, a large amount of personal data was exposed, including dates of birth, passport numbers and identity card details. This type of data would be very valuable for a cybercriminal looking to perform identity fraud. With this amount of information on an individual – as well as full names, nationality and contact details – you would be able to bypass security checks on a number of services.
Cathay Pacific also stated that the credit card details that were exposed were either expired or had no CVV numbers included. While CVVs were introduced as an anti-fraud measure, card details can still be used fraudulently without a CVV if you don’t use a secure site.
Aren’t hackers just after quickly monetisable card details?
No. There is a very large and varied market for all different types of services.
Certain actors specialise in payment card fraud, while others are more interested in compromised accounts, or even compromised infrastructure. Then there is another market for identity, tax, health and insurance fraud: here attackers are after personally identifiable information, tax documents from finance departments, or health records. Some actors, of course, trade across all these different areas.
What happens to data like this? There’s so much of it…
Cybercriminals can take a variety of approaches here, and it depends on what their ultimate motives are.
Attackers will usually try and make use of the most valuable or lucrative pieces of data – such as performing identity fraud using the personal details exposed.
However, they will also look to maximise how much value they can get out of the data. This will either mean selling the dataset in its entirety to other criminals, or partitioning the data and then selling it in smaller batches on criminal forums, marketplaces and online stores.
What you will also often see happening is that datasets end up being recycled across the cybercriminal community, with the value of the data being exhausted every time it changes hands and is used. As email addresses and copious personal details were exposed, this type of large dataset will very likely end up being used for phishing purposes, with attackers potentially able to create more targeted attacks to socially engineer their targets.
Are there really buyers for a set of this scale? Where do they operate?
We do see a lot of demand for compromised accounts, payment information, personal details and especially identification documents such as passports across the channels that we monitor. This includes cybercriminal forums and marketplaces, but also messaging platforms such as Telegram and Discord.
Following the seizure of AlphaBay and Hansa, more and more individuals are preferring to use specialised forums and messaging apps such as Jabber, Skype, Telegram and Discord to continue their activity. Often sellers will advertise their service or product on a particular forum, but rather than communicate directly with sellers on the forum or through its private messaging service, buyers are encouraging interested parties to reach out to them directly on alternative messaging platforms.
In May 2018, an individual in the UK – known online as “Courvoisier” – was sentenced to 10 years and eight months’ imprisonment for computer hacking and fraud. Courvoisier was a prominent seller on AlphaBay, using customer details they had obtained through phishing campaigns to sell discounted services for retail, online gambling and travel companies. A major international airline lost £400,000 after their frequent flyer accounts were compromised and sold by Courvoisier. With over £1.6 million in cryptocurrency still unaccounted for, and Courvoisier’s targeting of over 100 different businesses, you can see that this is a popular and lucrative enterprise and he obviously had enough demand for his services.
And a dark web passport costs…?
There are different types and formats of passport and identity information traded online.
Some sellers trade passport scans – a digital picture showing the passport details and unique identification number. These are useful for fraudulent activity such as opening bank accounts under another identity. These are sold for as little as $10–20. A physical passport – which is of course harder to acquire – can sell for between $5,000–15,000, with certain passports (such as Russian ones) being more widely available, but those from the US being most popular and in demand.
Passport details aren’t always sold individually either. Vendors will offer packages that have a range of data on individuals. This can be partial PII or “fullz”, a term that means a combination of financial and personal information. A passport, therefore, could be sold alongside bank statements, tax documents, payment card details and health information. The more information provided in the package, the more it will be sold for.
Is more widespread corporate use of encryption the answer?
This is a complex problem. Encryption is very useful, but in this case, encryption would not really have helped.
The database that was compromised is what we refer to as a “hot” database. This means that it has to be accessible all the time (for example an airline passenger or ticketing database). You can either have a database be accessible or encrypted, but not both simultaneously.
Instead, this is more of a process issue. By processes we refer to common failures seen across organizations such as not patching effectively, weak monitoring, not training your employees or having a decent incident response process in place, and failing to harden your systems or apply principles of least privilege so that access is reserved only for those who require it.