What Happens to Personal Data After a Breach?

The subject of data breaches remains top of mind for most organisations and boards as the end of 2022 and the start of 2023 unfolds.

But what exactly is a data breach? How does it occur? And what are threat actors doing with the data they steal? (I will cover the consequences of a data breach in a future article).

At a high level, this article will endeavour to provide answers to these questions. If you want to get into the nitty gritty, then I am always up for a coffee and a chat where we can engage in what I like to call, a ‘robust discussion’!

When it comes to intellectual property (IP), the answer is straightforward: IP holds monetary value, and whether a threat actor accidentally comes across it or specifically targets an organisation for its IP, the benefits are measurable. However, what about personally identifiable information (PII)? The major data breaches we saw at the end of 2022 in Australia (Medibank and Optus) resulted in PII being stolen and held for ransom. Neither organisation, we have been informed, paid that ransom, which means the data was never returned and as far as the world can tell, the threat actors still have possession of this information. Or do they?

What is PII?

PII has been defined by the Australian Cyber Security Centre as:

“Information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context.”

Organisations in Australia that are not government agencies and earn over $3 million are required to report data breaches to the Office of the Australian Information Commissioner. Reportable personal information, as defined by the OAIC, includes examples such as:

• Sensitive information (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation, or criminal record, provided the information or opinion otherwise meets the definition of personal information)
• Health information (which is also ‘sensitive information’)
• Credit information
• Employee record information (subject to exemptions), and
• Tax file number information.

According to Australian law, employee record information is exempt from certain provisions. However, this exemption only applies to data that directly relates to current or former employment relationships and does not extend to future employment relationships. Therefore, any data collected about prospective employees, such as resumes, is considered PII and must be reported under the Australian Notifiable Data Breach Scheme if breached.

Under the General Data Protection Regulation (GDPR) governing the EU, and other international privacy laws, all data pertaining to employees, workers, and contractors is considered reportable PII.

As of December 2022, Australia has imposed new penalties for organisations that breach the privacy act. To see what these penalties are and how they may affect your business see our Australian Privacy Legislation Amendment: How Will It Impact You & Your Organisation article.

How Do Threat Actors Steal Personal Information?

There are many ways threat actors gain access to personal information. We often hear in the news of ‘sophisticated cyber-attacks’ and yes, sometimes a threat actor will use an exploit not seen before, but it can also be as simple as an employee clicking on a phishing email or an employee practicing poor password hygiene. Some of the ways I have seen PII breached include:

Phishing and Malware Attacks

Threat actors use phishing or text messages to trick victims into divulging sensitive information, such as passwords, or to download malware onto their devices which then allows the threat actor to gain access to the victim’s device or organisation.

System and Application Vulnerabilities

Systems have not been patched or updated, or have vulnerabilities in their code that allow for threat actors to exploit known or new vulnerabilities.

Insider Threat

An employee may intentionally or unintentionally send PII to the wrong person, or intentionally download PII to a USB key or upload it to a cloud account to sell.

Poor Password Hygiene

Staff may be using the same passwords for both their work and private accounts, they may be using weak passwords in general, or the organisation has not implemented MFA on critical systems. Breached or stolen credentials are then matched up to the employee and organisation and a threat actor has been able to gain unauthorised access without breaking a sweat!

Physical Compromise

Ineffective locks or missing physical security controls means a threat actor may be able to walk into an organisation and steal PII in paper form, or access PII from unmanned and unprotected systems.

Compromised Downloads

Someone may download software, a game, or a movie and that download comes with a malware payload which is then used to access the person’s device or organisation.

Dumpster Diving

Threat actors can search through trash or recycling bins to find physical documents containing PII. And no, I have not seen this one in real life, although I have seen it in a movie (does that count? And can you name the movie?)

 Public Wi-Fi

Threat actors can intercept traffic on public Wi-Fi networks and capture PII entered by users using techniques such as a Man-in-the-Middle (MitM) attack.

Publicly Available Sources

Threat actors can obtain PII from publicly available sources, such as social media profiles or online directories. In fact, some online “marketing” companies have done a lot of the heavy lifting for threat actors, as they will link a person to information scraped from the Internet, such as work email, private email, phone number and work history.

For statistical breakdowns of reportable data breaches in Australia, based on industry and other factors, such as whether the breach was via human error, malicious actor, or application error, see OAICs Notifiable Data Breach Statistics page.

Where To (For Your Data) From Here?

There are various actions that a threat actor could take once they obtain your data. Here are a few examples.

On-Selling

Threat actors can on-sell your data in a variety of ways. One common method is to sell the data on the dark web to buyers who are looking for specific types of information, such as driver’s licences, email addresses and passwords or credit card numbers. The information is then used for illegal activities such as identity theft, financial fraud, or targeted phishing attacks. The information may also be used to carry out additional attacks on a victim’s organisation or to gain access to other systems or networks.

Identity Theft

Identify theft may occur in several ways. Some of the most common methods include:

• Account Takeover: Stolen credentials may be used to gain access to a victim’s social media accounts, bank accounts, email accounts or other types of accounts.
• New Account Fraud: Stolen PII may be used to open new accounts, such as credit cards, loans, or utility accounts in the victim’s name.
• Synthetic Identity Theft: Threat actors can combine PII to create a fabricated person, or synthetic identity, for new account fraud (mentioned above).
• Medical Identify Fraud: Stolen PII has been used to obtain medical treatment, prescription drugs or health insurance, leading to erroneous medical records and bills.

Spear Phishing Attacks

Threat actors may use stolen PII to craft targeted phishing emails that appear to be legitimate and relevant to the victim, increasing the likelihood of the victim giving away additional PII or clicking on a malicious link. Spear-phishing occurs when the threat actor personalises the attack by using the victim’s name, educational institute, job, or job title, for example, to target a specific individual, group, or organisation.

Targeted PII Attacks

Threat actors may identify employees who have access to sensitive corporate information such as intellectual property, trade or military secrets, or financial information. They then go looking for PII on these individuals to increase the likelihood of a social engineering attempt being successful. FYI, threat actors will target IT, human resources and finance staff more than any other area of a business.

Extortion

Threat actors use stolen PII for extortion activities. They may demand a ransom, as we saw with Medibank and Optus, or a threat actor may threaten to expose sensitive or embarrassing information to the public or a victim’s employer, family, or friends.  An example of this type of extortion is sextortion, where a threat actor claims to have intimate photos or videos of the victim and will expose these images unless a ransom is paid. One of the more controversial cases of last year was against Grill’d Co-founder Geoff Bainbridge, who resigned as CEO after a sexually explicit video emerged after a failed extortion attempt.

The Going Rate for Data

The last topic I will look at for this article is the going rate of Australian data on the dark web. The value of stolen data on the dark web depends on how complete an individual’s profile is. The more complete, the more valuable it is. According to a Nine News study conducted in 2022, digital passport scans were being sold for $16.50, driver’s licenses for $48, and mobile numbers with email and login information for $13.00.

To provide some context, suppose your organisation collects copies of driver’s licenses, and you have 40,000 customers. Based on the November 2022 price of Australian driver’s licenses, the threat actor stands to make roughly $1,920,000 by infiltrating your organisations and stealing your data. It’s a pretty substantial payout and makes it very clear why your PII is so valuable.

I hope you have enjoyed this article and it has shed some light on how data is breached within an organisation and what happens to the data once it is breached. It is a fascinating topic and one that I can talk about for hours. But, since I am such a nice person, I will stop this article here and will have some additional articles that expand on this topic in the future. Bye for now.