More often than not, we hear about huge data breaches, with millions of records being stolen, costing businesses huge amounts of money. The biggest one to date is the 2013 cyberattack on Yahoo, which affected 1 billion accounts. You would think an IT giant such as Yahoo would have some of the strongest data protection processes in place. Yet, they could not prevent another attack just a year after, affecting 500 million accounts.
Each year the number of cyberattacks grows exponentially, with over 1.76 billion records being stolen at the beginning of 2019 with a global average cost of $3.6 million. The predictions are that by 2021, cybercrime will amount to $6 trillion annually.
It may seem crazy that something as abstract as information from data breaches can cost such enormous amounts of money. But cybercriminals know exactly which kind of information to go after and how to profit from it. As a future cybersecurity expert, you should know as well.
Personally Identifiable Information, also known as PII, is the primary target of many hackers. It can be non-sensitive or sensitive.
Non-sensitive information can be obtained from public records, directories, websites, etc. (home address, phone numbers, names which are listed and published, social media information). Disclosing it would not harm the individual.
On the other hand, disclosing sensitive information can harm the individual, so this information has to be encrypted. It entails unlisted data such as names, home and email addresses, date of birth, phone numbers and, as of recently, IP addresses as well. It further includes biometric information (unique physical and behavioral characteristics), personally identifiable financial information (PIFI), medical information, and unique identifiers such as social security and passport numbers, passwords, etc.
Hackers also go after information you would not think of as valuable, such as the name of your first pet, your mother’s maiden name, the names of your best friends, etc. Combined with email addresses and passwords, they use it to easily hack into online accounts and retrieve old ones.
Email addresses could also be used for phishing, which accounts for 90% of all cyberattacks, with the goal of infiltrating companies with ransomware or obtaining access, while phone numbers could be used for vishing. Both could be used for spam and nuisance marketing, while social media information can be used for further data mining.
Personally Identifiable Financial Information
PIFI is any information disclosed to a financial institution that is not available to the public (names, contact details, bank account and payment card numbers, Social Security number, billing information, etc.) and that forms part of a data breach. The quickest way cybercriminals can make a profit is by obtaining payment cards and any other banking details stored on phones in different apps (wallets, bank apps, shopping platforms) or on desktops.
Apart from personal and financial information, hackers are after any information about a business which could be sensitive (methodologies, frameworks, plans, analysis, code, etc.), which they can later sell to the business's competition or ransom back.
Healthcare and Education Information
Even though this might not seem as attractive, medical information is also sensitive personal information that could be used for fraudulent activities. Hackers usually go after hospital records and insurance information.
The same goes for education information, with hackers targeting student records, enrolment data, and transcripts.
So how do cybercriminals profit from all of this information?
Personal information is usually used for identity theft. Criminals can also use it to apply for loans or credit cards or to file tax returns. But much of the stolen data ends up being sold on the dark web to the highest bidder (at a rate of $20 per record) or is ransomed back to the victim.
Another method is blackmail, once they get hold of information which you would not want to be made public (messages, photos, videos, etc.). In the USA, hackers can eavesdrop on calls and read texts after learning the victim’s phone number, due to a security flaw in SS7.
With PIFI, they can buy goods on any of your shopping accounts or, more often, purchase gift cards and vouchers. If they retrieve your passwords for banking apps and platforms, they can transfer and even withdraw money directly from the accounts. Fake tax returns, loan applications, counterfeit payment cards: the options are numerous.
Medical information is often used for healthcare abuse and insurance fraud, or fraudulent purchase of prescription drugs. With education information, hackers can apply for student loans, use it for identity theft, or sell diplomas online. Medical records are surprisingly more valuable than any financial information, worth up to $1000 on the dark web.
So it is clear that the importance of cybersecurity and the protection of information grows each day. With so much data being stored on the internet, it will never cease to be the prey of cybercriminals, which is why new cybersecurity technologies and strategies should be continually devised and implemented to protect it.