Cyber attacks: What do hackers do with your data?

A wave of cyber attacks across the UK has left hundreds of thousands of Brits’ personal information vulnerable to online criminals.
M&S admitted that hackers stole personal data – but not payments information or passwords – in a cyber attack at the end of April, while recent breaches at the NHS and Legal Aid resulted in stolen sensitive information.
Hacking, particularly ransomware and phishing scams, is on the rise, especially in retail.
Cyber criminals overwhelmingly target ‘basic personal identifiers’ in data attacks, like names, dates of birth, or addresses.
Over 40 per cent of data breaches in the last five years have involved this type of data, according to the Information Commissioner’s Office, with health data in another 15 per cent and financial data in just under 10 per cent.
But what do hackers do with this data when they have it, and how do they make money off it?
Data: A valuable commodity
Selling the data up front on the dark web is often the first port of call for hackers.
There is an “entire ecosystem” of vendors and intermediaries on the dark web who buy and sell people’s data, according to Ted Cowell, head of UK cyber security at S-RM.
The ecosystem is made up of “specially designed forums and community groups” on the dark web where credentials, personal data and sensitive information are traded, Cowell said.
“[These include] ‘initial access brokers’ and other hackers for hire, who are willing to pay other users for information that might help them stage further attacks on companies or commit identity fraud,” he added.
“The value [of basic details] resides in the bureaucratic complexity of changing this data, meaning they have a longer shelf-life,” Spencer Starkey, executive VP of Europe at SonicWall, said.
But if the data contains more than just basic information – medical or legal records, say – it is “extremely valuable” on black markets, Cody Barrow, CEO at EclecticIQ, said.
Launch cyber attacks
Once the data has been sourced or bought, it has a variety of uses.
The value of medical or legal information on the black market, for example, lies in its use when attempting a phishing scam, with attackers able to convince victims of their reputability by citing bank details and personal histories. It can also be used for lucrative identity theft.
But while sensitive information is the most valuable, basic information is useful, too – and easier to get hold of.
“[Basic personal information] is a goldmine for launching targeted phishing campaigns and social engineering attacks,” chief security officer at Thingsrecon, Tim Grieveson, said.
Social engineering attacks manipulate people into sharing sensitive information, which is often then used for further attacks. Phishing is a form of social engineering where attackers disguise themselves as trusted actors to encourage people to share sensitive information, often via email or text.
“Even seemingly harmless data can be the building blocks for more serious identity theft or fraud,” Grieveson added.
Credential stuffing attacks are also common if passwords are stolen, where attackers “test known passwords a number of times across a number of platforms to gain access to accounts,” Marshall Erwin, security officer at Fastly, said.
Erwin cautioned that technical breaches are “not a one-time thing”.
“Once data is in the hands of criminals it can be used for long-term social engineering attacks if left unaddressed. Most attacks start with credential theft, vulnerable APIs [backend cyber frameworks], or malicious bot activity,” he said.
Holding you (or a company) hostage
Hackers can also make money from your data, or a company’s, by holding it hostage.
This can be done on a small or large scale: the M&S attack, for example, was a ransomware attack where hackers withheld access to its computer systems, hoping the retail giant would pay up to regain access.
This attack format has also been showing up in ‘extortionware’ attacks, where hackers will contact an individual with a warning that they will release sensitive information to the public if the person does not pay the attacker.
“Threat actors will threaten to ‘leak’ – or make public – stolen data as part of their extortion methodology,” Cowell said.
“This scenario is especially prevalent for more established threat actor groups – mainly ransomware groups – who might maintain public-facing ‘leak sites’, where victims’ data can be alluded to and victims who don’t pay ‘named and shamed’ if no payment is received,” he added.
How to protect your data
Two thirds of UK consumers are changing their online shopping habits due to recent retail cyberattacks, according to research agency Opinium, with over half concerned their personal data has already been stolen.
“For customers, the advice remains clear: be cautious of unsolicited communication, never click on suspicious links, and consider changing passwords if reused across platforms,” Grieveson said.
“Two-factor authentication (2FA) and identity monitoring services should no longer be seen as optional, they’re vital.”
It’s also key to be cautious at work: a new study found nearly two-thirds of UK workers say they’ve experienced a cyberattack at work, yet only 11 per cent see it as their responsibility to prevent one.
Correction: The original version of this article contained incorrect information from the ICO on the number of attacks in the retail sector.