When a major data breach occurs, it makes headlines for a couple of days, maybe weeks if it’s huge, but then the news returns to normal and the public largely forgets. That cycle doesn’t change even when it’s our own data that is compromised. But it should, if for no other reason than what can happen years after a breach.
I spoke with David Harding, Chief Technology Officer for ImageWare Systems Inc., about the repercussions data breaches can have long after you think the threat has passed.
NM: What exactly does it mean for your data to be on the “dark web?”
DH: The dark web refers to content on the internet that is not indexed by conventional search engines like Google or Yahoo. It is more commonly known as a place for illicit activity. When we mention that your data is on the dark web, we infer that your stolen information is up for sale.
NM: Who is buying this data and what are they using it for?
DH: Hackers buy data to have financial gains in most cases. The 2019 Data Breach Investigations Report by Verizon states that 71% of breaches were financially motivated.
Let’s assume that your personal data was exposed during the Equifax data breach. Hackers now have access to your full name, address, Social Security number, knowledge-based questions and many other pieces of personally identifiable information. With that, they can open credit cards under your name, take bank loans, impersonate you in many of your online accounts – they have information that identifies you, which only you should have.
NM: Why would hackers wait years to use someone’s data?
DH: First of all, hackers have a lot of data to browse through. Going back to the Equifax case, which did not even break the top 10 list for the largest breaches by number of records, it did compromise data of over 100 million people. So going over all that data will take a while. Secondly, different hackers specialize in different types of attacks. The hacker that breached Equifax most likely will not use that information himself/herself. That data will be sold to multiple other hackers. So that Equifax data from 2017 will most likely be up for sale on the dark web for years, and it might take even more time for a hacker to find a way to monetize that data and conduct an attack aimed at you.
NM: How can you prevent this after your data has been hacked?
DH: It depends on what information is breached. If it is just passwords, you can change those. If it is social security, there is not much you can do besides monitoring your credit or freezing it. My biggest suggestion is not to think about mitigating a breach after it happens; it is to propose solutions so that data breaches never occur in the first place.
NM: Do you have any examples of someone’s data that lay dormant for years?
DH: A good example is Facebook’s CEO Mark Zuckerberg. In 2012 LinkedIn had over 100 million usernames and passwords compromised. But it was not until 2016 that Zuckerberg’s Twitter and Pinterest were hacked using the credentials from LinkedIn’s data breach. Ironically, you would think that Mark Zuckerberg’s passwords would be extremely complex and safe since he is in the online business, but his password was actually “dadada.”
NM: What advice do you have for those involved in data hacks and preventing future data hacks for those who have not been hacked?
DH: As I mentioned before, avoiding a data breach is much more responsible, cheaper, and efficient than mitigating the symptoms of a breach that occurred. One statistic that surprises people is that according to a 2017 study by IBM, 81% of data breaches happen due to a weak or stolen password. My advice is simple: let’s get rid of passwords. Besides being insecure, they are also very inconvenient. For years we have had biometric technology that can replace passwords. I see the movement towards a passwordless world happening. The question about getting rid of passwords is a matter of when, not a matter of if. Plus, legislation such as CCPA will definitely hasten that time frame.