Small data breaches: countless, dangerous, obscure


According to the 2020 Data Breach Investigations Report, 86% of breaches are financially motivated. With the dark web market of stolen data being so vibrant and so profitable, organizations and individual users are under constant threat of cyber-attacks. But while big companies prioritize investing in cybersecurity, smaller organizations often put themselves and their users in a vulnerable position.

 

Attacks victimizing big players make a splash

 

Attacks on famous organizations are widely reported by the media. This is why it may seem that hackers are primarily interested in big companies with large user bases. Of course, well-known companies should stay alert, because their protection is constantly being tested by cybercriminals. Dark-web trade in personal data and opportunities for blackmail, spam, and money theft with compromised credit card information are what motivate hackers to spend hours and days trying to find a breach in a company’s digital infrastructure.

For instance, on May 19, 2020, the British low-cost airline group EasyJet reported a leak of 9 million customers’ records. The compromised data included email addresses and travel details. 2,208 credit card details were stolen as well.

In such cases, companies usually take serious measures to deal with the impact. They contact customers, offer support and compensation, and advise them of protective steps to minimize the risk of phishing and social engineering. Often the organizations reset all users’ passwords or even temporarily freeze access to digital services.

Big companies also have “bug bounty” programs and pay good money to “white-hat” hackers who report security vulnerabilities instead of exploiting them. 

 

Risks of data breaches are numerous and impactful

 

What risks do data breaches pose? Companies can face serious reputational and financial losses, as well as fines from regulatory bodies. Some businesses may never recover from an attack.

The consequences for individual users are also varied. For starters, they can receive spam messages. Their accounts on valuable services may be stolen, and access to them may be lost. Money can be charged to the compromised credit cards.

External access to any personal data allows criminals to earn the trust of users through social engineering attacks. The fraudsters pretend to be friends, relatives, or representatives of trustworthy organizations such as banks, government bodies and employers. They create a sense of urgency and play on people’s emotions such as fear, curiosity, or love for a good bargain. Then users can fall into the trap and give away access to their financial accounts or inadvertently install spyware and malware.  

 

Hackers have incentives to attack small organizations

 

Attacks on big companies are very profitable for hackers. But why do small organizations also fall victim to data breaches?

  • First of all, these organizations are soft targets. They often don’t have any security protocols, store their data in less protected systems, and don’t encrypt it well.

  • Secondly, criminals combine compromised accounts into so-called “combo lists” and sell them on the dark web. In May 2020, the Security Service of Ukraine arrested the hacker known as Sanix. He made headlines in 2019 after offering an enormous database online containing 773 million e-mails and 21 million unique passwords. The database was called Collection #1. 18% of emails and about half of passwords had not been reported as compromised before. During the arrest, Ukrainian law enforcement found at least seven databases totaling about a terabyte of personal and financial data of users from the EU and North America, including bank card PIN codes and account details of cryptocurrency wallets.

  • The third motive behind indiscriminate attacks that compromise even small organizations’ data is connected with current hacker demographics. Apart from mature and sophisticated criminals, we are witnessing a soaring population of so-called “script kiddies”. These wannabe hackers run ready-made malware while barely understanding the way it works. They enjoy vandalism and leak breached records “for fun” and for peer recognition. These “skiddies” usually don’t have a specific target and don’t know the end users of the breached data, so it is really hard to assess the outcome of such crimes.

 

Dangerous consequences of small breaches

 

A scandalous attack involving a famous organization makes the news, so users are more likely to take steps to protect their data. The company usually notifies the users while its security specialists implement a mitigation plan.

As for small leaks, you may never hear about them at all. You probably don’t even remember all the small services you’ve registered with. Since the level of protection and encryption is so low, hackers will get to your sensitive data in a snap. And the criminals may never be prosecuted. The FBI’s Internet Crime Complaint Center states that the cybercrimes recorded in the agency’s reports represent only 10 to 12% of the total number actually committed in the U.S. each year.

Here are some of the recent leaks reported by Breach Report as a result of dark web monitoring and analysis:

  • In June 2020, a file belonging to Hrady, a Slovakian castles guide and research group (Hrady.sk), surfaced on the web. It consisted of 1,332 user accounts, compromising email addresses and plain text passwords.

  • In June 2020, a file belonging to The Regional Accounting Council of Mato Grosso in Brazil (CRCMT.org.br) appeared on the dark web. The file included 4,868 user accounts with email addresses and plain text passwords.

  • In June 2020, a file belonging to Corporate LiveWire, a media outlet for corporate news (corporatelivewire.com), was published online. It consisted of 2,263 user accounts including email addresses and plain text passwords.

  • In May 2020, a file allegedly belonging to VDB Audio, a broadcasting equipment retailer (VDBAudio.com), surfaced on the web. The file included 1,686 user accounts, compromising email addresses and plain text passwords.

  • In May 2020, a file belonging to Zombie John, a car seller (ZombieJohn.com), appeared on the dark web. The file consisted of 1,933 user accounts with email addresses and plain text passwords.

All these leaks contained unencrypted passwords, so scammers can use them right away. The situation gets even more serious once a stolen database includes financial and other highly sensitive data.

 

A smart approach to data protection

 

What should be done to minimize the risks of data breaches?

  • Individual users should always use strong passwords: long, complex, regularly updated, and unique ones for each service. On our website, users can check if an email was previously compromised and take appropriate measures to update the password.

  • Organizations should run cybersecurity audits, prepare response plans, and use reliable contractors and high-quality security solutions. Breach Report offers a user-friendly interface for analysis and reporting of privacy threats, account breaches, and vulnerabilities. The solution provides 24/7 monitoring of individual and business accounts and immediate notifications in case of a breach, continuous updates on new dumps found on the dark web, a scanner of dark web activity surrounding those accounts, and tools for additional breach-related research.

 

Stay safe and remember that a chain is only as strong as its weakest link. So without a smart approach to credentials management, your favorite password combination for a small long-forgotten service can spark a chain reaction one day and compromise very sensitive personal data.