In 2023, The Fraud Machine is Powered by Breach Opacity
2022 saw yet another near-record year for data breaches. Not only did breach numbers stay near record highs, but the public disclosure and handling of those breaches has become increasingly consumer-unfriendly. It’s time for enterprises to take charge of fraud prevention and demonstrate their data handling maturity to consumers.
Tip of the Iceberg: Data Breaches on the Rise
The Identity Theft Resource Center (ITRC) analyzes the data behind the ever-spiraling number of data breaches every year. Its 2022 report compiles breach information from mainstream news sources, company announcements, security research firms, and other cybersecurity-focused non-profits.
The 2022 report counted 1,802 ‘data compromise’ incidents in total. Almost all of these were traditional breaches, in which an attacker gains unauthorized access, typically through credential abuse. A further 18 were exposures, which more often stem from cloud misconfigurations, while the underlying details of 10 incidents remain largely unknown. The total stands at the same near-record level as 2021’s, but a key trend has become increasingly noticeable to ITRC researchers: declining transparency.
Customers and businesses alike are suffering from the increasing opacity of public breach notices; in 2022, just one third of publicly released breach notices included details about both the victim and the attack. This is the lowest level of breach transparency in five years, and a decline of 50% from 2019 alone.
Driving this unwillingness to spill the beans are two forces of equal weight: market value and the lack of a federal law. Many companies don’t want the negative public image that comes with mishandled data, particularly as customers become more aware of how their data is stored and handled. At the same time, breach notification laws are still percolating through the federal system. This means that, for now, the burden of determining their own exposure after a breach falls almost solely on the customers themselves. This is dangerous because of the ruthless mechanics of the data breach market. Follow-on identity fraud and scams claim millions of victims per year; this is how.
How Breach Silence Harms Consumers
A large indicator of data breach severity is how well a company has worked to protect its databases. According to a 2021 study of cloud security, a fifth (21%) of businesses host the majority of their sensitive data in the cloud; 40% of these reported a breach over that year. This isn’t because cloud infrastructure is inherently less secure – far from it. However, the road to digital transformation is paved with potholes. In the APAC region, almost 50% of companies report cloud security as much harder than its on-premise ancestor. In parallel with this still-developing understanding of cloud security, only 17% of organizations surveyed held more than half of their cloud-hosted data in an encrypted state. For organizations that have adopted multiple cloud processes, this figure drops to 15%.
Access control for these databases also has a long way to go: only a third of organizations relied on multi-factor authentication as an integral part of their IAM strategy, leaving passwords as the sole weak point standing between an attacker and a data breach.
When a data breach occurs, the exposed customer data is resold at a profit. The core market mechanics are driven by the exploitation of each leaked piece of data. Once the attacker has siphoned this data out of a legitimate organization, buyers add the sensitive information to their own databases. From there, the details – often including personally identifiable information such as email addresses, postal addresses, and full names – are each weaponized in distinct ways.
In early November 2022, a cyberattacker was quietly rifling through an exposed AWS container belonging to Luxottica, a luxury eyewear company. This followed a similar leak in 2020 that exposed 829,000 users. The company was blind to the attack until cybercrime syndicate Sin posted publicly about an auction of client data. When pressed, Sin claimed the data had been ‘bought legally’. Advertising the data in this way let interested parties bid at various prices. While the personal information of luxury brand customers may fetch promising prices, the data of most of us is priced by the plain mechanics of supply and demand. Data breaches are so common that social security numbers now sell for less than a dollar, matching the price of non-financial account logins. This market is perfectly set up for middleman attackers, who filter the raw breached data into honed phishing and account takeover attacks. Automation has empowered attackers to use every scrap of stolen data.
How Proactive Protection Needs to Change
In an ideal world, the systemic gaps in cloud security could be closed, freezing attackers out of their source of income and exploitation. However, security evolves in steps and strides – and, even worse, the data is already out there. The RockYou21 file is a case in point: it is the largest single password compilation ever leaked, and its more than 8 billion entries form a foundation for automated attacks. If an unwitting employee or customer were to reuse an entry from it, their account would likely face compromise, even with no new attack.
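One defensive response to compilations like RockYou21 is to screen new passwords against a breached-password set at registration or reset time, without shipping the full password to a lookup service. The example below is added here and is not code from the original article or from any vendor; it assumes the 5-hex-character SHA-1 prefix scheme that the Have I Been Pwned "Pwned Passwords" range API uses, and stands in a small constructed leak set for the real corpus.

```python
import hashlib
from typing import Dict, Iterable, Set

# Constructed stand-in for a leaked compilation (assumption: a real deployment
# would query the Pwned Passwords range API or a local copy of the corpus).
_CONSTRUCTED_LEAK = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts: Iterable[str]) -> Dict[str, Set[str]]:
    """Index leaked hashes by their first 5 hex chars; store the 35-char suffix."""
    index: Dict[str, Set[str]] = {}
    for pw in plaintexts:
        h = sha1_upper(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


LEAK_INDEX = build_range_index(_CONSTRUCTED_LEAK)


def lookup_range(prefix: str) -> Set[str]:
    """Server side of the k-anonymity exchange: it only ever sees a prefix."""
    return LEAK_INDEX.get(prefix, set())


def is_breached(password: str) -> bool:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    h = sha1_upper(password)
    return h[5:] in lookup_range(h[:5])


def password_policy_check(password: str, min_len: int = 12) -> str:
    """Reject known-leaked passwords first, then apply a length floor."""
    if is_breached(password):
        return "rejected: appears in a leaked compilation"
    if len(password) < min_len:
        return "rejected: too short"
    return "accepted"
```

The same check can be run against existing accounts at login to force a reset before a replayed credential is used, which addresses the "no new attack" case the text describes.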
Rather than hiding breaches, organizations need to rely on proactive account safeguarding. Sensitive sites and apps must be protected with a comprehensive solution that identifies bot activity, leaked user credentials, and account takeover attempts. With this visibility assured, it becomes possible to discreetly inform customers of any account takeover attempt, while using the opportunity to educate them on risk avoidance. By preventing an attack, rather than scrambling to handle the post-breach fallout, your enterprise becomes a beacon of responsible customer security.
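The account takeover detection the paragraph calls for can start from nothing more than the authentication log. This added example (not code from the article or any product) runs over a few constructed log lines and flags the signature of a credential stuffing run: one source address trying many distinct accounts inside a short window, then lists the accounts that saw a success from that address, which are the customers to notify. The log format, the one-minute window and the five-account threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample authentication log (not from any real system):
# timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 203.0.113.7 alice FAIL
2023-03-01T10:00:02Z 203.0.113.7 bob FAIL
2023-03-01T10:00:02Z 203.0.113.7 carol FAIL
2023-03-01T10:00:03Z 203.0.113.7 dave FAIL
2023-03-01T10:00:03Z 203.0.113.7 erin FAIL
2023-03-01T10:00:04Z 203.0.113.7 frank SUCCESS
2023-03-01T10:00:10Z 198.51.100.2 alice FAIL
2023-03-01T10:00:15Z 198.51.100.2 alice SUCCESS
2023-03-01T10:05:00Z 192.0.2.9 grace SUCCESS
"""

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_credential_stuffing(events: List[Event], window: timedelta = timedelta(minutes=1),
                               min_users: int = 5) -> Dict[str, List[str]]:
    """Flag source IPs that attempt >= min_users distinct accounts within `window`.
    A legitimate user touches one or two accounts; a stuffing run replays a leaked
    list against many. Returns {ip: sorted usernames attempted in that window}."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))
    flagged: Dict[str, List[str]] = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):          # sliding window over time-sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def accounts_to_notify(events: List[Event], flagged: Dict[str, List[str]]) -> List[str]:
    """Accounts that logged in successfully from a flagged IP: probable takeovers."""
    return sorted({user for _, ip, user, outcome in events if ip in flagged and outcome == "SUCCESS"})
```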