Raising awareness quickly: What happens after a breach?

What happens to all of the data taken during a breach? Here's some basic answers.

Sometimes, especially if you work in Information Security, people ask about cybercrime, hackers, and security in general – such as malware or the latest scams and news reports. While most in the field are passionate about the topic, and can speak for days on it, it's still a bit daunting when you attempt to explain some of the complexities on a level that everyone understands.

Learning InfoSec, I was fortunate to have a mentor. Honestly my entire IT career was built on learning and information sharing. Back then, I learned the value of some advice my father once gave me; "If you can't explain it to a child, then you don't know it well enough."

Not to say that people outside of InfoSec are children, but when you think about it, if you can explain some of the complexities of cybercrime, network security, or technology in a way that someone with no knowledge at all gets it, then you've got a solid grasp on the subject. Me? I like to learn, and I like to teach. This is why my first post mentioned the fact that I'd take suggestions when it comes to Salted Hash. It gives me a chance to do both.

Recently, I was pitched an infographic from ThreatMetrix (a company from San Jose, California that offers fraud prevention solutions to businesses) on the topic of what happens after a data breach. It's a simple outline, but one that covers some of the questions people outside of my normal circles ask me when they learn I'm a journalist writing about cybercrime and security topics.

It distils things down to a basic level, and makes for a good set of talking points. It's also a decent primer, so you should feel free to use it if you want to include it with any awareness programs you have in-house. What follows is the data from ThreatMetrix, combined with additional details from my own personal experience and research. Feel free to comment and suggest additions or modifications.


That number represents the number of records lost during the breaches at Adobe, Living Social, Evernote, Facebook, Schnucks Markets, AHMC Healthcare, Twitter, and the California Department of Social Services in 2013. But what was lost exactly, and what happens after it's taken?

During each of the incidents, one or all of the following were lost: credit and debit card data; PII (personal identifying information) such as names, addresses, DOB, Social Security Numbers, phone numbers, driver's license number records; related account information (unique to each organization breached) e.g., customer number; email addresses, and passwords.

Instant Access:

In some cases, this stolen information can be used to launch further attacks. Many times, people use the same password across multiple websites – or recycling – so an account compromised on one website can lead to compromises at several others. These types of instant access attacks can lead to serious dividends for a given criminal, which is why it's always best to avoid sharing passwords across more than one website. This type of information is also used to launch Phishing attacks or to build lists in order to send Spam, which in turn could contain malware that allows the criminal to victimize the people impacted by the breach further.


Another way this stolen information is leveraged is purely financial. There are entire economies that focus solely on stolen data. The criminals who steal it will sell it to other criminals, or brokers. So names and addresses can be sold to one person, while another will buy the stolen credit cards. Criminals also offer packets, where a person's entire identity (or as much as can be collected) is packaged and sold as a set. The price paid for this kind of data is always in flux, but a criminal who steals 2.5 million credit cards and corresponding account data can score several thousand dollars in relatively short amount of time.

A whole new you:

Once the stolen data is sold off to the various fraud rings, criminals then use the information to forge false identities. This is where you hear about identity theft, and why it is such a serious issue. When a database is breached, and the criminal knows your name, address, credit card number (and security code), phone number, etc., they can sell it to people that will "cash out." But some will simply create a new identity for themselves.

Digital to Physical:

Cashing out is when your stolen credit information is used to make CNP (Card Not Present) transactions online. What they've done is taken stolen digital goods, and used them to acquire physical goods of tangible value.

The $500 limit on your Visa is just a set of numbers in a spreadsheet at first. But when the criminal cashes out, now it's a new flat screen TV. They don't worry about being caught either, because they often drop ship to mules who take a small cut of the proceeds and pass the merchandise on to the crooks. Coincidentally, these mules answered "work from home" ads in the classifieds, and it seems like a great job at first, until the police arrive. Cashing out also applies to banking information too. Those accounts can be cashed out just as quickly, but with less overhead for the criminal.

While you're not fully financially responsible for this type of crime, the process of recovering it is time consuming and stressful. You should be familiar with your bank's fraud reporting and recovery process, as well as those used by the bank that provides your credit card.

Harsh Reality:

As a consumer, you cannot protect the company you do business with from cybercrime. You can only protect yourself and mitigate loss. This is why it is important to monitor your credit records, and to understand the fraud policies that apply to your bank, and your credit cards. You'll need to know who to contact, and the steps that need to be taken in the event that someone has stolen your information and is using it.

When it comes to passwords, don't use the same one for multiple websites, and use a password manager such as KeePass or 1Password. Personal information is sometimes necessary, but not always. Think about why the website is collecting this data, and if you feel it isn't needed, don't share it. For other basic tips, go to IC3.gov and click "Internet Crime Prevention Tips" on the right-hand side, it's a basic, but rounded overview of many of the common scams you'll see online.

Copyright © 2013 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022