There are no trivial breaches: why all compromised data matters
No organization wants to deal with a data breach that puts highly sensitive or personal data at risk. But what about a data scraping incident involving less sensitive information? How concerned should the company – and the people whose data has been compromised – be?
Consider the data breach notification that Dell recently sent to many of its customers. The letter revealed that “limited types of customer information” had been retrieved from a customer database on a Dell portal. The compromised data included customers’ names and physical addresses, along with order information such as transaction dates, product serial numbers and warranty information. The report highlighted that no payment, financial or ‘highly sensitive customer’ information was obtained in the incident, with Dell claiming: “We believe there is no significant risk to our customers given the type of information involved.”
Let’s take a closer look at this incident and whether it is truly insignificant to the customers whose information was compromised, as well as to Dell.
Resident CISO (EMEA) and VP Security Research at Netwrix.
The database was advertised on a cybercrime forum
The Dell breach came to light when a threat actor known as Menelik posted to a cybercrime forum on April 28. Menelik claimed to have deleted the data of 49 million customer records from a Dell portal that contained customer order information related to Dell purchases made between 2017 and 2024.
In the post, Menelik invited interested parties to contact them, implying an intention to sell or distribute the stolen data. The post has since been removed from the forum – indicating that the database has indeed been taken over by another entity, which may be trying to monetize the content.
All information is exploitable
The Dell breach notice implies that because the compromised data does not include financial data, login details, email addresses or phone contact details, any damage resulting from the breach will be minimal. Think about this, though: malicious actors who have demonstrated the ability to steal data from some of the largest corporate networks in the world may well have the ingenuity to exploit even a minimal amount of information.
In fact, enterprising cybercriminals have proven adept at leveraging seemingly innocuous data to orchestrate more elaborate attacks or combine it with other compromised information for nefarious purposes. They actively trade and share large data dumps containing millions of user records stolen in major data breaches on dark web forums and underground marketplaces. They collect data from various breaches and leaks and then compare or combine the information to create more comprehensive profiles of individuals. For example, they can match names or email addresses across different breach sets to collect and correlate associated passwords, personal data, and more.
Today, armed with AI, they can achieve these goals faster than ever.
The possibilities are endless
While the compromised Dell information may seem harmless enough, there are endless ways for the threat actors to make money from it. For example, they can easily create something that looks like an official Dell product notice and send it to customers. It may contain a QR code that customers can easily use to confirm their details or take advantage of a special offer to extend their warranty – after which the QR code will take them to a malicious site that installs malware on their device.
Another option is to compare the personal names in the Dell database against other collections of compromised data, such as stolen credentials. The resulting information could be used to launch a massive credential stuffing attack on Dell, allowing the adversaries to exfiltrate financial data or other highly sensitive information.
The well-known site Have I Been Pwned gives even novice users an easy way to determine whether their personal information, such as email addresses, usernames, and passwords, has been compromised in documented data breaches. Now imagine that this process is carried out on a large scale by skilled hackers, using advanced techniques and huge repositories of stolen data.
Reputational damage and legal fines
While data scraping incidents are not as overt as high-powered breaches, the consequences for the victim organization can still be severe. One consideration is mandates like GDPR, HIPAA, and PCI-DSS. From a compliance perspective, how data is compromised is irrelevant. If the organization, as controller of the data, fails in its responsibility to adequately secure it, and if regulated data is made public, it may be subject to fines and other penalties.
Even if no compliance violations are discovered, an organization that experiences a data scraping incident can still suffer significant reputational damage. Erosion of trust among current and potential customers can lead to customer churn, lower revenues and other serious financial consequences.
Conclusion
No matter how a data compromise unfolds, data theft is data theft and the damage is real. In today’s cyber threat landscape, cyber attacks are not a matter of if, but of when. Therefore, organizations must have a resilient cybersecurity architecture and a robust incident response plan. Being able to limit the likelihood and impact of a breach and ensure rapid recovery will yield major benefits in the long term.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro