An article published by the ABC has highlighted the dangers of data breaches and identity theft, including how they occur and the consequences.
It shows how a person’s full identity and information can be pieced together by cybercriminals, and the dangers of what they can do with such information.
Some people might have heard about the data breaches at Medibank and Optus, but unfortunately, there have been thousands more breaches which the general public is unaware of.
‘Have I Been Pwned?’ is a website that records stolen data and is so helpful that national governments, law enforcement, and security agencies use it to monitor data and identity theft.
How Does ‘Have I Been Pwned?’ Work
Using information available online, the Have I Been Pwned? website collates lists of personal information that has been hacked or gained through nefarious means. Members of the public can visit the Have I Been Pwned? website and enter their email address, from which they can discover if, how, and when their private details have been compromised.
Data Breaches And Identity Theft: A Case Scenario
Following is a hypothetical case scenario and timeline of how a person’s identity can be obtained and pieced together through data breaches.
The first data breach that occurred was through the Lastfm website, in 2012. During this breach, a person’s email address, username, password, and website usage were obtained.
Next, their data at LinkedIn was breached, which also included email addresses along with passwords, and then another breach occurred through Apollo. As the breaches continued to occur, more of this person’s identity and personal details were becoming available.
The next breach occurred at YouveBeenScraped, and it involved email addresses, personal names, geographic locations, employers’ names, job titles, and social media accounts, and after that the design website Canva was also compromised.
Another two breaches followed at People Data Labs and Gravatar, and up to this date, the case study has had their details exposed through seven data breaches, and between them, eleven individual items of their identity have been exposed, and some of them many times over.
The types of information gained through these types of breaches most often included email addresses, personal names, geographic locations, passwords, and usernames, and when combined, it reveals quite a lot about a person and their personal life.
What A Cybercriminal Can Do With This Information
With each breach, more information about a person’s identity can be pieced together, and with this, a picture starts to form, and the risk of the person falling foul to a cybercrime and fraud increases as well.
This gathering of personal information is called the “mosaic effect”, and the level of risk to a person increases with every data breach. This is because all of the information can be linked using one piece of unique data that ties it all together, which in the previous case scenario, is an email address.
Where Does The Stolen Data Come From?
Using this case scenario, we can further explore the results presented.
The largest breach was the Apollo breach, which revealed eight pieces of personal information, and the next largest was through a site named People Data Labs with seven.
Significantly, the person in this scenario only gave their data to four of the seven entities that were the conduit for their personal information being distributed. When undertaking a search on the Have I Been Pwned? website, many of us won’t recognise the entities that have exposed our data, which highlights how little control we have over it once we have shared it.
The Have I Been Pwned? website does not tell the complete story though, as it only reflects data breaches that are already known, and what it doesn’t reveal is all the other information about someone that is available on the internet.
Additionally, data breaches are also only one part of a much bigger picture, as personal data can subsequently be bought and sold online through data markets.
Data enrichment services, which include brokers, intermediaries, and aggregators, all sell access to large databases of private information which has come from a range of sources.
What Are The Largest Sources Of Breaches On Have I Been Pwned?
Here are the top six sources for breaches from the Have I Been Pwned? website. Notably, only one is a household name:
- Collection #1 – 773M accounts
- Verifications.io – 763M accounts
- Onliner Spambot – 711M accounts
- Customer of People Data Labs – 622M accounts
- Exploit.In – 593M accounts
- Facebook – 509M accounts
A Common Theme And Personal Identity
A common theme that appears here, is whatever its original intended use, this leaked information can be used to construct an intricate profile of our personal identities.
A single piece of information, such as an email address, is all that is needed to locate someone amidst the vast collection of exposed data compiled by Have I Been Pwned?.
This includes information from major breaches at everyday companies like Facebook and Twitter, as well as repackaged data acquired from data-enrichment firms.
There exists a tremendous volume of personal data, openly traded on marketplaces which are accessible to anyone, and it is a person’s contact details that serve as the adhesive that pulls together a more complete picture of someone’s identity, sourced from all the exposed data.
What Can Be Done To Better Secure Your Data?
A wide array of privacy and security tools are available to consumers, ranging from browser extensions to comprehensive digital hygiene solutions.
Some of these tools can mitigate the mosaic effect of identity theft by limiting the ability of criminals to connect different data breaches.
Email-masking services like Apple’s HideMyEmail and Firefox Relay offer random “burner” email addresses for website and service sign-ups, effectively diluting the ability to construct a mosaic of a person’s identity by reducing the number of identifiers.
And there are similar services available that can mask credit card details, phone numbers, and other personally identifiable information, yet employing all of them simultaneously is cumbersome.
The answer to best securing your personal information ultimately lies in a mix of self-resilience, and improved privacy protections to be implemented, enforced, and maintained by the various levels of government.
To keep up to date with the everchanging world of online security arrange a consultation with Aryon today.