In our previous article on data breaches, we considered the potential damage that could result from public exposure of an individual’s membership information. In this article we examine the potential collateral fallout of an online activities data breach.
Capturing online activities can be accomplished by using cookies installed on your computer. Cookies are small pieces of data that a website stores in your browser and that the browser sends back to that site on later requests. Cookies can tailor web pages with content pertaining to the user, or carry information set on one page and present it again when the user visits another page.
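To make concrete what a cookie can carry and for how long a site can use it to recognize the same browser, here is an added example in Python (not code from the original article or from ThreatModeler). It parses Set-Cookie headers the way a browser receives them and flags the attributes a reviewer would check when assessing tracking reach and exposure. The header lines are constructed samples; the attribute names (Expires, Max-Age, Domain, Secure, HttpOnly, SameSite) are the standard RFC 6265 ones, and the one-year threshold is an assumption chosen for illustration.

```python
"""Parse Set-Cookie headers and flag attributes relevant to tracking and exposure.

Added example: the header lines below are constructed, not captured from a real site.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample headers, as a server might send them to a browser.
SAMPLE_HEADERS = [
    "sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Strict",
    "track_id=u-48213; Domain=.ads.example; Path=/; Max-Age=63072000; Secure; SameSite=None",
    "theme=dark; Path=/",
    "pref=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly; SameSite=Lax",
]

# Fixed "current time" so lifetimes computed from Expires are reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Assumed review threshold: cookies kept longer than this enable long-term tracking.
LONG_LIVED = timedelta(days=365)


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for bare flags like Secure
    attrs: Dict[str, object] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def lifetime(cookie: Cookie, now: datetime) -> Optional[timedelta]:
    """How long the browser keeps the cookie; None means session-only.

    Max-Age takes precedence over Expires, as browsers apply it.
    """
    if "max-age" in cookie.attrs:
        return timedelta(seconds=int(str(cookie.attrs["max-age"])))
    if "expires" in cookie.attrs:
        return parsedate_to_datetime(str(cookie.attrs["expires"])) - now
    return None


def audit(cookie: Cookie, now: datetime) -> List[str]:
    """Return human-readable findings about tracking reach and exposure."""
    findings: List[str] = []
    life = lifetime(cookie, now)
    if life is not None and life > LONG_LIVED:
        findings.append("long-lived: persists more than a year, enabling long-term tracking")
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: also sent over plain HTTP, readable on the network path")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable by scripts running in the page")
    same_site = str(cookie.attrs.get("samesite", "")).lower()
    if same_site == "none":
        findings.append("SameSite=None: sent on cross-site requests, so it can follow the user across sites")
    elif not same_site:
        findings.append("no SameSite attribute: the browser default applies")
    domain = cookie.attrs.get("domain")
    if domain and str(domain).startswith("."):
        findings.append(f"Domain={domain}: shared with every subdomain of that parent domain")
    return findings


def audit_headers(headers: List[str], now: datetime) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie headers, keyed by cookie name."""
    return {c.name: audit(c, now) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS, NOW).items():
        print(name, "->", findings or ["no findings"])
```

Running the block prints one line per sample cookie. The session cookie with Secure, HttpOnly and SameSite=Strict produces no findings, while the two-year, parent-domain, SameSite=None cookie is the one that can recognize the browser across sites and over time, which is the kind of data an online activities breach exposes.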
When Google announced in 2012 that it would start following users across its various web services in an effort to “better tailor its ads to people’s tastes,” it signaled a new era where marketers would keep track of customer behaviors more than ever before. They were actually a late-player to the idea of using online activities information to create a more complete user profile.
Capturing Online Activity
Back in 2010 the FTC began considering the implications of the practice, common among ISPs, of so-called “deep packet inspection.” Specifically, the FTC found the practice especially worrisome because it allows ISPs to create “highly detailed profiles” spanning a customer’s entire online activity history. The FTC considered the use of that information for targeted marketing purposes to be outside what customers intended in allowing their history to be captured and recorded.
When legitimate companies use customer information for legitimate purposes, it can create a more intuitive online experience for individuals. Though, in some cases, it creates scenarios that skirt on the edge of data privacy, dangerously close to creating an Orwellian “Big Brother” scenario. In a worst-case scenario, however, when cyber criminals manage an online activities data breach, the collateral damage to individuals is hard to fathom.
Patreon’s 10M Users Exposed to an Online Activities Data Breach
In late September of 2015 the philanthropy website Patreon suffered an online activities data breach in which an attacker stole and later published 15 GB of data. Included in the published data were details of fundraising campaigns, the identities of individual supporters, and the amount pledged by each patron. Private information meant for the benefit of the site’s users was made public. The compromised information reveals a person’s interests, spending patterns, and income level, and that combination can be used in an extraordinarily broad array of well-disguised targeted attacks.
The following scenarios can occur when the online activity data of a consumer is compromised:
- Targeted Phishing Attacks: A pharming attack is a specialized and very sophisticated process of redirecting the victim’s browsing from an intended legitimate site to the attacker’s bogus website, even though the victim entered the correct, legitimate URL. If the fake website provides the same look and feel as the legitimate one, the victim will never know that business being conducted – and the money being donated / spent – is going straight into the attacker’s account.
- Selling Fake or Stolen Merchandise: Similar to the phishing attack, once attackers know an individual’s interests and spending patterns through an online activities data breach, they can set up websites that have all the markers of legitimacy and offer “deep discounts” on products or services the targeted individual has a history of purchasing. These sites are actually fronts for selling stolen or counterfeit items.
- Targeted Waterhole Attacks: In a waterhole attack the hackers “poison” the attacked company’s system such that every time a visitor requests a legitimate download from the company’s server, a piece of malware comes along with it. Sending the malware to the visitor’s computer is the goal of the waterhole attack. The malware then acts like phishing malware (i.e. a keystroke logger) to provide information to the attacker that can then be used against the victim.
An online activities data breach provides attackers with so many options either to directly monetize their cache of stolen data or to increase the value of that data by gathering more information on the individuals in an effort to create a more complete profile. With such a wide variety of options to use the breached data at their disposal, it’s difficult to believe that 1 – 3 years of credit or identity monitoring, if offered by the breached company, would serve to ameliorate the effects of the breach’s collateral damage.
ThreatModeler’s Out-of-the-Box Solution Identifies, Prioritizes and Mitigates Threats
Since online activities fall under personally identifiable information (PII), organizations are responsible for ensuring this form of data is completely secured. An organization that maps out its threats and vulnerabilities through threat modeling will not only be able to identify, prioritize and prevent threats, it will also be able to inform and drive overall risk management activities.
ThreatModeler has created an automated platform for developers, operations and security teams – known as DevSecOps – to better understand their attack surface. ThreatModeler is equipped with the Threat Intelligence Framework, content that comes from threat intelligence authorities such as OWASP and CAPEC. Additionally, ThreatModeler provides components all mapped out for AWS and Azure cloud environments with security requirements based on their respective guidelines. To learn more about ThreatModeler, we recommend scheduling a live demo. If you’d like to speak with a threat modeling expert, visit our contact page.
Join ThreatModeler at AWS re:Invent and H-ISAC Fall Summit 2019
ThreatModeler will host a sponsored booth at this year’s AWS re:Invent conference. This year’s re:Invent will feature general sessions, breakout sessions, bootcamps, labs and more. Come visit our booth #3809 to explore our latest product capabilities, discuss industry trends and discover how we can improve the security of your AWS, cloud and IT infrastructure services. We recommend stopping by our booth or scheduling a private appointment.
This is the first year that we will be sponsoring a booth at H-ISAC Fall Summit, a conference focused on sharing knowledge, information and advice on healthcare-related security. Join likeminded attendees for general and breakout sessions, keynote speaker presentations and networking opportunities where cyber and physical security is the primary topic.
To set up a private appointment in advance, please send all inquiries to firstname.lastname@example.org.