In our previous article on data breaches, we considered the potential damage that could result from public exposure of your membership information. In this article we examine the potential collateral fallout of an online activities data breach.
At the start of 2012 Google announced that it would start following users across its various web services in an effort to “better tailor its ads to people’s tastes.” Google was actually a latecomer to the idea of using online activities information to create a more complete user profile.
Capturing Online Activity
Back in 2010 the FTC began considering the implications of the current practice by many ISPs of so-called “deep packet inspection.” Specifically, they found the practice especially worrisome because it allows ISPs to create “highly detailed profiles” across their customers’ entire online activity history for targeted marketing purposes – a use of information that, in the view of the FTC, falls outside the customers’ intentions in allowing that history to be captured and recorded. When legitimate companies use such information for legitimate purposes it can create a more intuitive online experience for individuals – though it does come dangerously close to creating an Orwellian “Big Brother” scenario. However, when cyber criminals manage an online activities data breach, the potential collateral damage to individuals is hard to fathom.
Patreon’s 10M Users Exposed to an Online Activities Data Breach
In late September of 2015 the philanthropy website Patreon suffered an online activities data breach in which an attacker stole and later published 15 GB of data. Included in the published data were details of fundraising campaigns, the identities of individual supporters, and the amount pledged by each patron. Private information meant for the benefit of the site’s users was made public, and information that indicates a person’s interests, spending patterns, and income level can be used in an extraordinarily broad array of well-disguised targeted attacks.
Here are a few scenarios for you to consider:
- Targeted Phishing Attacks: A pharming attack is a specialized and very sophisticated process of redirecting the victim’s browsing from an intended legitimate site to the attacker’s bogus website, even though the victim entered the correct, legitimate URL. If the fake website provides the same look and feel as the legitimate one, the victim will never know that the business being conducted – and the money being donated / spent – is going straight into the attacker’s account.
- Selling Fake or Stolen Merchandise: Similar to the phishing attack, by knowing the individual’s interests and spending patterns through an online activities data breach, attackers can set up websites that have all the markers of being legitimate, through which they offer “deep discounts” on products or services that the targeted individual has shown a history of purchasing. But these sites are actually fronts for selling stolen or counterfeit items.
- Targeted Waterhole Attacks: In a waterhole attack the hackers “poison” the attacked company’s system such that every time a visitor requests a legitimate download from the company’s server, a piece of malware comes along with it. Sending the malware to the visitor’s computer is the goal of the waterhole attack. The malware then acts like phishing malware (e.g., a keystroke logger) to provide information to the attacker that can then be used against the victim.
An online activities data breach provides attackers with many options, either to directly monetize their cache of stolen data or to increase the value of that data by gathering more information on the individuals in an effort to create a more complete profile. With such a wide variety of ways to use the breached data at their disposal, it’s difficult to believe that 1 – 3 years of credit or identity monitoring, if offered by the breached company, would serve to ameliorate the effects of the breach’s collateral damage.
In the next article, we’ll explore the potential dangers you face when your geolocation information is stolen.