Proactively managing major data-breach risks

September 2017

On September 7, Equifax, one of the three major credit agencies, publicly announced that it had suffered a major data breach. The company disclosed that unidentified hackers exploited a vulnerability in their website software to gain unauthorized access to company data and exfiltrated it from May through July of this year, impacting as many as 143 million consumers.

The details of the attack — including the identity and nature of the attackers — were not immediately available. If the attackers were financially motivated, they could monetize the data by fraudulently opening new accounts at financial institutions, conducting unauthorized transactions, and selling the data to other criminals. If a nation-state conducted the attack, the stolen information could be used to support espionage operations.

This data breach is the latest in a series of high-profile cybersecurity incidents, and is yet another reminder that organizations should enhance their management of cyber and privacy risks, including those related to identity management, authentication, data encryption, and vulnerability management. Further, organizations should manage cyber, privacy and fraud risks in an integrated way, mindful of how creative fraudsters and hackers might quickly leverage information exposed in one breach to perpetrate either new fraud schemes or new cyberattacks.

 

What are the immediate risks?

The motives of the attackers — either financial gain by criminals or information to support espionage operations by nation-state actors — will determine how any stolen personally identifiable information (PII) might be used. 

Financially motivated attackers

If the attackers were financially motivated, they could use the stolen data to fraudulently open new accounts and gain access to existing ones. Once in possession of personally identifiable information (PII) such as social security numbers, driver’s license numbers, and full names, the attackers may attempt to order new credit cards, request new checkbooks, and open new accounts at financial institutions. They may also seek to modify existing account information and gain access to additional PII. PII presents greater risks than details gained from stolen credit card information because while credit cards can be voided, PII is intimately linked to particular individuals and can be used for a wider variety of fraudulent purposes such as those listed below:

  • Defeating existing identity verifications. Attackers can use PII to answer account verification questions (such as “at which address have you previously resided?”) that organizations ask before helping customers with any transactions, which include approving large transactions, home loans, new lines of credit, and new credit cards.
  • Creating and registering fraudulent accounts. PII can be used to create fraudulent accounts from legitimate identities or synthetic identities.2 In some cases, criminals create accounts where the legitimate user has never registered (e.g., Health Savings Account), making fraud prevention more difficult.
  • Changing passwords for online accounts. PII provides data for criminals to guess password reset questions for online accounts. While most financial institutions have moved away from using this information as a form of online identification verification, several non-financial services firms (e.g., email providers, insurance, and retail services) still rely on this information for identity verification.
  • Selling stolen information to other criminals. The attackers can sell stolen PII in online marketplaces to other criminals, who in turn can use the information to carry out the activities listed above.

Nation-state actors

If the attackers were nation-state cyber actors, the stolen data could be used for the following purposes:

  • Building intelligence dossiers on individuals and organizations. Foreign intelligence services use PII to build dossiers on persons of interest for recruitment. While this type of activity would have a much less severe impact to the general consumer, it can significantly impact the national security of the US government, as it enables a foreign intelligence service to more clearly identify individuals and vet identity information of US persons. For example, foreign intelligence services responsible for data breaches at the Office of Personnel Management (OPM) used the compromised data to support espionage, counterintelligence, and competitive intelligence efforts.
  • Conducting espionage. Foreign intelligence services may also attempt to gain access to key individuals’ online accounts for espionage and counterintelligence purposes. An example of this would be Google’s November 2016 warning to prominent journalists and academics (who may possess more relevant information) that government-backed attackers may have attempted to steal passwords.

 

 

What should organizations be doing now?

In the immediate aftermath of a data breach, organizations should take steps to identify the population of their at-risk customers and communicate with them regarding whether they were impacted and what they should do now. Compliance departments should closely follow federal and state regulations that may require that they inform customers or regulators within a prescribed time period. Once organizations have identified potentially impacted customers, they should suggest that such customers (1) perform a “credit freeze” to restrict a lender's access to the customer’s credit report, (2) change password reset questions for online accounts to questions that do not rely on data that could be found in credit reports, and (3) stay alert regarding online scams using this data breach to solicit sensitive information, such as emails purporting to be from compromised parties that ask for sensitive data.

After a breach, organizations will often receive a significant increase in call volumes from concerned customers. To manage this increased volume, organizations should put into place multi-channel outreach communication campaigns, including creating bespoke web pages to keep clients informed of developments and provide tips and helpful resources, in the hopes of diverting some inquiries away from the call centers.

 

 

Enhance cybersecurity and fraud controls

In addition to client identification and communication, organizations should consider taking the following steps (many of which are more long-term) to mitigate the risk from potentially exposed data and to reduce the probability of this type of event occurring in the future:

  • Encrypt all sensitive personal customer data, including data “at rest.” This way, if an attacker does gain access, any sensitive data cannot be easily accessed and exploited.
  • Harden and reduce your organization’s attack surface by patching or moving vulnerable web applications behind firewalls or restricting access to these applications from external sources. Recent examples of this type of attack include the Apache Struts 2 vulnerabilities (CVE-2017-9805 and CVE-2017-5638).
  • Enhance identity proofing process and capabilities. Examples include having help desk staff call back clients at pre-registered phone numbers, requiring the use of Virtual Private Networks (VPNs) for remote access, and implementing account lockouts after a set number of failed logins.
  • Use behavioral analytics to monitor and detect anomalous activity associated with users accessing sensitive data (e.g., user registration, help desk inquiries, password resets, and sensitive business transactions). By establishing normal network behavior by roles and job functions for accounts with access to sensitive information or systems, behavioral analytics can detect unknown malicious activity targeting an organization’s critical assets.
  • Stay abreast of government regulations mandating businesses to better protect customer data against identity theft.3
  • Develop a coordinated process between cybersecurity and fraud teams for incident response and crisis management processes and procedures. This includes providing a central governance process for investigations, which should include clearly defined escalation paths and communication plans.
  • Ensure that the organization does not rely on the type of stolen information for identity provisioning or identity and password reset services.
  • Provide guidance to call center staff to take extra steps when verifying customer identities to account for criminals employing social engineering techniques who may be posing as clients asking for password resets or other account management activities.
  • Fortify the onboarding process for new merchant and business accounts and reinforce account update procedures for existing merchant and business accounts.
  • Implement an internal communication plan to discuss potential impact to the business and next steps. This should include developing action plans, control changes, and metrics on the performance of mitigating controls, as well as conducting regular calls with senior leadership.

Managing cyber, privacy and fraud risks in an integrated way has never been more important. By establishing a clearer view of the threat landscape and a more coordinated process for investigations and reporting, organizations have an opportunity to significantly improve their risk management posture before the next major breach.

 

  1. Attackers reportedly exploited Apache Struts vulnerability CVE-2017-5638. For additional information see the Apache Software Foundation’s blog.
  2. A synthetic identity is the creation of a fake individual using bits of PII from different, real individuals (e.g., one individual’s postal address, another person’s phone number). Because most firms only check these details in isolation from each other, attackers can potentially use synthetic identities to open fraudulent accounts.
  3. Examples of such regulations include a proposal released by the Federal Reserve Board, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Commission last year, and a final rule released earlier this year by the New York Department of Financial Services. For additional information, see PwC’s Financial crimes observer, Cyber: Banking regulators weigh in and the Financial crimes observer.

 

Contact us

Sean Joyce
US Cybersecurity and Privacy Leader
Tel: +1 (703) 918 3528
Email

David Burg
Global Cybersecurity and Privacy Advisory Leader
Tel: +1 (703) 918 1067
Email

Grant Waterfall
Global Cybersecurity and Privacy Assurance Leader
Tel: +1 (646) 471 7779
Email

Follow us