easyJet emailed me the other day to let me know that my name and email credentials were among the millions of PII records breached in their January cyber attack - but so what? What can anyone do with my name and email address?
When a malicious actor breaches your cyber security (whether personal or business), PII is one of the first things they look for - it's easy to find, easy to sell, and connected in some way or another with probably every private account and file that you own, whether that be financial, health, identification, whatever. Personally Identifiable Information is the first and most important step to conquering an individual's profile. With it, a malicious actor can impersonate you online, or use your name to begin building a profile of who you are, where you live and what your hobbies are; every extra piece of information gathered is another door unlocked into your private affairs and money, personal or business.
Recently I received an email from my CEO - the sender's name was James Kalbassi with the subject: GOOD MORNING - but the email address, when opened, was 'firstname.lastname@example.org'.
James wouldn't even have been made aware of this had a number of our company not flagged it up. The malicious actor had a name and a company association (Paragon) and, as a result, was able to send an email asking for help to a number of people in our organisation; all it would have taken for a disaster would be for one person not to have clocked the email address and to have responded. Fortunately our team's cyber security training pays off regularly, and this is but one of a ton of simple attempts to hack our network that have been thwarted. We're not unique though; this is the case for any business. In fact hackers attack every 39 seconds, on average 2,244 times a day (University of Maryland) - it's a war of attrition!
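The attempt described above is textbook display-name impersonation: the From header carries a trusted name, but the address behind it belongs to a domain the organisation does not control. A mail gateway or SIEM can catch this automatically by comparing the display name against a list of likely-impersonated executives and checking whether the sending (and Reply-To) domain is the organisation's own. The script below is an added example written for this post, not anything from the original article or from Paragon's own tooling; the domain paragon.example, the executive list and the four sample messages are all constructed for illustration.

```python
"""Flag inbound mail whose display name matches a known executive but whose
sender (or Reply-To) address is not on the organisation's own domain.

Added example for this post, not code from the original article. The domain
'paragon.example', the EXECUTIVES list and SAMPLE_MESSAGES are assumptions;
a real deployment would pull the first two from the mail gateway config and
the directory, and read messages from the gateway rather than a list.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed: the organisation's own sending domain(s) and the people most
# likely to be impersonated in a business email compromise attempt.
ORG_DOMAINS = {"paragon.example"}
EXECUTIVES = {"james kalbassi": "james.kalbassi@paragon.example"}


def normalise_name(name: str) -> str:
    """Lower-case, strip accents/punctuation and collapse whitespace so that
    'JAMES  KALBASSI' and 'James Kalbassi' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().replace(".", " ").split())


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message: str) -> dict:
    """Classify one RFC 5322 message as 'internal', 'external' or 'impersonation'.

    A message is an impersonation when its display name matches an executive
    while the From domain or the Reply-To domain is outside ORG_DOMAINS; the
    Reply-To check catches the variant where From looks fine but replies are
    routed to an attacker-controlled mailbox.
    """
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    from_domain = domain_of(from_addr)
    reply_domain = domain_of(reply_addr) if reply_addr else from_domain

    name_matches_exec = normalise_name(display) in EXECUTIVES
    from_internal = from_domain in ORG_DOMAINS
    reply_internal = reply_domain in ORG_DOMAINS

    if name_matches_exec and not (from_internal and reply_internal):
        verdict = "impersonation"
    elif from_internal:
        verdict = "internal"
    else:
        verdict = "external"

    return {
        "subject": msg.get("Subject", ""),
        "display": display,
        "address": from_addr.lower(),
        "reply_to": (reply_addr or from_addr).lower(),
        "verdict": verdict,
    }


def triage(messages: list) -> list:
    """Run check_sender over a batch and return the verdict dictionaries."""
    return [check_sender(m) for m in messages]


# Constructed sample messages (not real traffic): the attempt from the post,
# a genuine internal mail, an ordinary supplier mail, and a Reply-To hijack.
SAMPLE_MESSAGES = [
    "From: James Kalbassi <firstname.lastname@example.org>\n"
    "Subject: GOOD MORNING\n\nAre you at your desk? I need a quick favour.\n",
    "From: James Kalbassi <james.kalbassi@paragon.example>\n"
    "Subject: Board pack\n\nAttached as discussed.\n",
    "From: Jane Supplier <jane@supplier.example>\n"
    "Subject: Invoice 1042\n\nPlease find the invoice attached.\n",
    "From: JAMES KALBASSI <james.kalbassi@paragon.example>\n"
    "Reply-To: ceo.kalbassi@webmail.example\n"
    "Subject: Quick task\n\nCan you sort this for me today?\n",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(f"{result['verdict']:<13} {result['display']!r:<20} "
              f"{result['address']} (replies to {result['reply_to']})")
```

The name match is deliberately exact after normalisation; in production you would also want lookalike-domain checks (paragon-example.com, rn for m and so on) and to treat an internal-looking From on an inbound connection as suspicious in its own right, since that should already be failing SPF and DMARC at the gateway.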
So PII - more valuable than one might think - but what happens once the data has been stolen?
Usually it finds its way onto dark web marketplaces to be sold to the highest bidder (imagine a virtual auction house, but quieter and far more efficient). Often a small handful of records is 'sampled' or sold very cheaply so buyers can confirm the data is genuine, and the price then rises with the profile of the victims whose data it is.
For example, 500 million consumers had their information compromised in the Marriott-Starwood data breach made public in 2018, with the intrusion dating back to 2014. (Marriott) Among these consumer details were 30,000 US military personnel passport and PII records. While the average Marriott customer's details would have sold for somewhere in the region of $20 to $100, the military passport information sold for closer to $1,000 per record.
Yahoo's breach, disclosed in 2016 and later found to have affected all 3 billion of its accounts, was one of the biggest of all time. (NY Times) That is an enormous amount of money to be made from the usernames and passwords stolen, and the attacks seeded by those stolen and purchased records (credential stuffing against reused passwords, targeted phishing) will still be in circulation in some malicious form today.
The Equifax breach cost the company over $4 billion in total (Time Magazine), and the average cost per record stolen is $150. (IBM) The price of data is high, its value is paramount to a malicious actor's success, and as our work environments become ever more remote and digital the number of attacks will only continue to rise - protecting a business with cyber security and insurance has never been so important.
Personally identifiable information (PII) is any data that can be used to identify a specific individual. Social Security numbers, mailing or email addresses, and phone numbers have most commonly been considered PII, but technology has expanded the scope of PII considerably. It can include an IP address, login IDs, social media posts, or digital images. Geolocation, biometric, and behavioural data can also be classified as PII.