
Average cost of a customer’s personally identifiable information (PII) is $175 per record

Intensifying data breaches push companies towards strengthening network perimeters

A recent data breach exposed the personally identifiable information of 500 million LinkedIn users, and the same number was affected by the Facebook leaks a few weeks prior. Businesses ask for far more customer data than their services require, yet repeated breaches show that they frequently don’t live up to the security expectations that come with holding it. Companies shouldn’t leave customers out of the picture, because carelessness with data directly increases the chances of identity theft.

The Facebook data, allegedly collected before August 2019 and posted publicly only recently, covers 533 million users in 106 countries and includes their Facebook IDs, names, locations, birthdates, and email addresses. A day later, a LinkedIn user database showed up on a hacker forum, containing similar fields plus the victims’ workplaces.

Cybercriminals obtained the data by scraping: rather than exploiting a flaw in the code, they pointed an automated client at a legitimate feature and harvested whatever it returned, at scale. In Facebook’s case the feature was a now-defunct contact-import tool that let users find friends by phone number; queried with large ranges of numbers, it let the scraper match each number to an account. The LinkedIn data also appears to have been assembled in part from earlier, already known LinkedIn breaches. The practical lesson for defenders is that any lookup or matching endpoint exposed to the public needs rate limiting and enumeration detection, not just patching.
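The scraping pattern described above is easiest to see from the defender’s side of the logs. The following is an added example (not code from the article, Facebook or LinkedIn) that runs a simple enumeration detector over constructed access-log lines for a hypothetical `/contacts/lookup?phone=...` endpoint; the log format, endpoint name, thresholds and clients are all assumptions. A client that queries many distinct numbers in a short window, most of which do not match an account, is flagged.

```python
"""Detect phone-number enumeration against a contact-lookup endpoint.

Added example, not code from the original article. It assumes a
hypothetical access-log line format:
    <ISO timestamp> <client_id> <method> <path> <status>
with lookups arriving as GET /contacts/lookup?phone=<digits>.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

WINDOW = timedelta(minutes=5)   # sliding window over each client's lookups
MAX_DISTINCT = 20               # more distinct numbers than a person would check
MAX_MISS_RATIO = 0.5            # share of 404s that suggests guessing numbers


def parse_line(line):
    """Return (timestamp, client, phone, status) for a lookup line, else None."""
    ts, client, method, path, status = line.split()
    url = urlparse(path)
    if method != "GET" or url.path != "/contacts/lookup":
        return None
    phone = parse_qs(url.query).get("phone", [None])[0]
    if phone is None:
        return None
    return datetime.fromisoformat(ts), client, phone, int(status)


def find_scrapers(lines):
    """Return {client_id: reason} for clients whose lookups look automated."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, client, phone, status = parsed
            events[client].append((ts, phone, status))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most WINDOW of time.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            distinct = {phone for _, phone, _ in window}
            if len(distinct) > MAX_DISTINCT:
                misses = sum(1 for _, _, status in window if status == 404)
                reason = "distinct-number volume"
                if misses / len(window) >= MAX_MISS_RATIO:
                    reason += " with high miss ratio"
                flagged[client] = reason
                break
    return flagged


def sample_log():
    """Constructed log lines: one ordinary user and one enumerating client."""
    base = datetime(2021, 4, 10, 12, 0, 0)
    lines = [f"{base.isoformat()} user-a GET /home 200"]  # non-lookup traffic
    # Ordinary user: three lookups of known contacts over a few minutes.
    for i, phone in enumerate(["15550000101", "15550000102", "15550000103"]):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} user-a GET /contacts/lookup?phone={phone} 200")
    # Enumerating client: 40 consecutive numbers in 80 seconds, mostly misses.
    for i in range(40):
        t = (base + timedelta(seconds=2 * i)).isoformat()
        status = 200 if i % 5 == 0 else 404
        lines.append(f"{t} bot-7 GET /contacts/lookup?phone={15550001000 + i} {status}")
    return lines


if __name__ == "__main__":
    for client, reason in find_scrapers(sample_log()).items():
        print(f"{client}: {reason}")
```

The thresholds are deliberately simple; in production they would be tuned per endpoint and combined with per-account and per-token limits, since a scraper spreading requests across many IPs defeats a purely per-client count.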

IBM estimates that the average cost of a customer’s personally identifiable information (PII) is $175 per record. By that measure, the overall value of the Facebook and LinkedIn databases would be enormous. In practice, however, the price of each record depends on the type of information it contains and what it can be used for.

For example, cyber criminals demanded a $42 million ransom from a New York law firm after seizing 750GB of personal details on top-tier clients, including Lady Gaga and Madonna.

Personally identifiable information accelerates social engineering

Hackers can use leaked email addresses for scams and phishing campaigns. Phishing is the most prevalent initial attack vector, allowing criminals to get a foothold on the victim’s network. Contact information can also end up in the hands of grey-zone marketers, who use it in their email campaigns.

The more information hackers have about a victim, the harder it is for that victim to recognise an attack and stay vigilant. Even publicly available details on marital status, children, employment, and leisure activities can make a fraudster’s claims appear legitimate.

Contact and personal information combined with social security numbers are prized by tax-season scammers. They file fraudulent tax returns in their victims’ names, stealing $27 billion every year from both individuals and enterprises.

“Data is a digital asset: marketers use it to find their audience, developers adopt software products examining user patterns, and artificial intelligence ensures our lives remain convenient.

People start to understand that online data is still a part of their identity, and its compromise can impact everyday life. Thus lawmakers are trying to change the rules of the game, giving users more control over their PII online”, says Juta Gurinaviciute, the Chief Technology Officer at NordVPN Teams.

Regulators in Europe and the US are siding with users by implementing various data protection policies. Companies in the EU have to comply with the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) protects Californians on the other side of the Atlantic. Unfortunately, attackers can also turn the mechanisms those rules mandate to their advantage.

Regulations are not enough to ensure protection

Recently, a security researcher showed that the processes built to satisfy GDPR can themselves leak sensitive PII. Data Subject Access Requests (DSARs) oblige an organisation to hand over the data it holds on a person; by submitting such requests without having to prove identity, the white-hat researcher retrieved records from roughly 6,000 organisations that handled DSARs through the same off-the-shelf management program. The check that was missing is the obvious one: a DSAR must verify that the requester is the data subject before any data is released.

“Effective data protection is holistic, incorporating the user, the enterprise, and the legislator. People must be aware of the information they share online and how crooks can leverage this in social engineering attacks against them. However, enterprises shouldn’t be left out of the picture: is the data collected worth the risk of a breach?” asks Gurinaviciute.

Businesses should thus establish clear data collection guidelines and handle only the PII necessary for service delivery. Even then, they should ensure the strictest cybersecurity measures, ranging from encrypted VPN connections to ZTNA-based access control to software-defined perimeters (SDP). Note that such perimeter controls protect internal systems; a lookup feature deliberately exposed to the public, like the one abused in the Facebook case, must be protected by its own rate limiting, abuse detection and data minimisation.

One billion leaked Facebook and LinkedIn records may not have contained top-secret data, but there are endless bits of valuable information ‘under the hood.’ If that were compromised, hackers could reconstruct victims’ movements from location data or discover their political beliefs. The highest cost of a data breach is reputational. Thus, companies must tirelessly strengthen their perimeter to protect their assets and ensure that customer PII is protected.