“There are so many insecure sites,” says Chester Wisniewski, senior security advisor with the international cyber security company, Sophos. “You could find thousands of them every day if you went looking for them.”
Cyber criminals go looking for exactly those kinds of places.
“It’s coordinated opportunism,” as Wisniewski calls it. “They look for places where people have ‘left the door open.’ They are looking for the juiciest one. The ones they are looking for are ones they can make money from. When they find unlocked doors, they go back and search the domain names to see which ones have information they can profit from in some way,” says Wisniewski.
In 2011, a Canadian human resources company in Toronto called Drake International was the target of cyber theft. Cyber ’nappers broke into company files and found the names, social insurance numbers, addresses, e-mails and reams of other personal information related to some 35,000 of Drake’s clients. They copied the records and destroyed Drake’s computer files.
Rather than sell the information on the information black market, they offered to return the information for $5 million.
“They were being extorted. The company’s data had essentially been kidnapped for ransom,” says Wisniewski. “Drake called the RCMP and reported the kidnapping. They didn’t hide, they refused to play ball. They also ended up having to pay for credit monitoring for all the people whose data was stolen,” says Wisniewski.
“I am aware of other cases where companies in the same situation have paid the ransom to have the data returned,” says Wisniewski, who declines to divulge names.
In 2009, thieves stole hard drives containing data of one million clients in an after-hours burglary at the Tennessee offices of health care insurance company, Blue Cross.
The company was later fined $1.5 million for not maintaining proper data security. It was also ordered to pay for credit monitoring services for its customers. There is, however, little evidence to show that any harm was done to Blue Cross clients.
Law professor and cyber security expert Fred Cate, from the University of Indiana’s Center for Applied Cybersecurity, says that there is very little reason to believe that consumers actually suffer economic harm as a result of cyber criminals hacking into databases.
“If it is financial data or credit card data (like the recent Target Stores breach), mostly it is banks or companies that are harmed, not the individual,” says Cate.
TransUnion, one of the three national credit bureaus in the US, reports that the Federal Trade Commission says that there were 9.9 million incidents of identity theft in 2013. The credit bureau says that 19 people a minute fall victim to identity theft, and that it costs on average $500 and takes 30 hours to resolve each identity theft crime.
TransUnion also reports that in 50 percent of all identity theft cases it’s a relative, family member, friend, neighbor or an in-house employee that is the perpetrator of the crime.
“And we don’t know where the Tennessee Blue Cross data ended up,” says Wisniewski. “We’re working on the assumption that no one was harmed but we don’t know. The hard drives were probably sold on eBay. We don’t know if someone looked at the data or sold the data.
“Identity theft is a perpetual nightmare,” says Wisniewski. “You can’t get a new birthday and it is extremely rare that you would be given a new social security number in the US. You never know when it is going to be over.”