I’m sure many are curious to find out where and how their data is used after hackers gain access to their information. According to a recent study, hackers are reportedly able to use leaked data within 9 minutes of it being posted.
Mr Salsburg, chief counsel and acting chief of research and investigation project at the FTC (Federal Trade Commission), reiterated the mysteriousness of what happens to data when it’s publicised:
“…there’s a real mystery of what happens to consumer data when it becomes public.”
But the dangers of how quickly it can be used are evident.
FTC’s role and example of their enforcement
Since 2002, the FTC has brought over 60 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk.
One such example is dating site Ashley Madison that was subjected to a hack. It transpired that the website allegdly deceived consumers and failed to protect 36 million users’ account and profile information in relation to the July 2015 data breach. Ashely Madison agreed to implement a data-security programme and also agreed to pay a total of $1.6 million (£1.2 million) to settle FTC and other actions.
FTC’s presentation
In the FTC presentation, headed by Tina Yeung and Dan Salsburg at the FTC Office of Technology Research & Investigation, they stated that “if you post it, they will use it.”
They emphasised the fact that when sensitive consumer data such as credit card information or email login details are publicised – whether accidentally or purposely – it only takes cyber-hackers/thieves a matter of minutes to make an unauthorised access attempt. If not minutes, then at best, only a few hours; they warned that they’re quick to leech onto the information.
FTC’s study
In order to oust some of the mysteriousness, researchers created 100 consumer profiles, making up names, gathering addresses from a national database, phone numbers and emails for the purposes of the study. Researchers also created payment methods for the study – online payment account, bitcoin wallet or a credit card. Passwords were also set up for the purposes of the study.
Upon setting up these batches of consumer profiles, Mr Salsburg states:
“…our goal was to make this customer database look as realistic as possible.”
The made-up database was released twice on a website known to cyber-thieves.
Within 90 minutes of the first release, some cyber-thieves had already tried to access the email and payment accounts – there were 100 views.
The researchers released the information again a week later – there were 550 views. It only took 9 minutes for the cyber-thieves to leech onto the information and start using the false data to make purchases as well as attempting to access the accounts.
The total amount of credit card purchase attempts amounted to $12,825.53 (£9,901.31) in just 2 weeks.
The noteworthy attempts of using the credit card information were on online dating services, pizza places and hotels.
FTC’s advice
The FTC’s study provides 3 insights that could assist consumers in protecting their data:
- Continuously monitor your accounts – setting up alerts for suspicious transactions like big purchases and purchases made abroad could increase the protection on your accounts.
- Enable two-factor authentication – this can force cyber-thieves to hold additional ID knowledge beyond the password. This could also be used as a notification system that someone is trying to log into your account from a different device.
- Put additional precautions in place – it’s important to be proactive and not reactive, because when cyber-hacks have already taken place, the damage has already been done. Proactive steps could include using a complex password which is unique to each and every one of your accounts.