How to Protect Personally Identifiable Information from Ransomware Attacks

Cybercriminal
Personally Identifiable Information (PII) is defined as any information that can be used on its own or combined with other information to identify, contact or locate an individual. This can include information maintained by an agency that could be used to discover or trace an individual’s identity. Some examples of PII include your full name, date and place of birth, social security number, mother’s maiden name, or biometric records. PII also includes information that can be linked to an individual such as medical, educational, financial or employment information.

Why do Cybercriminals Want my PII?

Cybercriminals are making a great deal of money by selling your PII on the dark web and those who purchase the data use it in identity theft. Your PII can be used to file false tax returns, open lines of credit or to make fraudulent purchases under your name.  This is just a few examples of what cybercriminals can do with your PII. The price for pieces of your PII has come down significantly over the last two years. In late 2015 Trend Micro reported that the price for PII has dropped from $4 to $1. There are supply and demand economics at work in the criminal world, too.

 “There’s actually a big surplus of PII currently available in the cybercriminal underground. This has caused its price to drop significantly, from $4 last year to $1 this year,” the study found. – Trend Micro

It doesn’t seem like cybercriminals are making a lot of money at $1 per record when you are considering just your own PII.  However, cybercriminals are infiltrating large companies like Anthem and stealing millions of records at a time. Millions of records stolen at even $1 a record is a large sum of money. Cybercriminals can make more money selling PII from one major breach than you have probably earned in your lifetime.  Not too bad for a day’s work.

Credit Cards, EBay Accounts – Going Once, Going Twice, SOLD !

CreditcardsCredit card numbers, eBay accounts, and mobile phone accounts are also being sold on the dark web for a significant profit for cybercriminals. Login credentials for bank accounts are going for $200 to $500 per account. The larger the available balance of a bank account, the more money a cybercriminal can demand for it. Mobile phone accounts are selling for $14 per account and PayPal and EBay accounts can go for $300 each.

What is interesting about Trend Micro’s report “Dissecting Data Breaches and Debunking the Myths” is their finding that the main reason for a data breach is not due to cybercriminals at all but in fact a product of the user. 41 % of data breaches were the result of a user losing or having their device stolen, while 25% was due to hacking and malware.

It’s important that companies scrutinize and secure the sensitive information that is stored on their employee’s devices like mobile phones, laptops, and flash drives. If any of these devices are lost or stolen, they become an easy way to steal data.

Doesn’t Ransomware Only Encrypt Data?

It is true that so far ransomware variants have encrypted data and held it ransom. Having PII stolen in a ransomware attack has not happened yet, but I believe that is the next evolution of ransomware.  Once the cybercriminals have copied your data offsite, they can demand a ransom over and over again.

I believe the next variant of ransomware will encrypt your data locally and in addition, will use exfiltration to copy your data offsite and hold it for ransom. If cybercriminals get your PII, they can collect the ransom from you to decrypt the data and further profit from selling the PII on the dark web.

How Can I Protect my PII?

There are a number of things you can do today to protect your PII. I recommend all businesses who collect and store customer PII to read the DHS guidelines for dealing with PII.

Thoroughly Inspect All Emails Received

Ransomware attacks are primarily delivered through email campaigns where the cybercriminals spoof a fax delivery, bank statement or utility bill.  Clicking on the link or attachment starts the crypto ransomware infection, and the end user doesn’t even know they are infected until after the ransomware has encrypted their data. Only after the data is encrypted do you get at least two pop-up messages with the ransom demand.

Encrypt Data on Devices

Do not transport any data that contains PII unless that device has been encrypted. Do not remove sensitive PII from the workplace unless instructed by a manager. Never leave sensitive PII in hard copy unattended and unsecured.

Use Two-Factor Authentication

Two-Factor Authentication is an excellent security mechanism that adds another layer to your complex passwords already in use. With Two-Factor Authentication, a user not only has to provide their password but they also need to input another component which is usually something that the user knows, something that the user possesses or something that is inseparable from the user. For example, you might use a product like Google Authenticator.  After supplying your account password, you will get prompted for a six digit code supplied by the authenticator app. The App generates a new and unique random code every 30 seconds.

Good luck and stay safe out there with you “Private Information” !!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.