Individuals whose information has been stolen in a commercial data breach are already at increased risk of being the victims of crime, including identity theft. But a warning from the FBI on Wednesday makes clear that identity theft isn’t the only danger awaiting victims of a breach.
The FBI’s Internet Crime Complaint Center (IC3) issued a Public Service Announcement about extortion attempts targeting victims of “high profile data thefts.” Recipients are told, via e-mail, that personal data, including financial information and “other personal details” will be released to the recipient’s social media contacts, family and friends unless a ransom is paid.
Ransoms are demanded in Bitcoin, the virtual currency, and range from 2 to 5 Bitcoin ($250 to $1,200 at current exchange rates). Samples of menacing emails connected to the scams include gems such as:
“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”
And:
“If you think this amount is too high, consider how expensive a divorce lawyer is.”
Nice.
One thing that isn’t clear from the FBI warning, however, is whether the extortion attempts have any actual link to the data theft, and whether extortionists are truly in possession of the data and account access they claim. The FBI notes that there seem to be multiple groups of fraudsters that are active, and that they “quickly use the news release of a high-profile data breach to initiate an extortion campaign.”
It could certainly be the case that the campaigns are more or less indiscriminate, looking to capitalize on news of a large breach. That would be the same numbers game cyber criminals used to play by sending indiscriminate phishing campaigns aimed at customers of large, national banks, on the expectation that the messages would land in the inboxes of more than a few customers of those banks.
But it could be that cyber criminals really are mining data breaches for more personalized attacks: using leaked emails and passwords to move laterally and compromise social media accounts, or mining leaked data for answers to password reset questions and the like. That is certainly a much higher-percentage scam than cloning credit cards in the hope of using one before the account is closed.
Under the “personal responsibility” heading, the FBI is recommending that individuals who receive such email extortion attempts not communicate with the scammers and lock down social media accounts with the highest possible security settings. Storing sensitive or embarrassing photos online or on your phone is also a no-no, the FBI warned.
One clear take-away, however, is that data breaches are not a victimless crime. And that’s important because of the ongoing debate about whether consumers whose information was leaked in a breach can claim to have been damaged by it, even in the absence of fraudulent charges and other economic harm.
If indiscriminate, the extortion emails are just a byproduct of large breaches – with no direct link to them. But if individuals who have had data exposed in a breach are being individually targeted by extortionists, then clearly they have experienced a specific harm directly related to the theft of their data – and that holds even if no economic harm is visited upon them by the extortionists.
That’s a point that companies, their customers, lawmakers and the courts should all consider, as the pace of large breaches steps up.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.