Back in November, two of the largest data breaches ever occurred, but despite being headline news, many people outside the security industry failed to notice because they simply did not recognize the brand names associated with the breaches — People Data Labs and Oxydata, two large market research firms.
The unique aspect of these data breaches was the actual data stolen. The breaches did NOT include social security numbers, credit card and banking account numbers, addresses, or passwords. Instead, it included information on up to 1.5 billion people including over “a billion personal email addresses, more than 420 million LinkedIn URLs, more than a billion Facebook URLs and IDs, and more than 400 million phone numbers” per Wired. Forbes notes that People Data Labs bills themselves as the “source of truth for person data” and has “unparalleled coverage across over 150 data points” while Oxydata has aggregated data on over 380 million people and 14 million companies.
These two companies scour the public domain online and gather all of your information to sell to companies and advertising firms to market you. This type of market research is legal, highly unregulated, and a normal part of the advertising/marketing industry. However, this information in the wrong hands goes far beyond the creepy factor where you see an ad on Facebook of a product you just looked at on Amazon.
Most people know phishing is a common tactic hackers use where they send millions of emails to random email addresses hoping unsuspecting people will click on a link. Phishing is a numbers game where a .01% click rate on 10,000,000 emails still nets them 10,000 clicks where they can quietly install a ransomware virus onto your machine or trick you into providing your email login credentials.
The more specific form of phishing is called “spear-phishing” where cybercriminals research the target and send a highly tailored email to the target, generally a business executive, wealthy individual, or someone with access to confidential data like an HR director. Because the message is customized, their percentage of clicking is much higher than .01% and they know the target has access to something they want.
After these two breaches, hackers now have 150 data points on over 1 billion people, including 260 million Americans, at their fingertips. How do we know cybercriminals have this information? This week, we’ve gotten over 500 alerts that our clients’ information was found on the Dark Web related to the People Data Labs and Oxydata breaches.
We expect cybercriminals will do the following tactics with this highly detailed data about you:
Unfortunately, you cannot delete information off the internet, especially if it is on the Dark Web already.
You need to stay vigilant and confirm suspicious emails, especially from people you know randomly asking for data like account numbers, personal information, or for you to do something like buying gift cards. Look at details like the email came from an email outside your company email and the hackers just added an “s” to your domain name.
Change your passwords to something complex that has lowercase and uppercase letters, numbers, special characters, and is at least 8 characters, if not 12 characters long. We also recommend not reusing passwords, in particular, never use the same password as your personal or company email.
Always utilize two-factor authentication where available, especially on your email, financial, and social media accounts.
You can also utilize identity theft monitoring to quickly alert if something looks suspicious or if your identity has been stolen. These services will also help you much faster and thoroughly than you can do alone.
Unfortunately, we live in a world with cybercriminals and we must stay diligent to protect ourselves, our family & friends, our companies, and our clients. Although these two breaches did not include sensitive information like passwords and social security numbers, the data stolen adds a whole new level of sophistication and personalization to a hacker’s arsenal.
If you’re concerned about your company’s cybersecurity, please reach out to us and let’s discuss how we can better secure your data, train your team, and protect your company. We can also run your company’s domain name in our Dark Web database for free so you can see if you have passwords and personal information already accessible to cybercriminals.
6620 Riverside Drive, Suite 200
Metairie, LA 70003
347 W. Bert Kouns Industrial Loop
Shreveport, LA 71106