Recent data breaches at Superdrug and T-Mobile have thrust data security into the headlines once again. In fact, these types of breaches have become so common that consumers are somewhat desensitised to the news.
However, a new extortion scheme should serve as a reminder that neither businesses nor consumers can afford to become complacent when it comes to basic security practices. The scam comes in the form of an email referencing an old password to grab the victim’s attention, and demanding payment in the form of Bitcoin, in order to avoid personal images and webcam videos being released on the internet.
This recycling of old credentials by cyber criminals has become all too common. So far, this scam has relied on passwords from up to a decade ago, gleaned from old data breaches and scrapes of internet forums, and has used them as a shock tactic in the hope that individuals are still using these.
It’s also expected that customers will soon be targeted with more up-to-date passwords and other personal information exposed by recent breaches. It’s easy to see how the impact of one data breach can spread, and if you’re worried about whether your personal information has been stolen, you can visit Have I Been Pwned? to get an idea of who has hold of your details, as well as the compromised data that you would need to change.
We’ve seen many other examples of how credentials can be leveraged by cyber criminals, including a recent attempt to extort a ransom from Superdrug. A lone hacker had used credentials from other websites to access Superdrug customer accounts and gain more details – a method known as credential stuffing – clearly demonstrating how a cyber criminal can take advantage of individuals not using unique passwords.
Superdrug avoided any significant damage as a result of this attack, but reputational and business losses, as well as an increased risk of penalties under GDPR and successful extortion from cyber criminals, are all potential consequences of lax data security.
To protect themselves and their customers from threats now and in the future, all businesses must get the basics right and prioritise strong security measures. This means implementing and regularly testing robust security controls across all areas of the business.
Businesses should also take responsibility for educating customers on the dangers of reusing passwords for multiple accounts, actively preventing them from using weak passwords and raising awareness of emerging internet scams.
Get in touch to find out how we can help your business to become more resilient against emerging cyber threats.