Large-scale data theft is increasingly big business for professional cyber criminals, writes Professor Mark Skilton following the announcement of a major cyber security breach at Talk Talk. Personal identity data records and account details command an increasingly high value on the open market, as they can be used to masquerade as the victim to access and steal other data, or to gain direct access to personal bank account money and make fraudulent transactions.
Breaches of personal identity data are a core theme. For example: details of 76 million households and 7 million small businesses were stolen from JP Morgan bank; 80 million personal medical records from Anthem Medical Insurance; and 5.6 million fingerprints and 22 million personal records were stolen in the US Government OPM data breach.
It was reported that some of the Talk Talk data was not encrypted, suggesting again that lessons were not learnt on controlling sensitive content. This is another recurring theme of data breaches: a lack of strong data controls. Dan Rosser from PA Consulting has written on good digital trust. He believes that the latest Talk Talk data breach shows the importance of digital trust to major brands in this digital age. As well as the short-term activity of fixing the security vulnerability and improving processes, he believes that Talk Talk’s major longer-term challenge will be winning back the confidence of its 4 million customers to trust them with personal and financial information, even if those customers don’t directly get targeted by the cyber criminals themselves.
Minutes not days count
Talk Talk appears to have learnt the lesson of a quick media response to manage the damage to reputation, whereas Sony, Target and others delayed by days and weeks before telling customers, which compounded the brand damage. Talk Talk has alerted banks to the theft to try to limit the follow-on from the last 24 hours, but this is now too late as the data will already be on the move in the cyber criminal community. All that can be done is to rapidly change the “locks” and identity management of the millions affected, but that’s not easy of course. Why was this done?
So what can customers do now?
Advice from digital trust practice includes:
- If your Talk Talk username is your email address and you use that email/password combo anywhere else, change it immediately wherever you use it. And make your Talk Talk password unique to that site from now on. The attackers may still be in there!
- Check frequently for odd activity on sites where you used the same Talk Talk log in credentials. Go back over your online bank account and check for any transactions you don't recognize. Also, check your account details (home address etc) are correct.
- Keep watching for reliable news stories about the breach. It will take a while for the full details of how you might be affected to come out.
Mark Skilton, Professor of Practice in Information Systems & Management, Warwick Business School