Are you seeing an increase in spam emails after a data breach?
Earlier this year, we shared how cybercriminals were found stealing Tesco loyalty points/Clubcard vouchers. In this case, it didn't appear that Tesco was responsible for the data breach. Instead, Tesco said that cybercriminals were using data that had been stolen in other breaches to try and break into customer accounts.
And this wasn't the only such case that came to our attention.
Less than a week later, we were contacted about a similar breach at Boots. On this occasion, Boots told customers that their accounts may have been accessed by someone who obtained their usernames and passwords elsewhere. Again, it does not look like these details were obtained from Boots.
Are cybercriminals using stolen data?
It certainly seems so. And, when a data breach occurs, stolen personal information is often found for sale on the dark web.
A hidden section of the internet, the dark web allows users to remain anonymous and untraceable. It is popular with cybercriminals looking to buy and sell data. Full ID packages - which usually include the name, address, online passwords, banking data and other identifying information of an individual - are offered for sale on several popular online black markets.
According to reports, more basic personal data is selling for as little as £10 on the dark web. That is worrying because, in our experience, cybercriminals can do extensive damage with just names and email addresses.
Is your data being used against you?
Worryingly, at Hayes Connor, we are hearing from people who have seen a significant increase in spam emails since the Tesco and Boots data breaches. According to one person:
"I was part of the Tesco breach, and since they notified me, I've had 25 phishing scam attempts from Netflix, Apple, PayPal and others, some of them are very convincing. As well as some very dubious emails from dating sites which I 100% have never signed up for!"
The increase in phishing attempts is worrying because, if successful, this form of fraud can be devastating to those affected.
What is phishing?
Phishing is where a fraudster poses as a legitimate organisation, the police, or someone else you trust to trick you into handing over sensitive information such as usernames and passwords. This is much easier to do if they already have some information about you.
Too many people use the same, simple passwords and logins for many different accounts. So, when a data breach occurs, it is relatively easy for criminals to use this information to carry out phishing crimes.
Your data has value
Speaking about this issue, expert data protection solicitor and Hayes Connor MD Kingsley Hayes said:
"At Hayes Connor, one argument we often hear from companies that have had data stolen from them is that it's not a big deal. But, while there is a misconception that some forms of personal data are not as valuable as financial data, this isn't necessarily the case.
"Cyber-criminals are using email addresses and passwords stolen in a data protection act breach to extract additional information from victims (such as banking details). In fact, for just £6 cybercriminals can buy a "how to obtain loans" guide on the dark web which gives step-by-step instructions on how to take out a loan using stolen data. The guide does not require any special skills to follow the instructions.
"What's more, fraudsters are becoming increasingly sophisticated and are now capable of piecing together different bits of data to build a complete profile on a person. And, once they have that, they are using this information to carry out further attacks and theft."
Keeping you safe after a data breach
Follow these tips to prevent cybercriminals from using your stolen data against you:
- Contact your bank or credit card provider immediately if you spot any unfamiliar transactions or suspicious activity
- Keep an eye on your credit score for any unexpected dips and contact all the major credit reference agencies to ensure credit isn't taken out in your name
- Beware of emails with poor spelling and grammar. This is one of the most common signs that an email isn't legitimate. However, phishing scammers are getting more sophisticated, and sometimes it's almost impossible to tell a fake email from a real one
- Roll over hypertext links (without clicking them) to see if the actual URL differs from the one displayed. You should also hover your mouse over the email address in the 'from' field to see if the website domain matches that of the organisation the email claims to be from
- Always question uninvited approaches (calls, emails, texts, letters, etc.) that ask you for further information in case it's a scam. Don't assume a communication is authentic. Just because someone knows your details (such as your name and address or even your mother's maiden name), it doesn't mean they are genuine
- Understand that a legitimate bank or other financial organisation will never contact you to ask for your PIN or full password. Nor will they ask you to move money to another account for fraud reasons
- If you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware
- Register with the Cifas protective registration service
- Change your passwords regularly and consider using a password manager to generate and store different passwords for each account
- Use two-factor authentication (2FA) wherever possible.
Upholding your data privacy rights following a data breach
Hayes Connor Solicitors is a law firm operating in the data breach and protection sector. We help our clients to claim data breach compensation following data protection violations, GDPR breaches and other cyber offences.
Our firm has established itself as the leading niche provider of legal services in this area. A relatively new and evolving area of law, this is all we do. Consequently, we have become a specialist in data protection law and data breach compensation claims, and we lead our field when it comes to understanding the complexities involved. This means you get the very best level of legal support available.
With all the experience and expertise needed to win - even against the biggest companies - we protect your rights and hold organisations to account for their failures.
For more information on how to keep your data safe, follow us on Twitter and Facebook.