Stolen Data Stockpiled for Future Attacks Beyond E-Commerce Fraud

A report by e-commerce fraud prevention company Forter found that while online fraud attacks spiked across industries, the scale doesn’t match the amount of data stolen in breaches last year. The researchers surmise that “compromised data is being stockpiled to use in future attacks.”

“The air -ravel industry surprisingly saw fraud attack rates decrease 29 percent between the fourth quarter of 2017 and the fourth quarter of 2018, indicating that data from the 2018 breaches in the sector hasn’t yet been used to scam merchants and customers,” the researchers said.

But who is to say that the stolen data is being stockpiled solely for merchant and consumer scam attacks? Data has many uses on the dark side. While scamming merchants and customers tends to be profitable, it’s also the low-hanging fruit for aspiring criminal minds. There are, as it’s said, bigger fish to fry, more ways than one to skin a cat, and loads of bounty to be mined from large data stores.

Accordingly, MSSPs should think bigger in providing cybersecurity services for their customers. For starters, think in terms of expanding the security focus to include potential attacks on new, yet foreseeable and unique vulnerabilities unfolding over time.

Take for example the very likely possibility that data from multiple data breaches can be used to build more complete profiles of targets, making more sophisticated attacks more subtle and nuanced, but also infinitely more dangerous.

One example of such a possibility stems from the 2015 Office of Personnel Management (OPM) data breach wherein 5.6 million fingerprints of former and current government employees were stolen. Certainly, those fingerprints could be used to circumvent biometric security systems, and that’s a possibility MSSPs should consider for decades to come. After all, people commonly change jobs, but their fingerprints remain the same. Fingerprints can be used to access sensitive data, devices and facilities.

But fingerprints are not the only stolen data that hackers collected through breaches. There are other threats that stockpiled stolen data poses. Several federal databases were breached, including at the Veterans Administration (VA), the White House, the State Department, the U.S. Postal Service (USPS), and the Government Publishing Office (formerly the Government Printing Office). Combined with data taken from the private sector, criminals and nation states can create highly detailed profiles of individuals and use that information against them.

“American businesses who want their employees to obtain visas for business in China may find that, for reasons that are not articulated, certain employees may be denied a Chinese visa,” Joe D. Whitley, the first General Counsel of the Department of Homeland Security, former Acting Associate Attorney General for the Department of Justice, and chairman of Baker Donelson’s Government Enforcement and Investigations Group, told InformationWeek.

“United States citizens abroad in China may find that their Chinese counterparts are very literate about their past government affiliations,” he added. “We are traveling into some unknown territory with a data breach as massive as the OPM breach, so we will be living with an unfolding challenge to our national security for many years to come.”

Even if an organization’s employees were not formerly employed by the U.S. government, their data may still have been harvested in federal agency data breaches if they did other things such as apply for a security clearance or a job, or get health care from the VA. Conversely, their info may have been harvested from …