No matter what you do, your security is at risk when you use the internet
You won’t hear it reported on the business bulletin during the lunchtime news but there has been a serious downturn in the stolen data market.
“The price of personally identifiable information has dropped massively in the last couple of months,” says market watcher Gavin D’Alton.
“We’re talking about names, addresses, bank details — the sort of stuff that could be used for opening up bank accounts in your name or it could be used for opening up PayPal accounts.
“Whereas last year you probably would have been looking at around $35-$50 for that information, it’s dropped to about $15-$20, and that’s if it’s verified which will add an extra value to it.
“It’s the same thing with credit cards. A verified card, tested and working — so that’s the 16 digit PAN (primary account number) and also the CVV (card verification value), the three digits on the back — that has gone as low as $3 at the minute.”
D’Alton, senior manager with the information security firm Espion, delivers his update so matter-of-factly that it’s easy to forget he’s talking about stolen goods and the illegal market where they are traded.
That he can readily find out the latest prices and check trends over time shows how brazen the business has become.
The ‘firms’ operate underground in the darknet but there are websites dedicated to monitoring their performance, rating their reliability and even interviewing their founders and senior ‘staff’ — all anonymously of course but then anonymity is their speciality.
The existence of this market helps explain why data theft takes place.
“Every piece of information you leave behind you has an associated value. The reason for that is what can be done with the information,” D’Alton says.
On its own, the limited personal information of one customer might yield little or no return, but in combination with more information gleaned from another source at some other time in the past or future, or as part of a bulk-buy, it can prove profitable.
D’Alton can use himself as an example, having fallen victim to the PlayStation Network data breach five years ago.
“At the time I had a couple of dozen passwords that I rotated. I was quite lucky in that when PlayStation was breached, I changed the password quite quickly so I wasn’t immediately affected.
“But a few months down the line I changed my user name and password for my iTunes account, using the old password. I often buy iTunes cards for birthday presents so I had a nice little reserve queued up in my account and they managed to use it to buy an online gambling app.
“Using the app they cashed credit into a gambling account and cashed it out as bitcoin. So that’s how you turn iTunes into money.”
Similarly, with the recently disclosed Yahoo breach, it’s likely the value was in the passwords and the certainty that a good proportion of people would be using the same passwords on other accounts with more money-making potential.
“It’s really quite basic economics,” D’Alton explains. “What’s happening is that hackers and traders are setting up their own markets and the market sets the price.”
It’s tempting to put a positive spin on the current market slump, to suggest that perhaps information security technology is now so tight that buyers of stolen data won’t find much use for it so the main suppliers are having to drop their asking price to shift it.
Not so, says D’Alton, who looks to the opposite explanation.
“The reason for that would seem to be that the market has been flooded with data. There’s so much of this stuff leaking out at the moment that, as with any commodity when there’s a glut, the value has fallen.”
As with any commodity, there is a supply chain where it pays to add value at each stage, he explains.
So raw data has a certain price, and raw data from wealthier countries, where individuals are likely to have more money on their cards or in their accounts, commands a higher price.
Data that is verified, possibly through that couple of euro that appeared on your credit card statement and that you put down to a forgotten surcharge on a ticket purchase or some other such transaction, goes up in value again.
But data traders aren’t snobs. Major data breaches such as the one at the UK telecoms company TalkTalk, which brought the details of more than 150,000 customers to market last year, would normally be sold off in blocks of 100 or 1,000 in their raw, unverified form.
“They don’t limit themselves to high quality data. A lot of the market activity is just down to what’s available so they’ll keep looking for any available scrap that’s out there,” says D’Alton.
So who are ‘they’? “What’s really being noticed in terms of cyber security in the last couple of years is that traditional crime gangs are moving online, particularly in Eastern Europe.
“It’s all about risk and reward for these gangs. Smuggling goods carries a big risk because physical goods are more easily detected.
“A tiger kidnapping might get them, say, €100,000, but there’s a very big risk attached. This [data crime] is simpler, almost risk-free, and brings in recurring revenue over time. It’s a business decision for them.”
They not only think like conventional businesses, they organise themselves along similar lines.
“They structure it like a big consultancy or accountancy firm. They take juniors in and train them to do a lot of the grunt work — the more laborious, lower-skilled stuff.
“They report to managers who curate their work and the money flows up to the people with the skills and then up to the partners. It mirrors legitimate corporate organisations.”
They’re also highly efficient, deploying botnets, or zombie armies, to harness the processing power of a whole network of unsuspecting computers to sort through the very data they target for theft. And if you’re a tentative new entrant to the buyer’s market, they’ll even offer free online tutorials with step-by-step guides to using stolen data.
There are individual operators in the market too, who act as brokers, and will often offer escrow accounts to mind funds on behalf of transacting parties.
If this parallel universe of illegal business surprises you, you’re not alone.
Espion, which is headquartered in Dublin with operations in the UK, Brussels and the US, works to secure the data of businesses and public sector bodies of all types and sizes, but what they tend to have in common is a blissful ignorance of their own vulnerability.
“For most organisations, especially SMEs (small and medium enterprises), it’s not a core competency. It’s an afterthought for most people until something goes wrong,” says D’Alton.
“Also, up to now the power to levy fines for data breaches has been kind of toothless in most European countries, Ireland being no exception to that so there’s no real sanctions.”
Cost is also an issue for many organisations because cyber security expertise doesn’t come cheap.
“In the public sector, as a rule of thumb, your IT spend should be between 10 and 20% of your overall budget and your information security spend should be 10-20% of that.
“That’s what you need to be throwing at information security on an annual basis.
“People controlling the finances can find that hard to justify and in some respects what they get for their spend may seem intangible because the value can only really be weighed up by the potential of loss.”
With new EU regulations and tough sanctions for data breaches looming, however, Espion is increasingly getting calls to carry out penetration tests on IT systems — just to be on the safe side.
“We’re finding the GDPR (General Data Protection Regulation) coming into effect in 2018 is a real driver. People are beginning to sit up and take notice because the fines are between 2% and 4% of global turnover which, for a large organisation with a lot of personal information, is a potentially staggering hit to the bottom line.
“So a lot of the action that organisations are taking now is straight up fear-based but I don’t necessarily think that’s any harm if that’s what it takes.”
But even among those acting out of fear, D’Alton finds that management tend to believe that calling in the experts is a box-ticking exercise and that they’ll get the all-clear.
“For many organisations embarking on getting external security testing, there is absolutely a degree of shock and awe when the results land on the table.
“On paper it might seem they just need a tweak to their system but in real terms it represents a potential exposure of all the data in their database to the outside world.
“We tend to find that once you’ve explained it, that’s when the panic sets in. The biggest question we’re asked after a first round of security testing is how do I know I haven’t been breached before and the simple answer is that you don’t because the gates have been open for some period of time and you don’t know who’s come in through them. So that’s quite sobering for many organisations.”
For most organisations discovering they have a gap in their data protection, the instinct is to get it closed off immediately but some are looking at the problem differently.
“There’s a new mindset being discussed in major organisations — it is wiser in some respects for them to leave the threat there and monitor what it might do rather than try to eliminate it because by the time they close off one window, somebody else might kick in another window. It’s a controversial mindset but it is starting to happen.
“Also, some are going out into darknet markets and monitoring whether there is any information out there that has come from their organisation. Sometimes the best way to know if you have been breached is to go where stolen data is traded. It’s like having a private detective on the case.”
Not all cyber criminals want your data, however. They just want you to want it badly enough to pay a ransom for it if it’s taken from you. Over the past year there has been a proliferation of ‘ransomware’ attacks, where organisations discover they can’t access their own databases and are contacted with details of how to pay up to get them back.
“It’s all very professionally done. The CryptoLocker one that we’ve seen a lot of sends you a notice of what’s happened and it’s super civilised and the language used is super polite.
“They actually had helpdesks that they were manning where people could ring them up and talk through how to get their data unlocked which is a whole new level of cheekiness. A lot of Irish organisations paid up.”
The problem with cyber criminals is that they keep setting new levels of ingenuity and D’Alton is blunt about the ability of Espion or any other experts to guarantee a watertight IT system.
“There is no such thing as 100% security. There is risk minimisation, not risk elimination. Anyone who tells you otherwise is a charlatan.” That means having the programmes, personnel and procedures in place to both minimise the risk and maximise the emergency response if a breach occurs.
D’Alton and fellow experts can provide the programmes and advise on the procedures but he says there is a shortage of suitably trained and experienced personnel coming on stream to fill the increasingly critical roles of data protection officers and information security managers in Irish organisations.
“Data protection tends to get fobbed off a bit in Irish organisations so where there is someone in charge, you might find they come from HR, or IT, or legal or somewhere in administration.
“There’s a mix of skills required. Someone from admin might not have the IT skills to fully understand the area but a computer science graduate may not grasp the legal issues and the human dimension.
“We provide training courses and we’ve given talks to Irish colleges to let them know these types of jobs are coming down the line fast. There’s going to be a gold rush for people with the right skills and experience come the GDPR in 2018.”
Companies must tighten data protection by 2018

In just over 18 months’ time, significant EU-wide regulations will come into effect that will force companies and organisations to up their game considerably when it comes to data protection.
The General Data Protection Regulation will apply from May 2018 and will give the data protection authorities in each country far more teeth when it comes to sanctioning offenders.
Central to the regulation from an enforcement point of view is the ability to apply fines of up to 2% or up to 4% of a company’s global annual turnover, depending on the nature of the breach.
While some countries already have monetary fines in their domestic legislation, they are rarely applied. For countries like Ireland, where there is currently no power to impose a fine, it will bring a massive change in the way the Office of the Data Protection Commissioner is perceived.
The regulation also includes a right for the subjects of a data breach to submit compensation claims to the offending firm or organisation, even if the subject suffered no financial loss.
Among its other provisions are the requirement that public bodies, and organisations whose core activities involve large-scale monitoring of individuals or processing of sensitive data, appoint their own data protection officer, that reporting of data breaches to the regulator be mandatory, and that they must be reported within 72 hours of discovery.
The regulation is a step towards standardising data protection law and practice across all EU member states. For the first time, a company headquartered in one EU country but operating in several will only have to deal with the data protection authorities in that country rather than potentially all 28.
The Office of the Data Protection Commissioner is being strengthened in preparation. Its €7.5m budget for 2017 is quadruple that in 2014 and its staff will increase to 100 — triple the number in 2014.
While that is a significant increase, the job of Ireland’s commissioner Helen Dixon is particularly complex given that so many international digital companies have their headquarters here. Yahoo’s massive data breach falls into her realm of responsibility and she has had to launch an investigation here in conjunction with that undertaken by US authorities.
The Government is also creating a National Cyber Security Centre, a beefed-up statutory version of the non-statutory Computer Security Incident Response Team that operates under the auspices of the Department of Communications. It will focus on the protection of information in state agencies and in key national infrastructure such as energy and telecommunications.
Communications Minister Denis Naughten said this week the team is due to move out of departmental accommodation and into its own dedicated offices at UCD very soon.
Battles in cyber warfare

The idea of a government ordering the hacking of a company or state agency in another country sounds like a spy movie.
But it is increasingly accepted that state-sponsored hacking goes on and — given the resources available to governments — that it could be the hardest to guard against.
Such operations aren’t always motivated by financial gain, although companies with highly prized intellectual property, for example details of a new technological advance or designs for a new product, need to be wary.
It’s one thing suing a domestic rival for copyright theft if they suddenly produce a product that bears an uncanny resemblance to your secret prototype but try taking on a state-owned manufacturer in China.
There are many other reasons why states deploy hackers but they can generally be summed up as politics and power.
When Sony Pictures suffered a near complete shutdown of its IT systems in 2014, followed by the leaking online of details of upcoming projects and embarrassing internal emails, the attack was traced to North Korea.
Sony were about to release the satirical movie, The Interview, about a CIA plot to assassinate Kim Jong-un. Sony were forced to postpone the release and then to give the film a limited release in a row that ended up at the White House with President Obama increasing sanctions on North Korea.
Russia insisted it had no hand in a cyber attack that left a quarter of a million Ukrainians in the cold and dark last winter when the control systems of regional electricity distribution companies were taken over remotely, but given Russia’s annexing of Crimea and its ongoing territorial dispute with Ukraine, there is no doubt in Ukrainian minds who was to blame.
Russia has also been blamed by Hillary Clinton and US security agencies for this summer’s theft and publication online of thousands of her private campaign emails, although Donald Trump dismissed the idea in the first presidential debate, suggesting instead the hack had been conducted by “some 400lb guy sitting on a bed”.
Yahoo has claimed its recently disclosed hack was nation state sponsored, although it has yet to point the finger firmly at an accused. But Yahoo is also at the centre of a row over claims it was routinely scanning emails for US intelligence agencies so if that is true, it’s not beyond imagination that another country would have a similar interest in seeing them.
In case this all sounds remote from the day to day online activities of the average Irish citizen or business owner, Gavin D’Alton of information security firm Espion sounds a warning note.
“We’re discovering we can see footprints and traces of them [nation states] in many Irish organisations,” he says. “It’s not academic. There are specific pieces of malware kit put together by nation states and the signs are they have been used in attempts to breach systems here.”
Privacy concerns outweighed by convenience

It was “one little oops”, said the head of security at Australian phone company Telstra in 2012, explaining how personal and financial details of 800,000 customers had been exposed in a classic case of internal bungling.
Those were the innocent days. Now when news breaks of a data breach, such as the recent Yahoo revelations involving 500m customers, the finger is as likely to point to a well-orchestrated state-sponsored hacking operation as it is to a clumsy mishap.
But whether it’s one little localised oops or one massive international cybercrime, the data breach has become a regular occurrence. It raises questions about the security of personal information in a world where such information resides in the cloud, copied and backed up in places the owner never sees, so that not even a computerised equivalent of the old-fashioned paper shredder could render the details beyond use or abuse.
Or does it really prompt any concerns? People have become so used to conducting their affairs online and entrusting their personal, medical and financial histories to computers that it’s hard to imagine that anything of any consequence could go wrong.
And yet an experiment conducted by the Danish Consumer Council a couple of years ago shows that putting our personal lives online doesn’t so much go against our natural instincts as bypass them altogether.
Using secret cameras, people paying for goodies at their local bakery were filmed being asked by a shop assistant for their phone number, the last five texts they sent, where they were at 8pm the previous evening, what their parents’ address was and other questions.
At one stage, the staff member even left the shop with a customer and, when asked what she was doing, replied: “I just want to follow you to see where you go.”
Reactions ranged from surprise and bemusement to annoyance and hostility. Why would anyone hand over such private information to a complete stranger? That was the common thought.
Of course, the punchline was that we do this all the time, without a second thought entrusting personal data to a myriad of websites, apps, online payment schemes, social media and basic telecoms services.
They know who you texted last. They know where you were at 8pm last night. They could probably land at your parents’ house in advance of your own planned visit and have your favourite takeaway on the table for you when you arrive.
Maybe that’s the price you pay for convenience. Maybe you don’t mind if you get bombarded with ads based on assessments of your buying habits. Maybe you trust companies never to use your information for anything other than the reason you gave it.
But how do you know they can prevent your information escaping through a technical glitch or human error? And how do you know they can protect it from others who want it, either to steal from you or to extort money from the host company by disrupting its operations and, indirectly, yours?
Helen Dixon, the Data Protection Commissioner, didn’t mince her words when she produced her annual report this summer. “What becomes clear from dealing with many organisations in Ireland is that they deploy little resource themselves to manage data protection compliance,” she wrote.
“Some organisations appear to struggle with the principles based nature of data protection legislation and suggest that it is difficult to correctly interpret and apply the principles in the specific scenarios with which they are dealing.
“From what I have seen, little real attempt is made in some cases to interpret and apply the principles and to examine implementation from the perspective of affected data subjects.
“In other cases, organisations appear to not even be conscious that what they are proposing represents a significant interference with an individual’s data-privacy rights and view efficiency and cost-saving as automatically sufficient justifications for any action.”
Less than impressed would sum up her views. And no wonder. Her office received 2,376 data security breach notifications last year, a number that has increased annually from a mere handful ten years ago.
It’s worth noting that notifications are voluntary except for telecommunications and internet service providers who are under legal obligation to disclose breaches. It’s also worth pointing out that only three of the breaches could be firmly attributed to hacking attacks while 26 were due to the theft of IT equipment, which suggests the deliberate and/or criminal element in breaches is low.
But 117 were due to website security and other security-related issues which shows companies and organisations do need to tighten up IT systems.
Human error was by far the biggest problem. Ms Dixon has given examples before — it could be as simple as placing the wrong bank statement in an envelope, or attaching the wrong statement to an email, so that one customer receives another’s details.
It’s perhaps not the biggest data security sin in the world — although the implications could be serious if the details were commercially sensitive and were misused by the unintended recipient.
But the point Ms Dixon was making is that as long as attitudes to data security are lax then data security will be too and that’s just asking for trouble.
Loyaltybuild has the unenviable distinction of suffering the first highly publicised case of data breach trouble in Ireland. The Co Clare-based firm, which organises discount hotel breaks as part of customer loyalty card schemes for retailers and other businesses, disclosed in 2013 that an attack on its website had resulted in the theft of the personal and/or financial details of 1.5m customers here and across Europe.
An inspection team from the Office of the Data Protection Commissioner subsequently reported “serious issues regarding the security of data on Loyaltybuild’s systems and a lack of procedures to ensure that the data was protected and managed properly”. Gardaí investigated but there were no prosecutions.
Big fish have been caught in data breach net

Data breaches come in all shapes and sizes. Here are some of the bigger and more interesting examples from around the world.
Yahoo!
The email and search engine provider disclosed last month that a copy of certain user account information was stolen from it two years earlier, compromising the accounts of 500m users worldwide although sources have been reported as saying the figure could be as high as 1bn.
The stolen data included names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers.
Yahoo said its ongoing investigation “suggests” that unprotected passwords were not stolen and neither was payment card or bank account information, but nevertheless it advised its users to change their passwords pronto and stay vigilant for any suspicious activity on their payment card and bank accounts.
According to Yahoo, a “state-sponsored actor” was responsible for the theft but it has yet to produce proof to back that claim. Neither has the company explained exactly why it took so long to report the breach.
It hasn’t been a good month for Yahoo — hot on the heels of the data theft revelations came the news that it had been scanning hundreds of millions of emails on behalf of US security agencies, such as the NSA and FBI.
The company hasn’t said a whole lot about that either.
eBay
Hackers used stolen eBay employee credentials to gain access to the online marketplace’s database and helped themselves to the personal information and passwords of 233m account holders in 2014.
Encryption saved the day for eBay — and most customers — but the company still had to issue a warning to all users to change their passwords, just to be doubly sure.
JPMorgan Chase
The US bank revealed two years ago that more than 70m households and 7m small businesses may have had their private data compromised in a cyberattack.
It remains the single largest data theft from a financial institution, believed to have been facilitated by a weakness in just one server in the company’s vast IT system. Reports suggest a two-factor authentication requirement was in place across the bank’s network but had not been re-enabled on that server following an upgrade.
It has since emerged through criminal investigations and prosecutions that the hack was orchestrated by a highly sophisticated international cybercriminal organisation that had also targeted three other financial institutions over a number of years.
Some reports say the hackers made more than $100m from the scheme. It cost JPMorgan Chase millions to revamp its IT security.
Anthem
Customers of the US health insurance group were informed in January 2015 that it had been hit by hackers for a number of weeks, with some 80m records believed to have been stolen.
According to Anthem, the information accessed included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information and income data.
It said it did not believe medical records were stolen but given the sensitivity of such information, and the potential for blackmail, the fact that hackers got anywhere close to this information was cause for major concern.
In a particularly audacious move, the hackers then posed as credit monitoring experts offering, for a fee, to spot any suspicious activity on customers’ credit cards over the next few years.
While the matter is still the subject of an FBI investigation, it appears the hack succeeded because a handful of employees were duped into downloading malware by opening phishing emails — emails carrying malware, or links to it, that are deliberately designed to look like legitimate communications.
TJX
In 2007, the US company that owns TK Maxx among other retail chains, disclosed that hackers had managed to steal a quantity of customer credit card and debit card numbers.
Over the course of several months, the full scale of the breach became known with 47.5m people affected, some going back as far as 2002.
By the time of detection, the data had been used to buy at least $1m worth of electronic goods and jewellery.
The hackers had found weaknesses in the security around TJX’s in-store wireless networks, which used the weak WEP encryption scheme and carried card transactions, and were able to exploit them to steal the data, which was stored in unencrypted form.
TJX was fined and also had to compensate a large number of directly affected customers as well as insure them against future fraud, and had to issue gift vouchers to everyone whose details were compromised regardless of whether they had suffered any loss. Unsurprisingly, the saga has become required study for students of information security the world over.
AshleyMadison.com
The online affair site had the reassuring word ‘discreet’ written all over it but last year the names and addresses of its 30m subscribers from 40 countries were stolen and released on the web for the whole world to see.
Even those who had used fake identities were exposed because their credit card details — which carried their real names — were attached.
The hackers had given advance warning of what they were capable of doing but didn’t seem open to negotiation on what it would take to keep the database private. When they published it a month later, countless marriages fell apart and reputations were destroyed.
Several suicides were also attributed to the disclosures. No one knows the true number — only the few where the bereaved spouses decided to speak out.
The Canadian-based owners of the website said in August this year that an independent review of their security systems would be completed by year’s end, and that by May 2017 they would have revised policies and procedures in place for handling details of deactivated and inactive accounts.