Understanding the impact of data breaches on phishing

TL;DR: Data breaches give cyber criminals the method and means by which they can conduct successful phishing campaigns.

This past month has featured some of the worst data breaches of the past few years. We’ve seen breaches of Samsung, TikTok, North Face, Uber, Rockstar, Kiwi Farms, American Airlines and most importantly Optus. The amount of data stolen in each breach has varied from corporate IP to personally identifiable information (PII) of customers. In the case of Optus, PII on 9.7 million Australian customers was stolen, representing slightly more than one in four Australians.

How does this relate to phishing?

Cyber criminals will often follow the path of least resistance which is also likely to result in the most financial gain. For example, if a criminal knows you have cryptocurrency holdings, you’ll be a prime target as they have both the motivation, and they also know that you’ll be susceptible to crypto-themed emails. Criminals also have the means, with there being dozens of open-source phishing projects available for use.

Following from this, customers of the recent Optus data breach may find themselves being targeted by Optus-themed phishing material which may be highly personalised depending on whether the attacker has been able to access an untampered dataset from the breach itself.

What’s the impact?

The impact of these attacks are real and lasting… And with each breach, there’s a growing pool of information available for cyber criminals to abuse. All it takes is for a criminal to be successful a small percentage of the time to make their endeavour worthwhile. It’s for this reason, the Optus breach is so severe to the Australian economy, and it also explains the response to this breach. Optus is now being supported by the Australian Federal Police, Australian Signals Directorate, and the US Federal Bureau of Investigations to respond to the incident and apprehend those involved.

What to expect

Data breaches don’t just help criminals personalise phishing emails but it also exposes individuals who previously weren’t targets… The type of phishing material a target can expect to receive is typically going to be financially motivated in nature and to fulfill this goal, criminals will entice targets to enter their credentials into phishing websites or to send them money directly by masquerading as a legitimate entity or even blackmailing them if sensitive or compromising data has been leaked.

Wrapping up

The first step to protecting yourself is to first understand and identify if your data has been leaked in a data breach. The best way to do this is to utilise the free tool Have I Been Pwned – simply type your email address and the tool will tell you if your email address has been associated with any known data breaches where the data has been released for public use.

By utilising the free phishing simulation platform provided by CanIPhish, you can ensure your organisation is actively addressing and hardening your largest attack surface - your employees. If you have any questions, please don’t hesitate to contact the team at CanIPhish.