AI: The Biggest Threat to Privacy
Recent headlines reveal another fruitful summer for cybercriminals. One of the largest breaches, courtesy of Capital One, exposed 100 million credit card applications, 140,000 Social Security numbers, and 80,000 bank account numbers. This information makes its way to the dark web, where it can be sold and traded for as little as $4. And if you thought that was a problem, artificial intelligence (AI) is making things far worse.
Typically, after a breach, information ends up on the dark web for purchase. The data is sectioned off and sold on a breach-by-breach basis. Now, hackers are using AI tools to aggregate information from different breaches and create "profiles" for victims of multiple security events. For example, they are able to create a packet that contains a person's Social Security number from Equifax, their email address from Yahoo, financial details from the IRS, and social content from LinkedIn. Given the massive backlog of breaches to pull from, these cybercriminals are able to create individuated profiles with all the information needed to pursue malicious action. This raises the necessary question: how can you keep your information safe going forward?
Multi-factor authentication (MFA) is commonly touted as a first line of defense. While you absolutely should implement MFA on your devices, it won't protect you in the event of a third-party breach. MFA only inhibits unauthorized access through legitimate avenues, for example, someone trying to steal your Amazon username and password. If a vendor's database is hacked and your information is exposed, MFA won't ameliorate the situation. Here are some proactive steps you can take to avoid finding yourself on the wrong side of a data breach:
- Never use a business email for a non-business site. Keep corporate and personal accounts as separate as possible.
- Volunteer the minimum personal information across your social sites.
- Change your passwords frequently. This can help mitigate bad actors who are looking to log in and steal your credentials. Implement MFA going forward, if you haven't already.
- When asked to provide answers for security questions, give the wrong information. This makes it more difficult for cybercriminals to reset your accounts.
- Lock your credit reports, and ensure access is carefully monitored. You can leverage vendor security services to monitor personal content, just as a business would intellectual property. If your identity has been compromised, these services may help track usernames and passwords on the dark web.
In the wake of these massive breaches, it's also important to remember where responsibility lies. During coverage of Capital One, companies were incorrectly conflating Amazon's AWS platform with Capital One's IT department, whose employees are ultimately responsible for securing their client data. Most of the breaches over the past five years have stemmed from similar bad IT practices, including:
- failure to patch
- no change control
- lack of / inadequate permissions
- lack of multi-factor authentication
These safeguards are in the hands of the enterprise, not the platform provider. And whether cloud-based or on-premises, they require thorough IT oversight. If you're looking to implement any of the changes mentioned above, or improve your company's overall security posture, consider reaching out for a free IT consultation today.