One of the striking things about the record data breach suffered by Yahoo! was the low value which the stolen records had on the dark web - just 0.00009 cents each. On the one hand, that could suggest that user names and passwords from two years ago may not be that useful in their own right, certainly compared to financial or sensitive data, like a social security number or credit card number.
On the other hand, it may just indicate where that data sits on the pathway towards criminal misuse - just one more element to build into curated “fullz” which have sufficient richness to enable account or ID takeovers. Buying completed profiles will cost tens or even hundreds of dollars.
What that low valuation should draw you towards, however, is to question the motivation of the hackers involved. If they are unlikely to make a fortune from their theft, why bother? For some hackers, it is simply for the “lolz” or to build a rep. A few, like Gary McKinnon, are on a mental health spectrum which means they cannot see the consequences of their curiosity. More troubling are those acting for criminal groups and, perhaps most threatening of all, hackers linked to foreign intelligence agencies or rogue governments.
The idea that commercial data sets could be targeted by bad actors of this sort is worrying, unless you think about their potential goal of economic disruption or creating a climate of uncertainty. Political data is being hacked for exactly that reason - it is often said that the business of America is business, so there is little difference between going after data at Yahoo! or on former Secretary of State Colin Powell’s email server.
So what can you do to get ahead of this cyber-security threat? Many large-scale platforms offer bounties to ethical hackers who find vulnerabilities and report them. That could prove to be a useful way of turning wannabe hackers away from a poorly-remunerated criminal activity and towards a more positive engagement with the critical world of information management. Script kiddies are probably ripe for the application of nudges to change their behaviour in this way.
Defending against well-resourced attacks from a rogue nation is harder, but is increasingly the cost of doing digital business. What Yahoo!’s misfortune revealed - like Sony, LinkedIn or countless other data breaches have previously shown - is that cyber-security is still under-resourced and under-reported. Was the business really unaware for two years that it had been breached? If so, where was its penetration testing and monitoring? One of the leading-edge approaches now is to track the dark web for data sets on sale which match the company’s user base - Facebook does this and alerts users when it finds a password which matches what it currently holds, for example. Buying stolen data to take it off the market could be another option.
Paying a bounty might seem like inviting attacks or encouraging illegal activity. Except that hacking attacks will take place anyway, and most global organisations already have insurance policies that will pay the ransom should one of their executives get kidnapped. If your business has already crossed that threshold, there is little point arguing that it cannot also find ways to buy off the hackers.