CyberVulnerability

Identity theft: Causes and Consequences of a Dreadful Threat

The mathematician Jean Sylvain Bailly had no idea how meaningful this sentence could still be today. Cybercriminals, for their part, seem to have integrated it perfectly well.

Data breaches are one of the most important activities in some Dark web forums, and identity theft is undoubtedly among the most lucrative.

Whether in an organized gang or in a very opportunistic way, cybercriminals are multiplying their actions by diversifying their targets and using ever more devious methods to get their hands on one of the grails of data: personal information.

Femme avec une identité inconnue : usurpation d'identité
What if you can no longer assert your identity?

What is identity theft?

To fully understand the consequences of a personal data breach, its scope should be defined.

According to the ICO (Information Commissioner Office in the UK) a personal data breach is defined as “a breach of security resulting in the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”[1]. It is both very broad and very specific. However, a classification can be drawn from it, of which the 3 main categories are:

Violation of integrity

It is related to unauthorized or accidental alteration of personal data (ex.: the fraudulent use of official documents like identity papers).

Breach of confidentiality

It is essentially related to unauthorized or accidental disclosure or access to personal data. The publication on the Dark web of the data of millions of AP-HP patients tested for COVID-19 is a clear example.

Loss of availability

It is usually the result of a loss of access or destruction of personal data. Every ransomware attack against public, financial or healthcare organizations is yet another sad example. These cyberattacks have prevented these organizations from accessing their patients’ or users’ data, resulting in tragedy from time to time.

A data breach is not limited to just one category and can be linked to all three simultaneously. This is the case in high-level ransomware attacks, with double, triple or quadruple extortion mechanisms.

Once the scope is defined, the question remains as to what is meant by “personal data”. According to the French National Commission on Informatics and Liberty (CNIL), “personal data are any information relating to an identified or identifiable natural person.” [2]

Here are some personal data easily found for sale on the Dark web:

  1. Date of birth
  2. Passport
  3. Credit card number
  4. Biometric data
  5. Social security number
  6. Address
  7. Financial documents
  8. Photographs
  9. Driver’s license number
  10. Telephone number
A lot of personal information can easily be bought on the Dark Web

All these data, which can directly or indirectly identify a natural person, are personal data. They are gold for cybercriminals, yet too few people are suspicious.

Are people sufficiently aware of the risk of identity theft?

Here are some sobering statistics about how people perceive risk, and how the majority agree to “give” their personal information.

According to a study by Le Figaro[3]:

  1. in France, 65% of people do not feel targeted by personal data theft
  2. 60% feel well protected from it

However, according to The Trade Desk 2021[4]:

  1. 3 out of 4 people do not feel they have enough control over their online data.” 

Lastly, a 2020 study by the marketing firm IntoTheMinds estimates that almost 60% of Internet users accept the websites’ terms of use without reading a single line.[5] However, for some, these conditions are just unacceptable: collection of too much data (last name, first name, location, e-mail address, etc.), misuse… The means to protect this collected data are almost non-existent. Fortunately, since 2018, the GDPR law (General Data Protection Regulation) protects people in Europe. Alas, this is not enough, as there is no such thing as zero risk.

By 2025, it is estimated that 75 billion devices will be connected to the Internet, compared to 25 billion in 2019.[6] This explosion in the number of exposed devices will inevitably lead to more and more personal data being connected, available and therefore stealable. It seems a given that our refrigerator today can read our e-mails and warn us via our Twitter account that the butter will soon be out of date…

The personal data market is booming on the Dark web. Very specific areas are even created to allow cybercriminals to do their business. Here are some examples of what is being traded:

Price Index on the Dark Web

What causes loss or theft of data?

Statistics show that the main causes of loss or theft are the lack of attention of people and the overexposure of their personal data. Unfortunately, they often forget their intrinsic value.

There are also other reasons, sometimes more technical, that can lead to these data breaches.

For example:

  1. the weaknesses in the development of applications using this data, which leave cybercriminals with the ability to get around security mechanisms
  2. the multiplication of data hosting areas, with a loss of control over the means of protection
  3. the test environments of companies, which are abandoned after production, but still available to cybercriminals
  4. the desire to simplify users’ lives to the detriment of basic protection rules (unsecured Wi-Fi, production of QR Code systems to centralize sensitive information, etc.)
  5. the lack of protection of some e-shopping websites
  6. etc.

The reasons being numerous, making an exhaustive list is almost impossible. Between technical and technological issues, and the erratic behavior of human beings, it is obvious that all these data are not secured. This insecurity can have terrible consequences.

The consequences of identity theft

Theft or loss of sensitive data is one of the major consequences of cyberattacks. They can involve the companies’ assets, intellectual property, patent theft, in the context of espionage for example.

It is also important to measure the impact of personal data breach on an individual or his family.

Consequences on a personal level

The other more personal and less tangible consequences for a company is the damage to its reputation. A tarnished reputation can lead to the loss of key personnel, damaged relationships with customers or business partners, and a deterioration of the image conveyed in the media.

On a daily basis, this can have a sociological, psychological and even physical impact.

Having one’s identity stolen can be traumatic, not to mention the fact that one must then start the process of proving and recovering it. This process is often described as “hell” by the victims, who sometimes need several years to regain full enjoyment of their identity.

The consquences of identity theft

The psychological and social consequences are not the only ones. Others, just as devastating, can occur.

The increase of cyber risks forces companies to move from a security policy to a safety policy. They will therefore have to provide a legal arsenal such as an insurance or contractual clauses with their partners. In case of attack, they find themselves both victim (administrative, deontological, criminal responsibilities and compliance with the GDPR) and responsible. They therefore must protect themselves.

Consequences on a financial level

The financial impact is the first thing we think about in the event of a cyberattack.

But indirect costs are sometimes overlooked. For example, investigation costs, but also recovery, repair and replacement costs for damaged networks and equipment due to business interruption, are often forgotten.

The intangible consequences due to loss of opportunity or confidence can also lead to the drop of a company’s competitiveness and even of its profitability. This indirect cost should not be overlooked and is difficult to estimate in most cases.

Personal data breach: a complex subject

A data breach is complex because it brings a multitude of technical, legal, financial and psychological complications. Obviously, additionally to common sense, there are simple measures to apply as part of what is called “IT hygiene”. Some of them are perfectly explained by institutional sites, such as national agencies for the security of information systems. Others are more technical.

Adopting technologies with a comprehensive approach, or with a focus on mobile protection for example, are among them. The TEHTRIS XDR Platform, as well as the TEHTRIS MTD, allow to protect one’s equipment from any deviant behavior and help to keep control over one’s data.

[1] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

[2] https://www.cnil.fr/fr/definition/donnee-personnelle

[3] https://www.lefigaro.fr/actualite-france/2011/10/05/01016-20111005ARTFIG00700-usurpation-d-identite-les-francais-inquiets.php

[4] https://comarketing-news.fr/lost-in-data-les-francais-ne-se-sentent-plus-maitres-de-leurs-donnees/

[5] https://www.intotheminds.com/blog/statistiques-rgpd-europe/

[6] A l’horizon 2025 on estime que 75 milliards d’appareils seront connectés à Internet, contre 25 milliards en 2019.