That more and more of our personal data is collected and shared – whether we are aware of it or not – is hardly a new insight: concerns about privacy continue to hit the headlines, even as stringent new laws and regulations come into force around the world.
What is particularly interesting, however, is that hackers are increasingly focusing on acquiring information belonging to children. Advertisements placed by cyber criminals on the Darknet offer datasets comprising ‘child fullz’ and including names, dates of birth, and home addresses. Demand appears to be growing.
At first glance, it may not be particularly obvious why the data of minors is so very valuable.
We are all aware of our responsibilities towards children. We have a duty to protect them from harm, whether from abusers who will prey on them in their attempts to groom them, or from cyber bullies who may target them online for any variety of reasons, or from websites encouraging various types of dangerous behaviour such as self-harm, extreme diets or violence.
However, the issue of personal privacy is much more complex than that, and the onus is also on us – as responsible adults – to protect the data of our children from being stolen and used for criminal purposes.
Why are cyber criminals targeting this data? What makes it so valuable? The answer is simple. It is ‘clean’. With the information they can gather from a range of sources, fraudsters can use this fresh data to create fake IDs.
Children’s data is collected and stored in a variety of places, and much of it is openly available. For example, many parents and carers post photographs and other information about their families on social media: this is saved by major companies such as Facebook and Google and used for various different purposes, including targeted advertising.
IoT devices and toys collect data about children: while this is not so easily accessible, concerns are frequently raised about poor security practices found in webcams, baby monitors etc.
But by far the greatest threat to the security of children’s data lies within the education sector. Schools hold a great deal of information about their pupils, and yet they present a particularly easy target for hackers.
According to Kevin McMahon, the Cyjax CEO, this is because they are generally underfunded both in terms of IT infrastructure and in budgets earmarked for relevant staff training and development.
The fall-out accruing from a successful data compromise in both financial and reputational terms is huge, and because of this schools are now taking out cyber insurance policies, and claiming against these in the event of a breach.
Hackers are only too well aware of this, and they are now trading on risk and disruption. They know that if they can execute a successful attack, schools will pay to get the data back: therefore it is worth the risk to steal it and possibly obtain more money by entering into negotiations and returning the information rather than selling it on the Darknet. In some cases, the cyber criminal will not even bother to steal the data: they will simply select suitable ransomware, infiltrate the network and lock it. Once in control of the system, they know that the school has little choice but to pay up.
The threat of reputational impact to the school concerned makes the possession of the data even more valuable for the hacker. No longer do they have to go to the bother of advertising their haul on a Darknet marketplace, nor of running the risk of taking payment and sending the information to the buyer (who could well be a law enforcement agent tasked with identifying the seller).
Fortunately for the cyber criminal, they do not even need to have any technical knowledge to launch their attacks: the Darknet is full of advertisements offering cheap and easy-to-use ransomware, hacker for hire services etc. The fraudster can also still monetise the data further on down the line; having sold it back to the school, there is nothing to stop them from offering it on a marketplace later – at a lower price, admittedly.
For all organisations, the financial costs of dealing with a data breach are considerable. Cyber insurance will not cover everything: as with all other policies, deductibles will be applied.
Yet aside from that, we estimate that it can take up to three months from the time of discovery of the incident to the systems being fully patched and up and running again. Responders to attacks have to rebuild and redesign the networks. As they carry out their work, they are also assessing the impact of the compromise, talking to lawyers, and assisting with claims on cyber insurance policies. An interesting point which our CEO made is that the insurance industry is not used to working with these cyber responders or with specialist lawyers: while this will be less of an issue in the future as all the parties involved gain further experience, joined-up thinking is certainly something that needs consideration now.
The General Data Protection Regulation (GDPR) came into force in May 2018, focusing attentions on regulatory compliance. This is an extremely important issue, as it forces organisations in all sectors to take ownership and control of their data storage practices. If systems are breached, someone is going to be held accountable. There are very heavy penalties for all organisations if there is a successful compromise of their systems resulting in the theft of data.
Like all other organisations – whether big or small, commercial or public sector – schools should conduct regular cyber security audits and provide compulsory training for all staff. This should include advice on social engineering techniques used by hackers, as well as on avoiding the phishing scams which provide hackers with another lucrative opportunity to demand extortionate sums of money if they can successfully infiltrate a system. IT staff tasked with maintaining the security of networks must be given training on the importance of implementing robust cyber practices, such as ensuring the regular back-up of all data, and applying software patches as soon as they are released.
There is no one solution to countering cyber attacks. It is simply not possible to prevent all threats. The key goals, therefore, must be to stop the hacker from compromising your system as far as is reasonably possible, and to minimise the impacts of a successful raid.
Kevin McMahon’s podcast on cyber security in schools can be seen here.