CISA Director Jen Easterly pictured at her Senate confirmation hearing in June. CISA last month released tips on protecting PII from ransomware exploits. Today’s columnist, Chuck Everette of Deep Instinct, offers advice on how security teams can protect PII. (Photo by Kevin Dietsch/Getty Images)

We would all love to believe that every time we share our personal identifiable information (PII) with a company or website, it’s kept safe and secure, but that’s far from reality. For many of us, we enter basic personal information online every day. Historically, this data consisted of name, phone number, social security number, birth date, and mailing address. But in the digital age, there’s so much more information up for grabs, including user names, passwords, online photos, social media posts, and even digital addresses such as MAC and IP addresses. How many times a week do users enter this type of information into a website without a second thought, whether it’s for paying bills, healthcare needs, employment records, tax returns, or even social media interactions?

A history of data leaks and breaches

In the past, we’ve had to worry about companies not safeguarding data and accidentally leaking or mistakenly leaving information unprotected. This trend has been on a sharp incline recently, as we have all seen and experienced the increasing media reports around data breaches, stolen data, and personal information being traded and sold as a commodity on the dark web.

Not only has the number of reported data breaches in the U.S. catapulted in sheer volume, but the number of records leaked or stolen has exploded along with it. In 2005, there were only 157 breaches reported involving 66 million records, and 12 years later, in 2017, the reported number of breaches peaked at 1,632 with more than 197 million records reported leaked. Most recently, in the first six months of 2021, there have already been 1,767 publicly reported breaches, leaving 18.8 billion records exposed.

Cyber criminals are actively seeking out and acquiring PII with a range of goals. So, why has it become so hard to protect it? For starters, PII data has a valuable price tag on it in the underground and dark web market, so it attracts some of the most skilled cyber attackers. While identity theft and fraud are at the top of the list, these sophisticated PII-based attacks have transformed to focus on bigger payouts, such as fraudulent insurance claims, tax returns, loans, hosts for spam and phishing attacks, and even a tactic for blackmail and extortion. All of this has contributed to PII becoming a booming business for cybercriminals.

The rise of the new cyber extortion tactics

Over the past few years, we have seen the ransomware trend take an even more malicious role in the PII data theft arena. In a typical ransomware attack, cyber criminals employ a double extortion tactic to gain access to a victim’s systems and data, encrypt and disable them, exfiltrate a copy of the data, and then demand a ransom to decrypt and release the data back to the victim. The criminals will then go back and threaten to release the copy of the stolen data and expose the breach publicly if an additional ransom does not get paid, further damaging the victim’s reputation.

To evade detection and continuously evolve, criminals are now sifting through the stolen data to extort additional ransoms from the clients, partners, patients, and third-party affiliates of the ransomed company and threaten to expose their PII publicly to family, friends, and social media contacts. Medical records, including mental health and medications lists, financial and legal documents, tax records, and even adult website usage, are all various forms of information used to extort victims. The latter tactic, commonly referred to as “sextortion,” is not new, but it’s become more commonplace as more digital information becomes easily accessible. Look back to the Ashley Madison breach in 2015, when the data of some 32 million users was stolen and a good number were then blackmailed. Even years later, the blackmail and extortion attempts continue for some of these users.

We have also seen the use of stolen PII to further penetrate the victim’s social circles and gather more detailed information on the victim’s personal life. It’s then used to further impersonate the victim for a larger payout, or to redirect authorities to the victim and portray them as the actual criminal – like a cyber scapegoat. This has been used in great effect in international money laundering schemes over the past years.

Protect all PII

Protecting PII is not easy because of the sheer amount of information we share about ourselves every day. While most data breaches are out of the control of the individuals being impacted, practicing good personal security hygiene can provide an added layer of protection. Here’s where to start:

  • For users and administrators, use complex passwords and set up different logins for each account – do not use single passwords for multiple accounts or sites no matter how convenient it seems at the time.
  • Enable and use two factor authentication (2FA) whenever possible – nearly all sites and programs that require PII now offer this level of security, and for good reason.
  • As an organization, invest in an advanced security solution capable of preventing and protecting you from the newest cyber attacks.
  • Be vigilant, watch credit reports, credit cards, utility bills, and bank statements for unusual or unexpected transactions.
  • Watch for phishing attempts – do not click on links or even reply to unsolicited emails and text messages asking for personal information
  • Invest in identity theft protection.

Ultimately, stop and think before willingly sharing personal information online. Users must realize that everything put in an online form, typed in an email, or posted on social media has the potential – and high likelihood – of becoming public. Never, ever consider information shared online as private or protected, especially without taking the proper measures to secure it first.

Chuck Everette, director of cybersecurity advocacy, Deep Instinct