You may recall news reports in early June 2023, regarding the hack of the MOVEit file transfer software by a ransomware extortion group based in Russia, known as “Cl0p” but more commonly referred to as “Clop”. Keeping in mind that the vast majority of ransomware instances are not publicly reported, in order to avoid both embarrassment of the victims and attention for the perpetrators, this one was disclosed for a number of reasons. For one, it was widespread, affecting a diverse group of victims that included the U.S. Department of Energy and other federal agencies, Johns Hopkins University and the Johns Hopkins Health System, the University System of Georgia, CalPERS (the California Public Employees’ Retirement System), the Province of Nova Scotia, Shell Oil, British Airways, the BBC, and the state motor vehicle departments in Oregon and Louisiana. A second reason was that Clop publicized the victims of its exploit on the dark web. Whether or not you had ever previously heard of MOVEit, software that is widely used by companies and organizations around the world to share sensitive data, you may very well have used similar file transfer products such as WeTransfer and Dropbox.
In the MOVEit instance, the hackers exploited a previously unknown vulnerability in the software and extracted users’ files before a patch was available. This is what is referred to as a zero-day exploit: the vendor has had “0” days to fix the flaw before it is used against its customers. What made this extortion a bit atypical was that the perpetrators did not follow the usual pattern of encrypting victims’ computers until a ransom was paid, but instead threatened to release the sensitive data they had already copied unless the ransom was paid, as is typical, in Bitcoin or another cryptocurrency. According to Palo Alto Networks, which monitors ransomware payment trends, the average ransom demand rose to $2.2 million in 2021, with the average payment rising to $541,010.
The Value of Your Personal Data
Ransoms are one thing, but the stolen data may be even more profitable when sold on the dark web. Let’s very conservatively presume that a hack discloses the private data of 5 million users. According to Privacy Affairs, an organization that monitors and compiles lists of prices for personal information when sold online, the following are just a few examples of the going prices for everything from social media logins to credit card accounts.
Credit card details, account balance up to $5,000: $110
Credit card details, account balance up to $1,000: $70
Stolen online banking logins, with a minimum balance of $2000 on account: $60
Stolen online banking logins, with a minimum balance of $100 on account: $40
Cloned Visa, MasterCard or American Express account with PIN: $20
USA hacked credit card details with CVV: $15
50 Hacked PayPal account logins: $120
Hacked Gmail account: $60
Hacked Facebook or Instagram account: $25
Hacked Twitter account: $20
US eBay account: $20
Netflix account, 1-year subscription: $20
Hacked Spotify account: $10
10 million USA email addresses: $120
Clearly, these international thieves are playing a numbers game. Although the hackers in the MOVEit incident exploited a software vulnerability, most breaches begin with human error. Most typically, those errors involve unwarily responding to a phishing message, carelessly clicking on a link, or using the same (usually weak) password on multiple sites. Many phishing scams appear legitimate because they reuse data from earlier corporate breaches. For example, if an email service provider has been hacked, its subscriber list will have been compromised, and those subscribers can then be targeted with convincing messages that appear to come from their own provider. Because nobody wants their email service to be disrupted, many people will quickly comply with a request to divulge further personal information.
One of my clients recently received an email, indicating that his email account had been compromised, requiring him to click on a link to confirm his username and password. He did so, without a second thought, then had his email account disabled two days later because it was being used to send out massive amounts of spam, effectively turning his computer into a zombie device. When his password was reset and his account access restored, he received another email, no doubt from the same perpetrators who had lost access to his account, asking him to click on a highly suspicious link in order to “cancel the requested deactivation” of his account. Clearly, they were hoping that lightning would strike the same victim twice. Now you can see why a single hacked Gmail account sells for $60 on the dark web!
Take Precautionary Measures
I have said it before, and let me say it again, that we all need to be highly vigilant before clicking on links in an unsolicited email. If that email contains spelling mistakes or grammatical errors, it is a strong sign that it did not originate from the company whose graphics have been “borrowed” in order to enhance credibility. Hover over any links (on a phone, press and hold the link to preview it), and you will often see that they lead to highly suspicious URLs that have nothing to do with the company named in the message. In addition, take the time to set up and utilize multi-factor authentication on every online account that offers it, starting with your email and any account that holds money or payment details. Then be sure that you always use a strong and unique password for each site; a password manager makes this practical. Many of us tend to “recycle” our passwords, a truly lazy habit. In those instances, a password stolen from one site will be tried automatically against hundreds of other sites, an attack known as “credential stuffing”, so one breach can turn into many.
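The advice above to hover over links is something a mail filter can do mechanically. The following is an added example (not code from the original article) that pulls every link out of an HTML email body and flags the classic phishing tells: the visible text names one domain while the href goes somewhere else, the href points at a raw IP address or a punycode (lookalike) host, or the host is simply not under the company’s real domain. The sample message and the domain examp1e-mail-support.com are constructed for the demo; the “last two labels” domain comparison is a simplification and would need the public suffix list to handle domains such as example.co.uk correctly.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Approximation: last two labels. Real code should use the public
    # suffix list, otherwise "bank.co.uk" and "evil.co.uk" both become "co.uk".
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_link(href, text, expected_domain):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons = []
    scheme = urlparse(href).scheme.lower()
    host = host_of(href)
    if scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {scheme!r}")
    if not host:
        return reasons + ["no host in href"]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("href points at a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host; possible homograph of a real brand")
    if registrable_domain(host) != expected_domain.lower():
        reasons.append(f"host {host} is not under {expected_domain}")
    # The classic tell: the text the victim reads names one domain,
    # the href the browser follows goes to another.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append(f"link text shows {m.group(1)} but href goes to {host}")
    return reasons


def scan_email(html, expected_domain):
    """Return [(href, visible_text, reasons)] for every <a> in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text, expected_domain))
            for href, text in parser.links]


# Constructed sample: a fake "your mailbox will be deactivated" message
# that pretends to come from mail.example.com.
SAMPLE = """
<p>Your mailbox will be deactivated in 24 hours. Confirm your password at
<a href="http://examp1e-mail-support.com/login">https://mail.example.com/verify</a>
or <a href="https://mail.example.com/help">visit our help center</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE, "example.com"):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict}: {href!r} (shown as {text!r})")
        for r in reasons:
            print("   -", r)
```

Run as a script it prints the first link as suspicious with two reasons (wrong domain, and text/href mismatch) and the second as ok. The same check_link function can be dropped into a mail-gateway rule or a browser extension; the point is that the href, not the blue text, is what the victim actually visits.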
If you would like to learn more about the very serious nature of these online threats, I highly recommend a reading of “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth, a cybersecurity journalist for The New York Times and an advisor to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). This is a difficult book to put down (so you may want the audio book version), and it will keep you awake at night.
In recent years, just about every business in America was widely encouraged to engage with its customers through social media, Facebook in particular. I was guilty of offering that advice myself, until I decided that the potential marketing benefits were outweighed by the costs of having my personal privacy continuously invaded by the platform, leading me to abandon my use of Facebook four years ago.
If your business has maintained a presence on Facebook, as has almost certainly been the case, you have also maintained a Facebook personal profile that has allowed you to administer your business account. That personal profile most likely entitles you to participate in a class action settlement brought against Facebook, Inc., now known as Meta Platforms, Inc., for violations of your privacy through the sharing of your personal data, as well as data about your friends and associates, with third parties that included advertisers, data brokers, and business partners. These violations were made without your permission. Although Meta denies any liability or wrongdoing in this matter, it has agreed to an out-of-court settlement, and you are entitled to your share of the proceeds.
If you had a Facebook account between May 24, 2007 and December 22, 2022, there is a very simple online form that will allow you to participate in this class action and to receive your entitled share of the proceeds. Each user is eligible to participate, even former Facebook users with deleted accounts. Importantly, your form must be submitted before 11:59 PM Pacific Time this Friday, August 25, 2023. Go to https://facebookuserprivacysettlement.com/ and click on the “Submit Claim” option. Of course, individual shares in class actions such as this generally do not amount to a significant sum of money. Among other factors, your share will be determined by the length of time within which you maintained your Facebook account. If you value your personal privacy, see to it that you are awarded your share of the proceeds, sending a message to Facebook (and other even more invasive social media platforms) that enough is enough.
You might be surprised to learn how much of your personal information is readily available online, easily accessed by just about anybody, and being packaged and sold at a profit by over 100 data brokers, so-called public records providers. There are over a billion searchable public records today, and both federal and state legislation passed over the last 50 years ensures the public’s right to access. It all started with the Freedom of Information Act, enacted in 1966 and in force since 1967, guaranteeing that anyone can submit a public records request to any federal agency, and that agency (with few exceptions) is mandated to provide the information in a timely manner. This federal legislation was followed by similar “sunshine laws” that were passed in all 50 states, providing access to state and local public records. The public has a right to know what is going on behind closed doors with its elected officials and government agencies, but it is the access to public information regarding specific people – routinely exploited by profit-seekers who sell compiled data to marketers and others who have no business accessing your personal information – that is troublesome.
If you do a search on Google for your name, city, and state, you are likely to be shocked to see how much personal information (some of it highly inaccurate) is available with just one click, where public records are consolidated with information that you may have voluntarily provided on platforms such as Facebook and LinkedIn. You will probably find your full name and address, former addresses, family members (including births, deaths, marriages and divorces), phone numbers, email addresses, year of birth, estimated annual income and net worth, real estate and property records, property taxes, professional licenses, voter registrations, campaign contributions, court records, arrest records, prison records, sex offender registrations, bankruptcy records, educational level, general credit status, liens, and corporation and LLC records. Is that enough? About the only records that are generally off-limits are your tax returns, school transcripts, library records, health records, and juvenile court records.
How Public Records Providers Operate
If you go to one of these public records providers’ websites, you will first be asked to enter the first and last name of the person for whom you are searching, along with his or her city and state. You will then be presented with a list of results that likely include that person, along with links for “more information” or a “full report”. You will then wait several minutes for the report to be allegedly generated, teasing you with the categories of information that are being compiled, and presenting you with one or more payment or subscription options. If you are like me, you realize that public information must remain accessible, but you would like to see your personal information removed from websites that are packaging that information for profit and selling it to anybody willing to pay their fee.
If you live in California, you are in luck because the California Consumer Privacy Act (CCPA) protects the rights of California residents regarding their personal information, including the right to easily request access to or deletion of their personal information, as well as the right to demand that businesses stop selling that personal information. Whether you live in California or elsewhere, you basically need to go to the website of each public records provider and click on the link (usually at the bottom of the page) that says “Do Not Sell My Personal Information”. You will then be directed through a multi-step process that will include email or text authentication in order to be removed from that one seller’s database. (If you live in California, there will be a secondary link that will streamline the process.) Keep in mind that removal is not permanent: these sites rebuild their records from the same public sources, so your entry may reappear months later and need to be removed again. Of course, there are businesses that are willing to capitalize on anything, and there are companies online that will do the work for you for a substantial fee. Two of those are companies called DeleteMe – https://joindeleteme.com/ and OneRep – https://onerep.com/ that will provide that service for one person for one year at prices of $129.00 or $99.00 respectively.
Presuming that you would like to avoid that kind of fee and would like to go through the process of removing your personal data from these websites yourself, here is a list of some of the major culprits, along with their removal URLs:
Several additional websites do not maintain their own databases, basically repackaging the information from larger data brokers and earning a commission on sales. In those instances, getting removed from the source of the data will remove you from more than one site. Examples are the PeopleLooker, PeekYou, and PeopleSmart websites that run off the BeenVerified database, and InstantPeopleFinder, which runs off the Intelius database. Then there are other companies – such as FreeBackgroundCheck.org (with a bald eagle in its logo and which at $19.95 per month is anything but free) – that seem to spit in the eye of privacy rights. According to the FAQ page of their website: “As a courtesy (sic) we can ‘opt out’ your specific information. Contact customer support and request the procedure instructions to be removed from the database. Each individual that wishes to be opted out of must be accompanied by proof of identity and address. We will only be processing opt out requests we receive by fax or mail and no request will be processed without complete information. Requests for opt out will not be processed over the phone or via email.”
You probably already knew that we are living in a world where personal privacy rights are continually swept under the carpet, and where there are countless companies and individuals that are willing to compromise those rights through the use of dubious profit-based services. Although you may very well feel like David vs. Goliath, you can at least attempt to fight back!