Laying Out the Welcome Mat: Unsecured Servers

By Lisa Baergen, Director of Marketing, NuData

One of the things we do at NuData is monitor the news and provide commentary to media on breaking stories. We are fortunate to be one of the experts called upon to speak about a variety of cyber fraud issues.

These past few weeks have been interesting because we’ve seen a trend that can be so easily prevented: data theft from unsecured servers. Yesterday, news broke that the WWE Corporation’s server was accessed, and fraudsters accessed wrestling fans’ personally identifiable information, or what we refer to as PII. The fan database included names, addresses, emails, ethnicity, children’s age ranges and more.

There are two important issues here. One is that PII was stolen and will likely be for sale on the dark web by the end of the day. The opportunity to abuse this data is high because it was so complete, with names, addresses, ethnicity and birthdates (known as fullz to hackers). Fullz make it easy to impersonate actual users and access their other online accounts. The breach also raises concern about the amount of private information collected. Children’s data opens the door for the creation of synthetic identities (see: Synthetic Identities: trust the behavior, not the data!).

Just last week it was discovered during a routine security review that a database of usernames and email addresses on data.gov.uk was breached. The publicly accessible site lets registered users browse information published by a variety of British government departments. And the week before, it was discovered that Deep Root Analytics was behind the data breach on 198 million US voters.

This raises the second concern: high-profile organizations, likely despite their best efforts, are leaving their servers unprotected or leaving cracks for hackers to slip through. It’s like laying the welcome mat out for every fraudster who accesses the site. Here’s what one of our security strategists had to say to the media today:

    “In less than a month, there is news of a third “non-breach ‘breach’” of sensitive user PII data.  The unfortunate mishandling of trusted data by Deep Root, data.gov.uk, and now the WWE continues to show that sophisticated hacking is not required to obtain troves of identity data that can be used to create fraudulent identities or access online personas.  We have hit a turning point where financial and identity cybercrime has become something that a person with the most basic computer skills can dabble in. Because of this, merchants and FIs need to rethink how they protect and identify their users in the digital world.” – Ryan Wilk, Vice President of Customer Success

We need to protect all consumer data, but more importantly, we need to make it valueless. Using advanced techniques like Passive Biometrics and Behavioral Analytics gives merchants and financial institutions a step up on the bad actors looking to monopolize this data. Understanding the user behind the device is key, in effect devaluing the stolen identity data to any other person or entity. It’s time to roll up the welcome mat and lock the door.
