Gone Phishing – Malware Wants Your PII Part 1


A Two-Part Series on Data Breaches Caused by Malware

Part 1 of 2

Malware is Releasing Personal Records in Droves

Time Warner Cable, Fitbit, and Hilton Hotels are the latest businesses reeling from malware attacks. Millions of PII records have been exposed from these organizations, and customers are questioning the effectiveness of the data security measures meant to prevent the onslaught of data breaches. Fitbit’s share prices have fallen almost 36% in 2016. Fitbit’s new line of products enables texting and calling, and thus stores PII, but they forgot to secure the data. Customers couldn't care less about super cool features when their PII is being sold on the black market. The major frustration for Fitbit is that they have been positioning their products to compete with the Apple Watch—a very secure platform. Instead, they have been dealt a massive sell-off of their shares, thanks in large part to the negative publicity surrounding a malware breach and the resulting loss of customer trust. This is just one reason that storing PII is toxic to businesses.

How Hackers Use Malware

Malware apps are crafted to look perfectly legitimate when encountered and can take many forms, from simple yet invisible keyloggers to full-blown fake commercial web sites. Malware is often delivered through phishing emails that use social engineering tricks to convince users to click on a fraudulent link or download a file containing the virus package. Using phishing techniques to inject malware that scams businesses and consumers, hackers made between $400 billion and $500 billion last year by selling PII and using it to commit all types of fraud. No wonder PII is such a target.

Cyber criminals embed malware in IT systems, where it can remain undetected before it finds a vulnerable computer. A nasty example of a current malware attack is the Rovnix Trojan, which is currently being used for a massive attack on Japanese banks. Rovnix uses an injection that perfectly replicates the look and feel of the account web pages of a targeted bank. It even adapts the flow of events to the target’s authentication scheme, intercepting one-time passwords, for example. The malware tricks the bank customer into providing their login credentials multiple times, granting the cyber criminal access to bank accounts—and they are off to the races siphoning account funds, creating huge losses for the banks and major inconveniences for customers.

Ransomware Holds Your Data Hostage

Another malicious harvester of PII is ransomware. Ransomware is almost always delivered in a phishing email message that promises to benefit the computer user in some fashion. Instead, the installed app cleans the hard drive of anti-virus solutions and encrypts all the files, demanding a payment to decrypt the data. But ransomware can be even more far-reaching, giving the hacker complete access to the locally stored PII, as well as to the business network, where it can quickly spread. Even after paying the hacker to decrypt the files (maybe), the infected systems are still vulnerable because the majority of malware is multi-vector, using multiple layers of attacks to spread.

Ransomware developers have evolved a very extensive network, built on bitcoin currency, where they offer guarantees to their customers on the quality of the PII they have stolen from your customers, even offering a refund if the PII is unusable. Having that level of confidence in black market data is what gives CIOs, CTOs, CISOs, heck—any data security professional, nightmares.

Long-term Fallout Over PII

Security professionals know the severity of exposing customers’ very precious PII. The Federal Trade Commission (FTC) is handing out data breach fines with regularity, because too many organizations are not taking the proper steps to secure their customers’ data. The FTC does not discriminate on the “how” of the data breach, only the fact that it happened. The FTC fines are only the tip of the iceberg considering the long-term liability of a class action lawsuit. Any data breach that results in lost PII—whether by ransomware or malware—carries with it the same severity of financial penalties and loss of customer trust.

Put Distance Between You and PII with Cloud Tokenization

Capturing, storing, and transmitting personal, health, payment and any other data set that hackers find valuable puts you at serious risk. Malware and other data breach techniques will continue to rapidly evolve, staying one step ahead of data security experts and detection software. However, there is a solution that eliminates all the risk of storing sensitive data of all types—cloud tokenization. True cloud tokenization removes toxic data from an organization’s IT business environment, replacing sensitive data with mathematically unrelated tokens, so that when the inevitable breach occurs, only tokens unusable to fraudsters are exposed. No lawsuits, no FTC fines, no ticked-off customers who will have to rebuild their identity—just business as usual, protected with cloud tokenization.
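The token-for-data swap described above, as an added Python example that is not TokenEx code: `TokenVault` is a hypothetical in-memory stand-in for the remote service, and the record is constructed. It goes one step beyond the text by contrasting a random token with a SHA-256 hash of the same field, which is derived from the value and can be matched by recomputing guesses.

```python
import hashlib
import secrets

class TokenVault:
    """In-memory stand-in for an off-site tokenization service (hypothetical)."""
    def __init__(self):
        self._by_token = {}  # token -> original value; never leaves the vault
        self._by_value = {}  # original value -> token, so repeats reuse one token

    def tokenize(self, value):
        if value not in self._by_value:
            # The token is drawn from a CSPRNG, not computed from the value,
            # so there is no key or function that maps it back.
            token = "tok_" + secrets.token_hex(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]  # raises KeyError for an unknown token

def store_customer(db, vault, name, ssn):
    """The business database keeps tokens in place of the sensitive fields."""
    db.append({"name": vault.tokenize(name), "ssn": vault.tokenize(ssn)})

def recover_by_enumeration(stored, candidates, transform):
    """Audit check: can a stored field be matched by recomputing it from guesses?"""
    for guess in candidates:
        if transform(guess) == stored:
            return guess
    return None

def sha256_hex(value):
    return hashlib.sha256(value.encode()).hexdigest()

# Constructed sample record; area number 000 is never issued as a real SSN.
SAMPLE_NAME, SAMPLE_SSN = "Alice Example", "000-12-3456"

if __name__ == "__main__":
    vault, db = TokenVault(), []
    store_customer(db, vault, SAMPLE_NAME, SAMPLE_SSN)
    print("business DB as a breach would expose it:", db)
    print("lookup through the vault:", vault.detokenize(db[0]["ssn"]))
    guesses = ["000-12-%04d" % n for n in range(10000)]
    print("hashed field matched:",
          recover_by_enumeration(sha256_hex(SAMPLE_SSN), guesses, sha256_hex))
    print("tokenized field matched:",
          recover_by_enumeration(db[0]["ssn"], guesses, TokenVault().tokenize))
```

The protection holds only while the vault's mapping stays outside the environment that holds the tokens; a vault stored beside the business database would be exposed by the same breach.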

Part 2 of this series will cover how organizations can use layered security with tokenization to protect themselves from malware—or prepare for the worst.

TokenEx is an industry leading cloud tokenization platform focused on removing all types of toxic data, including PII, while providing unlimited flexibility in how organizations access, use, and secure data—all while remaining payment processor agnostic. Follow us on Twitter and LinkedIn.
