So You've Officially Been Breached: What Now?

So I've officially been breached. What happens next???

Note: While we are going to discuss real hacks, please understand we will do so in an indirect way, without compromising any leaked information.

If you're like many Australians, you may have received notification over the past year that you've been involved in some form of data breach or cyber attack. If you have a limited understanding of how this stuff works, it can be intimidating to be in this situation. It's your information in someone else's hands without a clear understanding of what's happening to it or where it's going.

While every attack, breach, and compromise scenario is unique, today we will try to cover some of the common scenarios after a breach, and how you can best manage them for yourself.

Firstly, it's important to wait for validation of the breach from credible sources. Note that we said credible, not official. You'll usually be able to find this out by being directly informed, often by the company that's involved. However, it's important to understand that there are plenty of private sector researchers and data sources who focus solely on monitoring and validating data breaches and these can be a good source of initial information as well. These companies can be useful in two ways. Firstly, they'll undertake their own examination of the data that's been released, and usually cross-check it with previous breaches and possibly even reach out to the public for validation of the released information. This can often happen early in the response stage, so it's a good idea to actively monitor some of these resources if you have any concerns or want to be proactive. Secondly, they'll also have notification resources where you can flag emails of interest and other useful information. This can often mean you'll receive notification or validation proactively without having to search for it. As you'd imagine, that's particularly useful in situations like these. If you'd like to start accessing some of these resources, haveibeenpwned.com is a fantastic place to start.
But let's move beyond that for a second. You're smart, you registered, and now you've been officially notified. So what now??? Well, this is where it gets a little grayer. If we look at our two Australian examples more closely, we can start to dig a little deeper into what happens next.

With the Optus telecommunications hack, we had a large breach of user information, including telephone numbers, identification documents, and other additional contact information. With the Medibank scenario, we had all of the same, but we also were notified that a large portion of private medical data was stolen, in addition to the usual identification and contact information. So, while we can see both breaches are certainly legitimate by looking at the type and quantity of information that was taken, we can start to understand that, in terms of significance and severity, one is vastly greater than the other.

Depending on the actors, you'll usually find that a snippet of the information is initially released. This does two things. It allows third parties to validate the breach (as we mentioned before) but it also establishes a point of negotiation. After all, cybercrime is big business, so as you'd imagine, there's usually a financial component to all of this.

It's all about the money
Here's where the discussion gets interesting. Going back to our Australian examples, we will see two distinctly different ways that this unfolds, albeit with a few similarities. With our Optus example, we had around 10 million records taken and an initial "fee" of around 1.5 million dollars. However, after a short period of negotiation, the group withdrew their demands and promised to scrub the data while it remained unreleased (other than the initial snippet). With the Medibank example, we had a more "traditional" ransom payment of around two million dollars.
So, where does that leave us? Essentially in a holding pattern. There's no clear cut answer on how to proceed from here, and unfortunately, it's an area where you'll need to make a judgement call for yourself. If the data that's been taken is particularly sensitive (medical records, financial information, etc.), you may want to consider proactively reaching out to the relevant authorities to see if they can provide any guidance. If it's a little more general, it's worth considering what actions you can take to protect yourself. This can include but isn't limited to:

Changing your passwords
Updating your security software
Alerting financial institutions
Monitoring your credit score

These are just a few examples, and it's worth considering what actions are most appropriate for your personal situation.

Its also important to understand in the period after a breach, you may be particularly vulnerable to an increase of personalized social engineering or phishing attempts using information obtained in the breach. While you certainly shouldn't be responding to malicious links, you should keep a generalized view of whats actually being sent to you. Why? Because sometimes if you are exposed people slip up. You may find a product you haven't ordered, or a service you haven't purchased which may be an indicator of additional compromise. Spam filters will certainly help, but you should be try to be aware of the differences between an well engineered attack and a legitimate indicator of compromise. One of the most damaging forms of attack you may experience in this period, would be a social engineering attack using a spoofed telephone or email address. This allows the attacker to make their communications look like they are coming from someone you know and trust. Which as you'd imagine, dramatically increases its effectiveness. We'll talk more about spoofing and other nefarious ways of social engineering in future articles.
So, we've covered a few of the common scenarios that you may encounter in the aftermath of a data breach. We've also touched on how you can manage your response to a breach and a little about the motivations behind the attacks.
In the coming weeks, we'll be switching up our topic material and doubling back to cover some open source intelligence. We'll also ask the question "so what the hell is a hacker anyways?". If you like our content, subscribe and stay tuned for our next weekly article.