Security advisor on impact data hacks have on consumers

With more and more consumers venturing online to do their banking and shopping, as well as participate in other e-commerce activities that rely heavily on personal information shared with secure sites, little wonder that Americans might cringe with every report of a data breach. It happens more than we think. According to TransUnion, one of three national credit agencies in the U.S., there are no fewer than 19 consumers falling victim to identity theft every minute of the day. What’s more, according to the bureau it costs on average $500 and takes about 30 hours to resolve each incident of identity theft.

“Part of the problem,” according to Chester Wisniewski, senior security advisor with Sophos, an international cyber security company, “is that sites billed as secure — or sites that consumers assume to be secure — are not secure at all, or at the very least not immune to hackers” — who can easily get beyond anything but the latest and most sophisticated security measures. “There are so many insecure sites,” Wisniewski told writer Brenda Craig. “You could find thousands of them every day if you went looking for them.”

And hackers do just that: Wisniewski relates the story of Drake International, a human resources company based in Toronto which, according to Wisniewski, “became the victim to hackers in 2011 and then again in 2013. The personal records of some 35,000 Drake clients were copied, and then removed from Drake’s database. The hackers offered to return the information for a ransom of $50,000.” Drake was being extorted. “The company’s data had essentially been kidnapped for ransom,” says Wisniewski. “Drake called the RCMP and reported the kidnapping. They didn’t hide, they refused to play ball. They also ended up having to pay for credit monitoring for all the people whose data was stolen,” Wisniewski told Brenda Craig.

Wisniewski said he is “aware of some data hack situations in which the company paid the ransom to have the data returned,” but he declined to divulge names.

“It’s coordinated opportunism,” Wisniewski continues. “They look for places where people have ‘left the door open.’ They are looking for the juiciest one. The ones they are looking for are ones they can make money from. When they find unlocked doors, they go back and search the domain names to see which ones have information they can profit from in some way,” says Wisniewski.

One law professor and cyber security expert noted that in his view there is little reason to believe that a consumer suffers economic harm when criminals hack into databases. “If it is financial data or credit card data, mostly it is banks or companies that are harmed, not the individual,” says Fred Cate, who spoke from his office at the Center for Applied Cybersecurity at Indiana University.

Wisniewski, however, takes a different view. “I simply don’t accept that there are no victims here,” Wisniewski continues. “In the U.S., the bank owns the credit card fraud. But in Canada, the UK, Europe, Australia and New Zealand with chip and pin credit cards, the fraud is on the consumer. They are the ones who pay because the assumption is that they gave someone their pin number.

“Identity theft is a perpetual nightmare,” Wisniewski concludes. “You can’t get a new birthday and [it] is extremely rare that you would be given a new social security number in the US. You never know when it is going to be over.” 

