The UK’s National Police Chiefs’ Council lead for cybercrime, Peter Goodman, spoke at a media briefing on the government’s response to hacks and breaches. He revealed that nearly every person in the country has had their details sold on the dark web.
Goodman urged firms to come clean to customers when they become victims of a breach. Once GDPR comes into force in May 2018, businesses will no longer be able to sweep the loss of Personally Identifiable Information (PII) under the rug. Part of the legislation will require firms to report a breach within 72 hours of it being discovered.
Addressing the briefing attendees, Goodman said:
‘I can almost guarantee that every single one of you around this table has had a data breach against you and that some of your personal data is held somewhere on the dark web and is being sold, traded - are you happy with that? And you probably don’t know about it. Am I happy if, for example, my data was stolen in the TalkTalk breach and nobody ever told me? I have not had the chance to think if I’m happy with my security, do I need to change my password? Because I don’t know.’
‘Russian speaking nations were the biggest enemy and there were increasingly blurred lines between state sponsored attacks and criminal activity. For several years we have reported that Russian speaking nations are the number one cyber-crime threat to the UK. The available intelligence is there is a cross-over between state and criminal cyber actors.’
‘When we talk about Russian speaking countries and Eastern Europe we are seeing an overlap between state and criminal groups, there is clearly some sort of mutual beneficial arrangement.’
If you’re concerned about whether or not your personal data has been leaked, you can check by using websites such as haveibeenpwned. Once you type in your email address, the site will tell you when each breach occurred and give details of the breach itself. As you can see below, my details were compromised in December 2016 and August 2017.
Unfortunately, as a consumer, there is nothing you can do to stop breaches from happening. But if you find that your details have been leaked as part of a data breach, below are some steps you should take to minimise the damage.
If your login credentials have been compromised: Change your password on the affected website. If your password is the same across any other websites, change those too. As well as passwords, take some time to change your security questions. The leaked information could include personal data that attackers could use to guess the answers to your security questions.
If your financial information has been compromised: Don’t wait around for a suspect charge to appear on your bank statement. Call your bank as soon as you think your financial details have been leaked, cancel your cards and get replacements. You should always inform your bank if you think you could be a victim of potential fraud, so they can log your concerns and take appropriate action.
The biggest issue is that no one is typically informed when a breach occurs, Goodman said. There are websites where people can search for information on whether or not they've been hacked, but if they don't do the research themselves, they may never have the answers. Despite the widespread nature of the attacks, police response has been slow. According to Goodman, police investigations have been a "patchwork quilt, it's a postcode lottery for victims." As for who is perpetrating these crimes, Goodman noted that the UK had some Russian actors in custody. Russian-speaking countries are blurring the lines between state-sponsored attacks and criminal ones, according to Oliver Gower, head of the National Cyber Crime Unit, who also spoke at the briefing.