Why are threat actors faking data breaches?
Earlier this year Europcar discovered a hacker selling info on its 50 million customers on the dark web. The European car rental company immediately launched an investigation, only to discover that the data being sold was completely doctored, possibly using generative AI.
Why fake a data breach?
The most obvious reason why hackers are selling fake data is because there is money to be made. When you think of it, it is like a criminal trying to peddle fake jewelry or replica watches. But there are other possible reasons:
Earning notoriety: In March 2024, a Russian hacking group announced it had hacked Epic Games. Epic found zero evidence of this claim. Eventually, hackers announced that they had faked the entire incident because they were trying to gain visibility by targeting a known brand. Reputation is something that is highly valued in hacker communities and therefore it makes sense that some groups resort to such tactics.
Creating distractions: Distraction is a common battlefield tactic – preoccupy your opponent (or target) so you can attack them from another direction. Similarly, attackers can fake a data breach to keep the security team distracted with signs of a breach while adversaries execute a more dangerous attack or infiltration elsewhere.
Destroying reputation: Cybercriminals can inflict damage to a company’s reputation without having to steal their data. In September 2023, a ransomware group announced it had breached Sony’s environment and acquired its data. Negative publicity followed. Sony eventually concluded that the hacker’s claims were false, however the damage had already been done.
Manipulating stock prices: For publicly traded companies, the news of a cyber-attack or a data breach can impact market value or stock price by a minimum of three to five percent. Threat actors can announce a fake data breach, which can spark fears, panic and loss of public confidence, causing the stock prices to drop; in this way, cybercriminals can manipulate the market for financial gain.
Uncovering security processes and setup: Just like you need bait to hook a fish, cybercriminals can use the pretext of a data breach to understand a company’s security setup, its security capabilities, processes, and threat response time. Attackers can use this knowledge to fine-tune their attack strategy, launching a more severe and pinpointed attack.
How do threat actors generate fake data?
Generative AI tools like ChatGPT can be easily used to generate fake data complete with realistic data sets that include email formats from a real company along with local telephone numbers, and more. A smart hacker will go to the extra length of researching previous breaches or using an existing data model to reproduce another data set.
In addition, there are multiple resources online that can generate large amounts of data sets for testing purposes.
What can organizations do to tackle the threat of fake data breaches?
Below are recommendations that can help organizations mitigate the threat of fake breaches:
Proactively monitor the dark web: Have your security team or expert partner proactively monitor the dark web for signs of a breach, such as an attacker selling your data. Investigate those claims immediately.
Analyze previously leaked datasets: Recycling previously stolen data is a common ploy among scammers. When you encounter a leaked data set, compare it with old breach data (from websites like haveIbeenpwned.com) to assess whether the data is recycled or not.
Prepare your workforce: Raise awareness among staff members around fake data breaches and explain what they should or should not be doing if they encounter news of a potential breach.
Keep communication teams on standby: As part of your incident response plan, ensure that marketing and public relations are trained and ready to address any negative word of mouth that may arise from news of a breach, whether real or fraudulent.
Deploy canary tokens: In a network, a canary token is a type of digital identifier that acts to detect unauthorized access, data breaches and intrusions. In case a hacker announces a data breach, security teams can leverage canary tokens to determine the authenticity and integrity of the alleged theft.
Utilize integrated security: Given that 47% of breaches originate in the cloud, it’s advisable that organizations adopt a converged security model like Secure Access Service Edge (SASE) that detects and blocks breaches as they happen, correlating events across their network. This approach improves visibility into security incidents, discerning genuine threats from false alarms.