Personal Exposure
Personal exposure is the extent to which someone's personal information is available online.
Behaviours

SB009: Ensures online accounts that are no longer needed are deactivated
Dormant accounts may still hold or provide access to sensitive data. Security teams should be notified when ...

SB011: Uses a search engine to see what personal information is accessible online
Personal information can be used during social engineering attacks. Search engines can show what personal data can ...

SB015: Completes assigned security awareness training successfully
Security awareness training is an important part of organisational security. Completing awareness training ensures ...

SB036: Secures devices with automatic screen locks
Devices can be protected with screen locks (such as PINs, patterns and passwords). This can help prevent unauthorised ...

SB036a: Secures mobile devices with automatic screen locks
Mobile devices (e.g. phones and tablets) can be protected with screen locks (such as PINs, patterns and passwords). ...

SB036b: Secures laptop and desktop devices with automatic screen locks
Laptops and desktops can be protected with screen locks (such as PINs, patterns and passwords). This can help prevent ...

SB037: Locks devices when they're not in use
Locking devices when not in use prevents unauthorised access. This is especially important in common areas, such ...

SB037a: Locks mobile devices when they're not in use
Locking mobile devices when not in use prevents unauthorised access. This is especially important in common areas, ...

SB037b: Locks laptop or desktop devices when they're not in use
Locking laptops and desktops when not in use prevents unauthorised access. This is especially important in common ...

SB050: Does not allow sensitive work-related matters to be overheard in shared spaces
Sensitive topics should not be discussed in shared spaces. This includes public spaces and workspaces frequented ...

SB061: Regularly backs up data
Data is valuable and should be backed up regularly. Lost or corrupted data can be restored from backups. Data ...

SB067: Securely disposes documents containing sensitive data once no longer needed
Documents containing sensitive data should be disposed of securely after use, such as by shredding or using ...

SB070: Reviews privacy settings and permission levels for apps and online services
Some apps and online services will request information from devices for use. Reviewing privacy settings and ...

SB071: Regularly reviews privacy settings on social media accounts
Privacy settings on social media accounts should be reviewed regularly to make sure personal data is not exposed ...

SB075: Requests photos are removed if posted online without consent
Photos posted online without consent can increase digital exposure. Taking steps to remove sensitive photos posted ...

SB082: Uses known contact details to verify suspicious messages
Contact details can be spoofed. Receiving a message that breaks any norms should be met with suspicion. Using ...

SB083: Checks before “blindly” forwarding messages to workplace contacts
Messages from workplace contacts are more likely to be trusted than messages from other sources. Forwarding ...

SB195: Completes policy attestation
Most organisations today have multiple compliance requirements and contractual obligations that require all ...
Case study
Uber, 2016
In 2016, criminals gained access to 2.7 million UK Uber accounts thanks to what was described by the UK's Information Commissioner's Office (ICO) as "a series of avoidable data security flaws".
Criminals first gained access to Amazon Web Services, a cloud-based storage system operated by Uber’s US parent company. They then leaked all the contact details they found, including phone numbers and email addresses.
The breach led to huge losses for Uber. After admitting that the company did not have up-to-date security in place, Uber's Chief Security Officer resigned. Uber was fined £385,000 because it failed to disclose the attack immediately. An ICO report also found that Uber had paid the attackers £78,294 to destroy the compromised data.
EasyJet, 2020
In May 2020 Britain’s biggest budget airline, EasyJet, reported it had suffered a cyber attack that compromised the data of 9 million customers.
After harvesting the confidential data, criminals leaked the victims' travel information and email addresses. The leak allowed others to access victims’ bank and other online accounts.
An initial investigation found that at least 2,208 victims had already had their bank accounts compromised. The UK's Information Commissioner's Office warned EasyJet customers to look out for phishing scams or signs of secondary account compromise in the near future.
EasyJet claimed criminals seemed to be after the company’s intellectual property, rather than information that could be used in identity theft. Still, the company stands to lose a huge sum of money as a result: the ICO can impose a fine of 4% of EasyJet’s turnover in 2019, amounting to almost £255m, and aggrieved customers are likely to defect to rival organisations.
Privacy Affairs Report
In 2020, a report from Privacy Affairs revealed in shocking detail what can happen to stolen personal data.
The report found cyber criminals on the Dark Web will pay £800 on average for a full range of stolen documents that enable them to steal identities. In particular, hacked Facebook accounts were priced at about £60.
Other information for sale included credit card data (CVVs, PINs, login information), hacked payment processing services, forged documents (driving licences, national ID cards, passports), and hacked social media accounts.
The report concludes by advising people to secure their information. It recommends people install antivirus systems on all internet-connected devices, avoid divulging sensitive information over the phone or via SMS, check ATMs for potential skimming devices, and use different passwords across different accounts. All reduce the risk of personal details appearing on the Dark Web.