Security Behaviour Database
/

Personal Exposure

Personal exposure is the extent to how much someones personal information is available online.


Behaviours

Reporting old accounts

Reporting old accounts

Dormant accounts may still hold or provide access to sensitive data. Security teams should be notified when ...

Using a search engine to search for personal information

Using a search engine to search for personal information

Personal information can be used during social engineering attacks. Search engines can show what personal data can ...

Completing security awareness training

Completing security awareness training

Security Awareness training is an important part of organisational security. Completing awareness training ensures ...

Using a screen lock

Using a screen lock

Mobile devices can be protected with screenlocks (like pins, patterns and passwords). This can help prevent ...

Locking devices

Locking devices

Locking devices when not in use prevents unauthorised access. This is especially important in common areas, such ...

Refraining from discussing sensitive work topics in public

Refraining from discussing sensitive work topics in public

Sensitive topics should not be discussed in shared spaces. This includes public spaces and workspaces frequented ...

Backing up data

Backing up data

Data is valuable and should be backed up regularly. Lost or corrupted data can be restored from backups. Data ...

Securely disposing of confidential documents

Securely disposing of confidential documents

Documents containing sensitive data should be disposed of securely after use. Such as by shredding or using ...

Reviewing privacy settings and permissions for apps and online services

Reviewing privacy settings and permissions for apps and online services

Some apps and online services will request information from devices for use. Reviewing privacy settings and ...

Reviewing social media privacy settings

Reviewing social media privacy settings

Privacy settings on social media accounts should be reviewed regularly to make sure personal data is not exposed ...

Removing personal details from the open voters register

Removing personal details from the open voters register

Unless removed, a UK voter’s information is listed on the public electoral register, increasing digital footprint ...

Requesting personal photos or information are removed

Requesting personal photos or information are removed

Photos posted online without consent can increase digital exposure. Taking steps to remove sensitive photos posted ...

Verifying messages

Verifying messages

Contact details can be spoofed. Receiving a message that breaks any norms should be met with suspicion. Using ...

Checking emails before forwarding them

Checking emails before forwarding them

Messages from workplace contacts are more likely to be trusted than messages from other sources. Forwarding ...

Case study

Uber, 2016

In 2016, criminals gained access to 2.7 million UK Uber accounts thanks to what was described by the UKs Information Commissioner's Office (ICO) as “a series of avoidable data security flaws”.

Criminals first gained access to Amazon Web Services, a cloud-based storage system operated by Uber’s US parent company. They then leaked all the contact details they found, including phone numbers and email addresses.

The breach led to huge losses for Uber. Admitting it did not have up-to-date security in place, Uber's Chief Security Officer resigned from the company. Uber was fined £385,000 as it failed to immediately disclose the attack. A ICO report also found that Uber paid the attackers £78,294 to destroy the compromised data.

EasyJet, 2020

In May 2020 Britain’s biggest budget airline, EasyJet, reported it had suffered a cyber attack that compromised the data of 9 million customers.

After harvesting the confidential data, criminals leaked the victims' travel information and email addresses. The leak allowed others to access victims’ bank and other online accounts.

An initial investigation found that at least 2,208 victims had already had their bank accounts compromised. The UKs Information Commissioner's Office warned EasyJet customers to look out for phishing scams or signs of secondary account compromise in the near future.

EasyJet claimed criminals seemed to be after the company’s intellectual property, rather than information that could be used in identity theft. Still, the company stands to lose a huge sum of money as a result: the ICO can impose a fine of 4% of EasyJet’s turnover in 2019, amounting to almost £255m, and aggrieved customers are likely to defect to rival organisations.

Privacy Affaris Report

In 2020, a report from Privacy Affairs revealed in shocking detail what can happen to stolen personal data.

The report found cyber criminals on the Dark Web will pay £800 on average for a full range of stolen documents that enable them to steal identities. In particular, hacked Facebook accounts were priced at about £60.

Other information for sale included credit card data (CVVs, PINs, login information), hacked payment processing services, forged documents (driving license, national ID cards, passports), and hacked social media accounts

The report concludes by advising people to secure their information. It recommends people install antivirus systems on all internet-connected devices, avoid divulging sensitive information over the phone or via SMS, check ATMs for potential skimming devices, and use different passwords across different accounts. All reduce the risk of personal details appearing on the Dark Web.

SebDB is brought to you byCybSafe| © 2020 CybSafe Ltd