A portion of what appears to be data hacked from the district was posted online in a nearly hour-long video by the ransomware group Medusa on Tuesday — it has since been removed.
“All signs point to the Medusa ransomware group, conducting what's called double extortion on the school district,” said Mark Keierleber, an investigative reporter at The 74.
“They are downloading data, locking the district out of systems and threatening to release that data on the dark web if [Minneapolis school officials] don't pay what appears to be a million dollar ransom.”
Minnesota’s third-largest district had also warned families, students and staff that private information hacked from its computer system had been posted online. A statement from a district spokesperson did not offer details about what kind of information was posted or where it was posted to.
Public schools often have sensitive data on families and students, including financial information, health and discipline records and other identifying material.
The data in question, according to Brett Callow, a threat analyst for the cybersecurity firm Emsisoft, can be used by ransomware attackers for illegal means.
“If their data has been compromised, there is a real risk it could be misused for the purposes of identity fraud, for extortion attempts against those individuals, or the ransomware gang could try to weaponize those individuals,” Callow said.
“In other cases, people have been contacted by email or phone in some cases and the attackers have said, ‘We have all your personal information. We suggest you contact the organization and tell them that they need to pay us.’”
The Minneapolis district said it has reported the incident to law enforcement and is working with IT specialists to review the data in order to contact impacted individuals.
It’s also warning families not to respond to suspicious emails or phone calls and to report any threats or suspicious messages to the district by emailing: privacy@mpls.k12.mn.us
A district spokesperson says its communications to families about the breach are transmitted in English, Spanish, Somali and Hmong.
District officials are advising students, staff and families to change all passwords for any online personal accounts that may have been accessed on MPS devices. They’re suggesting families reach out to credit reporting bureaus such as Equifax, Experian and TransUnion to freeze their minors’ credit accounts to prevent identity theft.
“The best recourse that parents and educators and students really have is to look at bolstering your own security,” Keierleber said. “Don’t reuse the same passwords, implement a password manager, two-factor authentication.”
Attacks like this one have become more common in recent years. Callow said close to 100 similar events have happened in school districts around the country every year since 2019.
But it can be difficult for districts to deal with the threats.
“Cybersecurity spending isn't always a top priority for districts. They want to spend money on educating kids,” Callow said. “The ideal solution to my mind would be for the federal government to roll out a centrally managed solution that all schools could use because all schools need to do basically the same things.”
(This story has been updated to include a district spokesperson’s response to an MPR News question about which languages the district uses to communicate messages with families.)
-
Protect yourself: Cyber security analyst warns of information … – MPR News
-
TSA issues new cybersecurity requirements for airport and aircraft … – Transportation Security Administration
WASHINGTON – Today, the Transportation Security Administration (TSA) issued a new cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced in October 2022 for passenger and freight railroad carriers. This is part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure and follows extensive collaboration with aviation partners.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
TSA is taking this emergency action because of persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector. The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure. They must also proactively assess the effectiveness of these measures, which include the following actions:
This is the latest in TSA’s efforts to require that critical transportation sector operators continue to enhance their ability to defend against cybersecurity threats. Previous requirements for TSA-regulated airport and aircraft operators included measures such as reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan and completing a cybersecurity vulnerability assessment.
On Thursday March 2, the Biden-Harris Administration announced the National Cybersecurity Strategy to secure the full benefits of a safe and secure digital ecosystem for all Americans. With this amendment and other ongoing efforts, TSA will continue to work closely with the Department of Transportation, CISA and industry partners to strengthen the cybersecurity resilience of the nation’s critical infrastructure.
-
Cybercriminals are using ChatGPT to make their jobs easier too – Business Insider
Whether it is writing essays or analyzing data, ChatGPT can be used to lighten a person’s workload. That goes for cybercriminals too.
Sergey Shykevich, a lead ChatGPT researcher at cybersecurity company Check Point, has already seen cybercriminals harness the AI’s power to create code that can be used in a ransomware attack.
Shykevich’s team began studying the potential for AI to lend itself to cyber crimes in December 2021. Using the AI’s large language model, they created phishing emails and malicious code. As it became clear ChatGPT could be used for illegal purposes, Shykevich told Insider the team wanted to see whether or not their findings were “theoretical” or if they could find “the bad guys using it in the wild.”
Because it’s hard to tell if a harmful email delivered to someone’s inbox was written with ChatGPT, his team turned to the dark web to see how the application was being utilized.
On December 21, they found their first piece of evidence: cybercriminals were using the chatbot to create a Python script that could be used in a malware attack. The code had some errors, Shykevich said, but much of it was correct.
“What is interesting is that these guys that posted it had never developed anything before,” he said.
Shykevich said that ChatGPT and Codex, an OpenAI service that can write code for developers, will “allow less experienced people to be alleged developers.”
Misuse of ChatGPT — which is now powering Bing’s new, already troubling chatbot — is worrying cybersecurity experts, who see the potential for chatbots to aid in phishing, malware, and hacking attacks.
Justin Fier, director for Cyber Intelligence & Analytics at Darktrace, a cybersecurity company, told Insider when it comes to phishing attacks, the barrier to entry is already low, but ChatGPT could make it uncomplicated for people to efficiently create dozens of targeted scam emails — as long as they craft good prompts.
“For phishing, it is all about volume — imagine 10,000 emails, highly targeted. And now instead of 100 positive clicks, I’ve got three or 4,000,” Fier said, referring to a hypothetical number of people who may click a phishing email, which is used to get users to give up personal information, such as banking passwords. “That’s huge, and it’s all about that target.”
In early February, cybersecurity company BlackBerry released a survey of 1,500 information technology experts, 74% of whom said they were worried about ChatGPT aiding in cybercrime.
The survey also found that 71% believed ChatGPT may already be in use by nation-states to attack other countries through hacking and phishing attempts.
“It’s been well documented that people with malicious intent are testing the waters but, over the course of this year, we expect to see hackers get a much better handle on how to use ChatGPT successfully for nefarious purposes,” Shishir Singh, Chief Technology Officer of Cybersecurity at BlackBerry, wrote in a press release.
Singh told Insider these fears stem from the rapid advancement of AI in the past year. Experts have said that advancements in large language models — which are now more adept at mimicking human speech — have proceeded quicker than expected.
Singh described the rapid innovations as something out of a “science fiction movie.”
“Whatever we have seen in the last 9 to 10 months we’ve only seen in Hollywood,” Singh said.
As cybercriminals begin to add things like ChatGPT to their toolkit, experts like former federal prosecutor Edward McAndrew are wondering whether companies would bear some responsibility for these crimes.
For example, McAndrew, who worked with the Department of Justice investigating cybercrime, pointed out that if ChatGPT, or a chatbot like it, counseled someone into committing a cybercrime, it could be a liability for companies facilitating these chatbots.
In dealing with unlawful or criminal content on their sites from third-party users, most tech companies cite Section 230 of the Communications Decency Act of 1996. The act states that providers of sites that allow people to post content — like Facebook or Twitter — are not responsible for speech on their platforms.
However, because the speech is coming from the chatbot itself, McAndrew said the law may not shield OpenAI from civil suits or prosecution — although open source versions could make it more difficult to tie cyber crimes back to OpenAI.
The scope of legal protections for tech companies under Section 230 is also being challenged this week before the Supreme Court by a family of a woman slain by ISIS terrorists in 2015. The family argues that Google should be held liable for its algorithm promoting extremist videos.
McAndrew also said ChatGPT could also provide a “treasure trove of information” for those tasked with gathering evidence for such crimes if they were able to subpoena companies like OpenAI.
“Those are really interesting questions that are years off,” McAndrew said, “but as we see it has been true since the dawn of the internet, criminals are among the earliest of adopters. And we’re seeing that again, with a lot of the AI tools.”
In the face of these questions, McAndrew said he sees a policy debate on how the US — and the world in general — will set parameters for AI and tech companies.
In the BlackBerry survey, 95% of IT respondents said governments should be responsible for creating and implementing regulations.
McAndrew said the task of regulating it can be challenging, as there isn’t one agency or level of government exclusively charged with creating mandates for the AI industry, and that the issue of AI tech goes beyond the US borders.
“We’re going to have to have international coalitions and international norms around cyber behavior, and I expect that will take decades to develop if we’re ever able to develop it.”
One thing about ChatGPT that could make cybercrime more difficult is that it is known for being confidently erroneous — which could pose a problem for a cybercriminal trying to draft an email meant to mimic someone else, experts told Insider. In the code that Shykevich and his colleagues discovered on the dark web, the errors needed corrections before it would be able to aid in a scam.
In addition, ChatGPT continues to implement guardrails to deter illegal activity, although these guardrails can often be sidestepped with the right script. Shykevich pointed out some cybercriminals are now leaning into ChatGPT’s API models — open-source versions of the application that do not have the same content restrictions as the web user interface.
Shykevich also said that at this point, ChatGPT cannot aid in creating sophisticated malware or creating fake websites that appear, for example, to be a prominent bank’s website.
However, this could one day be a reality as the AI arms race created by tech giants could hasten the development of better chatbots, Shykevich told Insider.
“I’m more concerned about the future and it seems now that the future is not in 4-5 years but more in like in a year or two,” Shykevich said.
OpenAI did not immediately respond to Insider’s request for comment.
-
Fill the cybersecurity talent gap with inquisitive job candidates – Help Net Security
The impact of the Great Resignation and the Great Reshuffle is still strongly felt across many industries, including cybersecurity. There is a talent gap: Companies are struggling to hire enough talent to fulfill their needs and goals.

According to a McKinsey Global Survey, nearly nine out of 10 executives and managers say their organizations face a skills gap or expect one to develop by 2024. This means the talent they do have may not possess the necessary skills to excel in their roles.
However, another impact of these trends is that people who are resigning are also looking to change careers and industries entirely. This is a shift that can help organizations minimize the talent and skills gap by looking at a new crop of job candidates who are searching for a different purpose. This is especially true for the cybersecurity field. As we’ve learned over the past couple of years, a cyber degree or typical cyber background isn’t a requirement to be a successful security professional. What arguably matters more are the characteristics or “soft skills” that an employee exhibits.
While I have a background in environmental science, I now lead the Cyber Protection Solutions team at Raytheon Intelligence & Space. Due to my own unconventional route into the field, I have seen firsthand the value of recruiting people with different skills and character traits that are transferable to a cyber role. As more people with unconventional backgrounds look to enter a new field, we can take advantage by identifying a few key traits that might make such candidates crucial to the cybersecurity industry.
Tenacity is a mix of traits including perseverance and grit – all of which can set a job candidate apart. When beginning a career in cybersecurity, with or without a degree or previous experience in the field, there are many learning opportunities, but also multiple learning curves. Tenacity is an important skill to push through these curves, while also being able to absorb new knowledge and apply it for future success.
Additionally, the threats cybersecurity teams face evolve continuously, which require them to pivot often and quickly look for the best solutions. Tenacity plays a key role in making sure that these pivots and solutions are impactful. As hiring teams look at new potential talent from a broader talent pool, identifying those who are tenacious is a great indicator of their potential success – especially for those with non-cyber backgrounds.
Curiosity is also critical when entering the cybersecurity field. Especially for those coming from an atypical background, curiosity can lead to the discovery of solutions that may have otherwise been overlooked. It can help them figure out how hackers think and behave, and influence proactive defense strategies after being able to step into their shoes.
Curious minds can further lead to the discovery of additional interests within the many facets of the field, making those individuals more well-rounded cybersecurity professionals. As hiring managers look to fill cybersecurity roles, identifying curious candidates can be just as – if not more – beneficial than looking for someone who has “typical” cybersecurity qualifications.
Another important quality hiring teams can look for in potential cybersecurity candidates is a strong willingness to learn. This encompasses both tenacity and curiosity: Those who are determined and interested in discovering new information are consistently willing and ready to face new challenges. Cybersecurity can be complex and multifaceted, and those who can be patient and take the time to learn the breadth and depth of the field can be successful in unique ways.
Cyber threats and the defense strategies used to combat them are always evolving. Those who have a willingness to learn will be more adept at keeping up with these changes and learning how to adapt them into current processes. Many technical skills can be taught, but a willingness to learn comes naturally. Of course, it is the combination of these traits that widens the talent pool.
As organizations continue to feel the impact of the Great Resignation and the Great Reshuffling, they will face talent and skills gaps that can impact all facets of the business. When looking to hire new employees, the cybersecurity industry would be remiss not to consider talent from varying and unique backgrounds. It won’t be easy, and training will be necessary, but with the proper supportive environment, a diverse set of skills will help you build a stronger cybersecurity team. -
Soaring levels of cyber crime and fraud prompt SBRC rebrand – Insider.co.uk
Cyber crime has risen 92% in past two years, while fraud cases are also becoming much more regular
Scotland’s business resilience organisation has changed its name to reflect a rising national threat from cyber crime and fraud.
The Scottish Business Resilience Centre (SBRC), the not-for-profit dedicated to helping educate and support Scottish organisations to avoid the fallout from cyber crime, will now be known as the Cyber and Fraud Centre – Scotland, as it extends its focus to also include financial fraud.
The new brand comes as cyber attacks and fraud are on the rise: latest figures from Police Scotland show the number of cyber crimes in 2021-22 was nearly double that of 2019-20, and fraud has increased 86% this decade.
Paul Atkinson, chair of Cyber and Fraud Centre – Scotland, noted: “Over half of reported crime is related to fraud or cyber, but they’re both hugely underreported – so it’s likely they pose an even greater threat than the numbers indicate.
“As a nation, we are handling support for cyber crime victims well, but victim support around financial fraud is severely lacking.
“We need to examine how to collectively prevent and protect from this type of fraud, and the Cyber and Fraud Centre – Scotland team is well equipped to lead the conversation around this.”
The centre's chief executive Jude McCorry said: “Financial fraud – including cyber crime – is set to be reclassified as a threat to national security, which will see it treated as seriously as terrorism and civil emergencies.
“We’ve seen a huge increase in this type of crime over the past year, and a lot of victims don’t get the support they need, which is why we’ve added fraud to our organisation’s purpose.
“Cyber crime such as cyber attacks and financial fraud often cause businesses to pause operations; ransomware attacks prevent them from accessing their systems and financial fraud could render them unable to pay wages and suppliers.
“This can be devastating for small businesses and charities in particular, who may end up ceasing operations entirely.”
She continued: “We’ve renamed ourselves Cyber and Fraud Centre – Scotland in recognition of our enhanced focus on empowering and educating organisations across the country on the risks caused by cyber crime and fraud.
“The name also clarifies what we do and means we are holding ourselves accountable and committed to tackling cyber crime and fraud to make Scotland a safer place to do business.”
Cyber and Fraud Centre – Scotland will continue its working relationships with partner organisations including the Scottish Government and Police Scotland, to ensure its members can access training programmes and industry experts as needed.
-
DNA Diagnostic Center fined $400,000 for 2021 data breach – CSO Online
By Apurva Venkat
Principal Correspondent, CSO
DNA Diagnostics Center, a DNA testing company, will pay a penalty of $400,000 to the attorneys general of Pennsylvania and Ohio for a data breach in 2021 that affected 2.1 million individuals nationwide, according to a settlement deal with the states’ attorneys general.
The company will also be required to implement improvements to its data security, including updating the asset inventory of its entire network and disabling or removing any assets identified that are not necessary for any legitimate business purpose.
Founded in 1995, DNA Diagnostic Center is a private DNA-testing company that offers diagnostic and genetic tests to help answer relationship, fertility, and health and wellness questions.
DNA Diagnostics Center’s hacking incident involved legacy data from Orchid Cellmark, which the company had acquired in 2012 to expand its business portfolio. “Specifically, the breach involved databases that were not used for any business purpose, but were provided to DNA Diagnostic Center as part of a 2012 acquisition of Orchid Cellmark,” the settlement agreement said.
DNA Diagnostic Center claimed that the breach impacted databases containing sensitive personal information, and that the data was accidentally transferred to the company without its knowledge. “DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach — more than nine years after the acquisition,” the settlement agreement noted.
“Negligence is not an excuse for letting consumer data get stolen,” Ohio Attorney General Dave Yost said in a statement.
The stolen data was collected between 2004 and 2012. The joint investigation by Ohio and Pennsylvania found DNA Diagnostics Center made unfair and deceptive statements about its cybersecurity and failed to employ reasonable measures to detect and prevent a data breach, exposing its consumers to harm.
The breach exposed the Social Security numbers and other personal data of about 33,300 consumers in Ohio, and about 12,600 in Pennsylvania. DNA Diagnostics Center will pay a $200,000 HIPAA fine to Ohio and a $200,000 HIPAA penalty to Pennsylvania.
DNA Diagnostic Center was alerted to suspicious activity by its third-party data breach monitoring vendor, but the alerts were overlooked by the company. “The contractor repeatedly attempted to notify DNA Diagnostics through email, but company employees overlooked the emails for over two months,” the settlement agreement said.
During this time period, the attackers installed Cobalt Strike malware in the company’s network and extracted data.
Investigations revealed that the threat actor logged into a virtual private network on May 24, 2021, using a DNA Diagnostic Center user account and harvested Active Directory credentials from a domain controller that provided password information for each account in the network.
The settlement agreement also noted that when the threat actor initially accessed the VPN, DNA Diagnostic Center had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access.
On June 16, 2021, the threat actor used a test account that had administrator privileges to create a persistence mechanism that executed Cobalt Strike throughout the environment.
Between July 7, 2021, and July 28, 2021, the threat actor accessed five servers and collectively backed up a total of 28 databases from the servers using a decommissioned server.
In September 2021, the threat actor contacted the company and demanded payment. The company made the payment to the hacker in exchange for the deletion of stolen data, the settlement agreement noted.
The settlement requires DNA Diagnostics Center to maintain reasonable security policies designed to protect consumer personal information. It also requires the lab to designate an employee to coordinate and supervise its information security program.
The DNA testing company will also have to conduct security risk assessments of its networks that store personal information annually, maintain an updated asset inventory of the entire network and disable or remove any assets identified that are not necessary for any legitimate business purpose.
The company will have to design and implement reasonable security measures for the protection and storing of personal information, including timely software updates, penetration-testing of its networks, and implementation of reasonable access controls such as multi-factor authentication, and detect and respond to suspicious network activity within its network within reasonable means, the settlement statement added.
Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld.
Copyright © 2023 IDG Communications, Inc.
-
FinCEN’s Cybercrime and Cybersecurity Policies – ACAMS Today
February 24, 2023
-
Karnataka lost nearly Rs 1 crore every day to cybercrimes in 2022: Home Department – The Indian Express
Nearly Rs 1 crore on an average was stolen every day by cyber fraudsters in 2022 from individuals in Karnataka, recording a surge of 150 per cent in the money lost in internet crimes, according to the data shared by the state home department. Karnataka lost a whopping Rs 363 crore in 2022, and since 2019 the scamsters have managed to siphon away Rs 722 crore.
Responding to a question raised by MLC M Nagaraj at the legislative council, the home department said that in 2022, Karnataka lost Rs 363,11,54,443, while officials also managed to recover 12 per cent of the sum, i.e. Rs 46,87,89,415. In 2021, the state lost Rs 145,05,85,810 to cyber crimes. There has been no let-up in such crimes even in 2023, as the state registered 1,325 cybercrime cases in January alone and several individuals lost Rs 36.63 crore to the scamsters.
According to the official data, Bengaluru topped the chart with victims losing Rs 266,70,35,040, followed by Mysuru city at a distant second (Rs 14,07,03,467) and Mandya district in the third spot (Rs 13,82,22,366).
In 2022, the number of cyber crime cases in Karnataka skyrocketed to 12,551 compared to the previous year’s 8,132.
According to a police officer, the recovery of money in cybercrime cases is really hard because of various factors, including digital wallets, delay in reporting the crime and lack of coordination among states. “Whatever recovery has been made is with the help of the Cyber Crime Information Report (CIR). Also we need to accept that the state has a good mechanism to report cyber crimes, with CEN police stations at every division level in Bengaluru and one each in the districts of the state,” said a police officer.
A senior police officer said that the mode of cybercrimes has changed due to the increasing dependence on digital payment applications post Covid-19.
“Like earlier days, cyber criminals won’t be asking for One Time Password (OTP) or engaged in Skimming, largely. Cyber education is very much essential at schools as internet crimes are likely to increase in the days to come,” said the officer.
The Home Department in its response said that it has been making efforts to create awareness among the public by distributing cyber awareness books and is also trying to educate children against cyber bullying.
Year-wise data on cyber crime cases in Karnataka:
2019
Total money lost in cyber crime cases: Rs 71,27,19,806
Total money recovered in cyber crime cases: Rs 8,59,45,570
2020
Total money lost in cyber crime cases: Rs 1,05,99,55,357
Total money recovered in cyber crime cases: Rs 14,83,49,627
2021
Total money lost in cyber crime cases: Rs 1,45,05,85,810
Total money recovered in cyber crime cases: Rs 25,96,33,607
2022
Total money lost in cyber crime cases: Rs 3,63,11,54,443
Total money recovered in cyber crime cases: Rs 46,87,89,415
2023 (Till end of January)
Total money lost in cyber crime cases: Rs 36,63,82,797
Total money recovered in cyber crime cases: Rs 1,03,44,045
Total number of cyber crime cases registered:
2020: 10,738
2021: 8,132
2022: 12,551
2023 (till end of January): 1,325
-
Equifax, Experian Must Pay More Than Pennies for Data Breaches – Bloomberg Tax
By Andrew Leahey
Personal data is big business. Recent news of the 2017 Equifax data breach settlement checks reaching the 147 million Americans affected focused on the paucity of the per-consumer amount—which were mostly in the single-digit-dollar range. The settlement pool was more than $380 million, but when the breach included just a shade under 45% of the US population, even hundreds of millions of dollars doesn’t go very far.
But we still need entities such as Equifax, and we can’t shut them down simply because they leaked out just under half of our identities. After all, what about the other 56% of the population that the company presumably didn’t have information on or somehow didn’t leak? Isn’t that worth something?
Sure, and so are Equifax Inc., Experian PLC, and the like. Experian is an information company similar to Equifax that, in 2015, leaked out a mess of data on T-Mobile customers and paid about 0.0004% of its value—derived chiefly from said data—to do so. Experian offers a protection plan that costs about $25 per month. If the Equifax payout is any indication, most folks’ settlement checks will cover about a week of that plan. And if you purchased said plan immediately in the wake of the breach news, you’d have paid in just shy of $1,500 by the time you’re reading this.
Credit reporting agencies may need to be incentivized through a fine or excise tax. Because unlike the tech companies, there isn’t a tremendous amount of competition. It isn’t as though, in light of the Equifax and Experian breaches, one can simply take their consumer credit report information elsewhere.
Companies such as Apple Inc., Google LLC, and Meta Platforms Inc. will often offer what’s called a bug bounty, or a fund for ethical white hat hackers that report discovered vulnerabilities to be patched rather than sold on the open market. This motivates hackers who would prefer to operate above board to act as a nefarious hacker might—but to lay out what they found to the company itself rather than to the dark web.
Perhaps we should ask why we’re considering reorienting a policy to reward the hackers who necessitate the policy to begin with while putting money in the hands of those who would gleefully leak our information if we didn’t pay them not to. But protecting the status quo is to make permanent the identity of winners and losers. It’s hard to tell who the winner is, but it’s crystal clear who the losers are.
Offering incentives to white hats corrals market forces to put a value in the legitimate economy on something that only had value in the underground economy. The same approach needs to be taken here. If credit reporting agencies need to exist, they need to have incentives to offer bounties on confirmed exploits.
A completed portfolio or tax return for an individual shouldn’t be selling for $70 apiece on the dark web; the individual who found the vulnerability that led to the leak should already have been paid hundreds of thousands of dollars by the credit agency through a legitimate channel.
There’s a theory in tort law that, to ascertain the fairness of compensation after the fact, one might reimagine an exchange between two parties that gives rise to a claim as a pre-negotiated contract.
In this case, one party theoretically approaches 147 million Americans one at a time and informs them that they would very much like to leak their information. The individuals theoretically hear the request and agree to the contract but respond that they’d need to be paid about $7 for their troubles.
Imagine if you approached people on the street and asked if they’d be willing to share a piece of identifying information, such as a driver’s license or Social Security Number, for $7—you wouldn’t get a lot of takers. And yet, it seems this has been deemed fair compensation for having that information taken from you and made public.
One might also look to the value of that information in the marketplace. In this case, the “marketplace” would be the dark web, where 2022 individual completed 1040 forms with proof of identity are selling for about $70. The entrepreneurs peddling these portfolios indicate much of the information was gleaned from the 2017 Equifax breach.
Whether or not that’s true, it is true that personal information being sold in bulk is almost certainly from some sort of breach—Experian, Equifax, or one of the myriad others. And if that breach ended in a settlement, there’s no reason to believe it would lead to more favorable compensation terms for the victims.
Suffice it to say, then, that the justice system values our personal information at a bit under $10, while fraudsters value it at around $70. And we would each likely pay 10 times that to avoid the hassle and headache of having to deal with identity theft.
This is a regular column from tax and technology attorney Andrew Leahey, principal at Hunter Creek Consulting and a sales suppression expert. Look for Leahey’s column on Bloomberg Tax, and follow him on Mastodon at @andrew@esq.social.