Via Bruce Schneier, two Harvard undergraduates have demonstrated that the volume of easily-obtainable information from multiple, large-scale data breaches makes targeting people for cybercrime easier than you could have guessed:
The students found a dataset from a breach of credit reporting company Experian, which didn’t get much news coverage when it occurred in 2015. It contained personal information on six million individuals. The dataset was divided by state, so [students Dasha] Metropolitansky and [Kian] Attari decided to focus on Washington D.C. The data included 69 variables—everything from a person’s home address and phone number to their credit score, history of political donations, and even how many children they have.
But this was data from just one leak in isolation. Metropolitansky and Attari wondered if they could identify an individual across all other leaks that have occurred, combining stolen personal information from perhaps hundreds of sources.
There are sites on the dark web that archive data leaks, allowing an individual to enter an email and view all leaks in which the email appears. Attari built a tool that performs this look-up at scale.
“We also showed that a cyber criminal doesn’t have to have a specific victim in mind. They can now search for victims who meet a certain set of criteria,” Metropolitansky said.
For example, in less than 10 seconds she produced a dataset with more than 1,000 people who have high net worth, are married, have children, and also have a username or password on a cheating website. Another query pulled up a list of senior-level politicians, revealing the credit scores, phone numbers, and addresses of three U.S. senators, three U.S. representatives, the mayor of Washington, D.C., and a Cabinet member.
“We’re two college students. If someone really wanted to do some damage, I’m sure they could use these same techniques to do something horrible,” [Metropolitansky said].
As Schneier points out, “you can be sure that the world’s major intelligence organizations have already done all of this.”
This is also why we need government regulation or stricter liability laws around data breaches. Experian’s sloppiness imperiled six million people and has probably already resulted in crime, yet the company has no incentive to fix its problems. In fact, it didn’t even disclose the breach for years.