The last decade has seen a staggering number of high-profile security breaches, resulting in billions of records being compromised. The Equifax data breach alone compromised millions of records. Companies such as Target Stores, Home Depot, eBay and Marriott also have suffered massive financial loss and irreparable damage to their reputations as a result of these breaches. But as devastating as these high-profile security breaches can be, the one question that I never hear anyone asking is: What is the hackers’ true motivation for breaching these companies?
Every hacker is different, and so there are almost certainly varying reasons why they do what they do. For some, high-profile security breaches such as the Equifax data breach are probably about gaining notoriety. Consider, for example, that at one time it was common for hackers to remove the copy protection from PC games, and then modify the game’s opening screen to display a message such as “Cracked by Blackbeard the Pirate.” I’m using a fictitious hacker alias here, but the point is that cyber criminals would use this method to gain notoriety. By attaching their alias to their work, everyone would know that they had managed to beat some gaming company’s copy protection mechanism.
Another reason why a hacker may choose to attack a large corporation is to cause financial damage. Hackers may have some sort of personal vendetta against the company, or they may just want to inflict harm on anyone that they can.
Perhaps a bigger motivating factor, however, is the potential for financial gain. Of course, many companies do not retain their customer’s credit card numbers, so it is worth considering how a hacker might financially benefit from a hack when they fail to acquire any credit card numbers.
For example, imagine that a hacker manages to access the customer database for a Fortune 500 company. The hacker manages to download hundreds of millions of customer records, but does not acquire any credit card numbers as a result of the hack.
In this type of situation, there are two main ways in which the hacker could financially profit from the hack.
The hacker might financially benefit by selling the stolen records to someone else. All of us have probably heard those late-night commercials talking about criminals selling our data on the Dark Web. Although many of these commercials are using overhyped scare tactics in an effort to sell a product or service, stolen data is often sold online. Selling stolen data might not net hackers nearly as much money as they could potentially make by actually exploiting the data, but selling data poses significantly less risk than actually using the data.
The other way in which a hacker might profit from stolen data is, of course, to actually use the data. Even if the data does not contain credit card numbers, there are still ways for a hacker to capitalize on the data’s contents. One such method is to engage in social engineering schemes in an effort to get what it is that the hacker really wants.
Suppose for a moment that a hacker steals customer records from a large chain of hotels, but does not gain access to any credit card numbers. If the hacker has the guests’ names and contact information along with all of the information about their stay at the hotel, then it would be relatively easy for the hacker to engage in a social engineering scam.
The scam might begin with the hacker purchasing a subscription to a virtual PBX, and then setting the virtual PBX system’s caller ID information to display the name of the hotel. That way, when the hacker calls hotel guests, the call appears to be originating from the hotel.
At that point, the hacker simply poses as a hotel employee and begins calling guests on the phone. The hacker might begin the conversation by saying something like, “I see that you stayed with us on Monday and Tuesday night last week. Was everything OK with your stay?”
After engaging the guest in a bit more friendly banter, the hacker might say something like, “As a way of thanking you for your business and for the 38 times that you have stayed with us since becoming a rewards member in 2006, I want to refund your room service and parking charges from last week.”
Remember, the hacker has all of the customer records, and can therefore appear to be completely legitimate by dropping in bits of information, such as when the guest became a rewards member or how many times the guest has stayed at the hotel in the past. At this point, the hacker simply asks the guest, “Which credit card do you want me to credit the amount to?” The hacker does not have the credit card number, of course, so he or she says something like, “That card isn’t showing up in the system for some reason. Would you mind giving me that number again?”
By using this type of social engineering scheme, the hacker can easily gain access to credit card numbers, even though credit card numbers were not included in the stolen records. Although I used a hotel as the basis for this particular example, the technique could conceivably be adapted for use with nearly any type of business.
You can see how easily this kind of hack could be perpetrated--and how hard companies need to work to protect--and educate--themselves, their employees and their customers.