Zomato got lucky, you might not: Stolen data could make you vulnerable to extortion

Last week, cyber criminals hacked food and restaurant search engine Zomato's website and stole 17 million users' data.

The restaurant aggregator had to strike a deal with the hacker, who has agreed to destroy all data and not sell it over the deep net marketplace.

Data theft, malware attacks are gradually increasing are turning out to be a major threat to security. Most businesses so far have not prioritized cybersecurity and now face a rude awakening in the form of periodic hacking attempts.

"We can no longer look at cyber security as a ‘server room’ issue; it is a critical subject that needs the attention of the Boards of India Inc." Kartik Shinde, Partner – Cyber Security, Financial Services, EY had told Moneycontrol in an interview.

"Traditional security mechanisms no longer provide the organisations the protection that they need. Breaches will occur and when they do, leaders must ensure they’ve protected the most vital aspect to them and the core of their business - the data. Companies need to understand that being breached is not a question of “if” but “when”," says Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto.

He quoted Gemalto’s recently released 2016 Breach Level Index, which shows that in India, 36.6 million data records were compromised last year.

Zomato got lucky as they met a kind-hearted ethical hacker who's key request was to have the company run a healthy bug bounty program for security researchers.

Other companies or government organisations might not be this fortune and are more likely to have a run with hackers behind the WannaCry ransomware attack.

Even if a hacker is not able to get his or her hands on your financial details, personal details like email id and phone number hold a lot of value in the market and can be misused.

So what usually happens to the stolen data? Rana Gupta lists different scenarios in which stolen data is exploited:

-Bringing disrepute to the brand image of the organization that lost the data, in case the organization fails to pay in lieu of the hacker not releasing the data on the internet.

-Sale of the data to competitive organizations – e.g. the customer data for Maruti Suzuki shall be of great interest to its competitors in order to run marketing campaigns to upgrade the existing customers to newer brands.

-Use of the data to attack the individuals – e.g. in case the personal data and credit card data is stolen then the same can possibly be used to launch unauthorized transactions; another scenario can be to negotiate with individual customer in case of any harmful information (say in case of healthcare or extra-marital affair site) is found that can be highly embarrassing to the individual concerned.

"In case the data is modified then the consequences can be even more severe. Today, a data-set is used as an input for to derive decisions. For example, if the health-care history for an individual is modified in the Hospital Management System and that incorrect information is used by the doctor to make the decisions about next steps then it could well be fatal for a patient," Gupta says.

After the data is stolen and sold off over the deep net, an individual becomes vulnerable to various ways of extortion.

As per Rana Gupta, if the Income Tax filing details are shared over the deep net, there could be criminals interested in sniffing out the highest earning individuals and their contact details. They could then extort money from those people.

“Essentially, anything that can possibly be done in the standard criminal scenario can be much more easily done in cyber-crime,” Gupta says.

Follow @shukla_05sid