How to figure out if a data breach is a hoax

Deloitte has published ways to figure out if an organization has really been breached

The notoriety that comes with taking credit for a data breach is alluring. Declaring a successful data breach can suddenly bring a lot of attention, which is why posting bogus data is attractive.

For companies and organisations, it's a real headache, since an allegation of a breach can immediately pose public relations challenges.

"The speed of the news cycle is a lot faster than the speed of the incident response process," said Allison Nixon, a threat researcher with consultancy Deloitte.

Nixon wrote a paper describing some non-intrusive techniques for figuring out if a data breach is legitimate. The paper, she said in a phone interview on Wednesday, is intended to allow third parties to get a sense whether a leak is real.

Bogus data releases, or ones that recycle data from old breaches, are common. Since data breaches draw attention, it's easy for fame-seekers to insert a political message along with the data on sites such as Pastebin, a site for anonymously posting content.

"I would say that the motivations are really based on power, ego and fame," Nixon said. "The people that are releasing these leaks -- most of them are doing so under a handle, and they're trying to build a reputation.

"If you're unable to produce a real data breach, then I guess this is the next best thing," she said.

One of the verification techniques is figuring out if a particular email address really was used to register an account with a Web service. Some sites won't allow two accounts to be registered with the same email address.

"If the company does enforce e-mail uniqueness, the veracity of the leak can be tested by changing an account's e-mail to randomly selected e-mails in the leak," according to the paper. "Almost all e-mails should be traceable to the company's site; untraceable emails indicate that the leak is very likely fake."

Other Web services will also "leak" a bit of information, such as whether a username exists or not, which can also indicate if the published data is a true leak.

Nixon cautioned that it is not recommended to try the purportedly leaked username and password combinations to log in to a Web service. That could have legal ramifications.

"The techniques compiled in this paper were done so with the idea of causing minimal impact and causing minimal legal problems," Nixon said.

In other cases, just looking at username and password combinations and the service that the details purportedly came from can send up a red flag.

For example, websites that have restrictions on what types of passwords are acceptable can help to debunk a breach. If the results from a supposed breach contain simple passwords such as "123456" on a website that requires stronger passwords, "the leak should be treated with suspicion," the paper said.

Nixon said she came up with an idea for another test that might indicate a breach is real.

One leak she analyzed consisted of credit card data. She thought the data was fake because it was potentially valuable in the underground. It didn't make sense for someone to freely publish the data if it had value.

To test it, Nixon compared first names of people in the breach with a list of the most common names based on their birth year. The distribution of names indicated the breach might be legitimate.

"It would be interesting to see further research in that area," Nixon said.

However, further investigation showed the credit card data was old, as the expiration dates of the cards had mostly passed, Nixon said. The data had merely been recycled and didn't really come from its purported source.

"There was no new breach," she said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitydata breachDeloitte

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?