How to figure out if a data breach is a hoax

Deloitte has published ways to figure out if an organization has really been breached

The notoriety that comes with taking credit for a data breach is alluring. Declaring a successful data breach can suddenly bring a lot of attention, which is why posting bogus data is attractive.

For companies and organisations, it's a real headache, since an allegation of a breach can immediately pose public relations challenges.

"The speed of the news cycle is a lot faster than the speed of the incident response process," said Allison Nixon, a threat researcher with consultancy Deloitte.

Nixon wrote a paper describing some non-intrusive techniques for figuring out if a data breach is legitimate. The paper, she said in a phone interview on Wednesday, is intended to allow third parties to get a sense whether a leak is real.

Bogus data releases, or ones that recycle data from old breaches, are common. Since data breaches draw attention, it's easy for fame-seekers to insert a political message along with the data on sites such as Pastebin, a site for anonymously posting content.

"I would say that the motivations are really based on power, ego and fame," Nixon said. "The people that are releasing these leaks -- most of them are doing so under a handle, and they're trying to build a reputation.

"If you're unable to produce a real data breach, then I guess this is the next best thing," she said.

One of the verification techniques is figuring out if a particular email address really was used to register an account with a Web service. Some sites won't allow two accounts to be registered with the same email address.

"If the company does enforce e-mail uniqueness, the veracity of the leak can be tested by changing an account's e-mail to randomly selected e-mails in the leak," according to the paper. "Almost all e-mails should be traceable to the company's site; untraceable emails indicate that the leak is very likely fake."

Other Web services will also "leak" a bit of information, such as whether a username exists or not, which can also indicate if the published data is a true leak.

Nixon cautioned that it is not recommended to try the purportedly leaked username and password combinations to log in to a Web service. That could have legal ramifications.

"The techniques compiled in this paper were done so with the idea of causing minimal impact and causing minimal legal problems," Nixon said.

In other cases, just looking at username and password combinations and the service that the details purportedly came from can send up a red flag.

For example, websites that have restrictions on what types of passwords are acceptable can help to debunk a breach. If the results from a supposed breach contain simple passwords such as "123456" on a website that requires stronger passwords, "the leak should be treated with suspicion," the paper said.

Nixon said she came up with an idea for another test that might indicate a breach is real.

One leak she analyzed consisted of credit card data. She thought the data was fake because it was potentially valuable in the underground. It didn't make sense for someone to freely publish the data if it had value.

To test it, Nixon compared first names of people in the breach with a list of the most common names based on their birth year. The distribution of names indicated the breach might be legitimate.

"It would be interesting to see further research in that area," Nixon said.

However, further investigation showed the credit card data was old, as the expiration dates of the cards had mostly passed, Nixon said. The data had merely been recycled and didn't really come from its purported source.

"There was no new breach," she said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Deloittesecuritydata breach

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?