One of the major knock-on effects of ransomware attacks is that of affected customers possibly becoming ‘pwned’. Getting pwned refers to an individual’s personal information being compromised in a data breach at an organisation where they are a customer (either currently or in the past).
Such information can then be used by hackers to target the individual with phishing or other types of attacks. Even when an organisation has the necessary backups to restore their systems and databases without paying any ransom, the leaked data is still out there for anyone with malintent to potentially use for criminal activities. In addition to phishing this can include anything from email spam lists to brute force attacks and fraudulent account creation with unauthorised billing, to mention just a few of the examples of how someone’s personal data can be abused.
An individual can check at any time to see if their personal data has been compromised by visiting the Haveibeenpwned.com website where the person can enter their various e-mail addresses (personal and work-related) to find out if they have been pwned. Most users who do these checks discover that they have in fact been pwned and some stage and the details of which organisations had data breaches resulting in their personal details being obtained are provided on the site. Users can also sign up to be notified if their email address appears in future dumps.
Dealing with being pwned as an individual and how organisations can prevent such data breaches were discussed in a very interesting webinar on both this topic and the topic of general vulnerability management presented by F-Secure’s Director of Vulnerability Management Teemu Myllykangas in November last year.