Does Crime Pay?

This week we saw jail terms announced for Matthew Hanley and Connor Allsopp who were complicit in the 2015 hack on the TalkTalk website.

In sentencing these criminal adversaries to paltry 12 and 8 month jail terms respectively – yes, by Christmas 2019 these two will be back out on the streets – Judge Dhir QC said “The total loss to TalkTalk as a result of this overall attack is estimated to be ￡77 million but the loss does not end there. Given the scale of the attack, the number of people whose confidential information was stolen and then passed on to others, I'm sure that your actions caused misery and distress to many thousands of the customers of TalkTalk.”

For me the impact has much wider and longer term ramifications than most people see.

PII data is stolen because it has intrinsic value: not against the company from where it was stolen but elsewhere, typically in the financial services ecosystem. As adversaries look to monetise the theft, they will use the data to create fake accounts (which can be used for Money Laundering), apply for lending products (credit cards, loans and mortgages which is money in their pocket) or to socially engineer the data subjects to gain access to both consumer and business accounts from where they can either launder or steal money.

This stable, well-funded criminal ecosystem is both based upon and dependent on this constant flow of PII data from reputable business – consider the recent incidents at British Airways and Vision Direct. Whilst this trend continues, those helping to prevent fraud and financial crime face an ever growing challenge.

Financial crime fighters know this data exists in the dark web and recognise it represents a significant risk however because the data itself doesn't really change, when presented it is incredibly difficult to ascertain and establish the true identity of the individual presenting the data: this is consistent whether the interaction is online, over the telephone or in branch.

Why is that? Consider this. When was the last time you changed your name or moved house? When did you change your date of birth? The fact is that as soon as this data is out there we are at risk and that has far reaching long term ramifications.

Records show 945 data breaches which led to 4.5 billion data records being compromised worldwide in the first half of 2018.

Compared to the same period in 2017, the number of lost, stolen or compromised records increased by a staggering 133 %, though the total number of breaches slightly decreased over the same period, signalling an increase in the severity of each incident.

A total of six social media breaches, including the Cambridge Analytica-Facebook incident, accounted for over 56% of total records compromised.

Of the 945 data breaches, 189 (20%) had an unknown or unaccounted number of compromised data records.

As individuals the perceived lack of security at reputable companies puts our data at risk every day whilst as financial crime fighters it makes the job we do harder and more complicated. We facing motivated and committed individuals set on manipulating and stealing from the financial services system and it is our collective responsibility to educate and enlighten our community into the different attack vectors and how we can help them moving forward to reduce the overall impact of financial crime.

The fight will not be short nor will it be easy but unless we remain focused and committed, it will continue to the detriment of society as a whole.

Feel the crime. Shape the fight.