The other sextortion: Data breach extortion and how to spot it
Sextortion is a serious crime that has negatively impacted thousands worldwide with an estimated 10,000 or more currently at risk. While this crime has garnered some headlines, there is a different type of sextortion that has been plaguing the cyber world — that of data breach extortion.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
What are sextortion and data breach extortion?
Sextortion refers to a crime that involves an abuse of power through coercion, and this coercion is sexual in nature. The criminals may demand nude photographs or some other kind of sexual act in exchange for not violating the victim’s privacy. This catastrophically impacts the lives of victims and can have far-reaching emotional consequences for the victim.
Data breach extortion is the other type of sextortion that falls within the realm of information security. It is when cybercriminals claim that they have exfiltrated sensitive data from the victim, typically an organization, and demand that a payment is made to them in exchange for them not leaking the information to the public. This payment is normally made in bitcoin and the payment demand can range from $1,000 to $3,000 worth of bitcoin.
Cybercriminals engaging in data breach extortion are following in the footsteps of ransomware that I wrote about a couple of years back called Maze. The functionality of Maze was a departure from other ransomware where ransomware up until that point was encrypting the victim’s data and then demanding a ransom to decrypt the data. Maze added another action to this list: exfiltration. And they were not exfiltrating mundane information available to the public. Instead, they were exfiltrating sensitive organization information that would damage the reputation of the organization.
Is data breach extortion a crime?
Yes. Both of these are serious crimes and the FBI as well as local and state law enforcement are not only aware of these crimes, but they actively investigate, arrest and prosecute those that engage in them.
What to do if data breach extortion happens to you
The unfortunate thing is that data breach extortion can happen to any organization. The good thing is you can disarm the strongest weapon in the hands of data breach extortion attackers, which is their ability to throw deception into the mix. When cybercriminals threaten data breach extortion they operate based upon the premise that they have exfiltrated your data and the key to this working is your belief that this data has been exfiltrated.
The unfortunate thing for would-be cyberattackers is that you can spot whether the data breach extortion attempt is legitimate without having to rely on the attacker’s claims. Organizations that have an IT department or even a sole IT/information security professional can determine if data has been exfiltrated. They would have to conduct a forensic audit of the network and databases that would have been impacted by this exfiltration without difficulty.
How to deal with Facebook sextortion
Of the sextortion cases that bleed into the realm of information security, Facebook is a platform that has been hit especially hard with sextortion. Remember, if this happens to you, you do not have to give in to their demands. Please visit the Facebook Stop Sextortion hub here if you believe you may be facing Facebook sextortion yourself.
Do data breach extortionists follow through on their threats?
There is no clear answer whether the extortionists will make good on their threats. If we are talking about the first data breach extortion in its early days, such as in the heyday of Maze in 2019. Maze was known for making good on their threats of releasing the sensitive organizational information of their victims and the attack group made millions in bitcoin from organizations that paid up the extortion.
Data breach extortionists that have followed in the footsteps of Maze have operated less on actual data exfiltration and more on deception. Where Maze would actually exfiltrate sensitive organizational data, current data breach extortionists may be just pulling your proverbial chain. This claim would read something like, “Please forward this email to someone in your company who is allow to make important decisions! We have hacked your website and extracted your databases.”
As scary as that may sound (and not I am not talking from a grammar perspective), you can prove whether this actually occurred with a fairly basic audit of your network and systems. Once you have determined that this exfiltration has not occurred, you will be in a strong position when it comes to the next steps in dealing with the data breach extortionists. Remember, if they don’t have your data, they cannot damage your organization’s reputation.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
What to do when faced with data breach extortion and sextortion
Sextortion is a crime where, instead of demanding money, criminals demand something sexual in nature, such as sexual images of yourself or possibly even acts. Data breach extortion is the other sextortion, so to speak, where cybercriminals claim that they have exfiltrated sensitive information about your organization and will damage your reputation unless you pay up in bitcoin. Remember, unless you are dealing with the Maze attack group, chances are that your data has not been exfiltrated, thus taking the wind out of the attacker’s sails. This will have to be confirmed by your IT department to see if your data has actually been exfiltrated.
Sources:
Maze Ransomware, InfoSec
Data Breach Extortion Campaign Relies on Ransomware Fear, Data Breach Today
In this Series
- The other sextortion: Data breach extortion and how to spot it
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness