Fake Europcar hack

At the end of January, alleged data from around 50 million Europcar customers was offered in an underground forum. Europcar reacted quickly and denied that it was a real file.

The data is neither consistent nor are the email addresses in particular known to Europcar. While Europcar suggested that this data was generated using generative AI (e.g. ChatGPT), other security researchers are of the opinion that no AI was at work here. What they all have in common, however, is the opinion that this data was generated by machines. The suspicion quickly arose in the forum that the data offered for sale was not authentic, which ultimately led to the seller being blocked in the forum. As interesting as the story may be at first glance, a look “behind the story” reveals other interesting aspects:

Honor among criminals

A narrative in the ransomware environment in recent years is the supposed “honor” of cybercriminals: if you pay for decryption, the criminals’ “honor” dictates that they also hand over the key. Only “honor” really isn’t the right word here. Handing over the key for a ransom has nothing to do with honor. It is simply the business instinct of criminals: if word got around that no key was given out despite payment, it would be damaging to business, i.e. pure self-interest and no “honor”.

The opinion that criminals don't cheat each other owes more to a glorified Robin Hood narrative than to the facts: in the case above, a criminal tried to cheat other criminals. One can only hope that there were no buyers yet. And just because buyers are barred from going through the official justice system doesn't mean that there aren't any consequences to be feared. In the past, similar actions have led to very unpleasant outcomes. “Doxing” (the virtual exposure of the fraudster by hacking the email account, publishing the real address, ID card scans, publishing references, etc.) is just the beginning. Doxing information is what you see in the forums. You don't see what a potentially deceived criminal does with this information in the real world... perhaps fortunately.

Do you know your data?

Perhaps the more interesting aspect from a defense perspective is Europcar's reaction. Europcar quickly and unambiguously stated that the data was not real. But the incident also shows that criminals do produce fake data - be it to sell it (as in this case) or to blackmail potential victims with it. And this is exactly where things get exciting. Imagine a company receives (e.g. after a ransomware incident) another blackmail message like “We have your data! Attached is an example. If you don’t want it to be published…”.

And now the crucial question: is the company able to check (in a timely manner) whether the data is real or not? The longer the decision-making process takes, the more nervous management can become. And this nervousness may increase the likelihood that payment will be made - simply to be on the safe side.

This leads to two important conclusions for the defense side. Firstly, the scenario of being blackmailed with (allegedly) stolen data must be included in the risk assessment. Secondly, risk-reducing measures or verification measures (processes, access rights, people) should be defined in advance. Otherwise, it can happen very quickly that, for example, the assigned incident response team cannot verify the data quickly enough because the databases are not technically accessible to them. Another aspect, especially when it comes to personal data, is certainly the GDPR. In such a case, how can you verify personal data without violating the GDPR?

Both are things that can be defined relatively easily *in advance*: in the event of an emergency, the corresponding process can then be carried out in an orderly manner. If the process is not defined, great chaos and panic often break out - with the effect that no timely statement can be made as to whether the data used for blackmail is genuine. This in turn increases the likelihood that the blackmailers will be paid.

Two tips

1) Prepare to be blackmailed with (allegedly) stolen data.
2) Define processes in advance that give incident responders quick (technical) and lawful read access to the relevant data in the event of an incident, so that they can verify the authenticity of a dump.
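As an added illustration of what such a prepared verification step can look like (example code, not from the original post or from Europcar's process): the incident response team receives an alleged dump, checks it for internal consistency (the kind of inconsistency that gave away the Europcar file) and compares its email addresses against the company's customer base. To keep the GDPR angle in view, the comparison is done on keyed hashes prepared by the data owner, so responders never read raw customer emails; the dump, the customer list and the key below are constructed sample values.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample of an alleged dump, as an extortionist might attach it (not real data).
ALLEGED_DUMP = """customer_id,email,country,phone
10001,anna.example@example.org,DE,+49 30 1234567
10002,bob.sample@example.net,FR,+49 1 2345678
10003,not-an-email,DE,+49 89 7654321
10001,carl.demo@example.com,IT,+39 06 1111111
"""

# Constructed stand-in for the real customer emails. In practice the data owner
# builds the fingerprint set once; responders only ever get the hashes.
KNOWN_EMAILS = ["anna.example@example.org", "zoe.none@example.org"]
PEPPER = b"assumed-secret-held-by-data-owner"  # assumption: rotated per incident

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_PREFIX = {"DE": "+49", "FR": "+33", "IT": "+39"}  # small constructed subset


def fingerprint(email: str, key: bytes = PEPPER) -> str:
    """Keyed hash of a normalised email, so comparisons never touch raw PII."""
    norm = email.strip().lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()


def build_reference(emails, key: bytes = PEPPER) -> set:
    """Data-owner side: the only artefact handed to the responders."""
    return {fingerprint(e, key) for e in emails}


def assess_dump(dump_text: str, reference: set) -> dict:
    """Responder side: consistency checks plus match rate against the reference set."""
    rows = list(csv.DictReader(io.StringIO(dump_text)))
    ids = [r["customer_id"] for r in rows]
    malformed = sum(1 for r in rows if not EMAIL_RE.match(r["email"]))
    inconsistent = sum(
        1 for r in rows
        if r["country"] in PHONE_PREFIX and not r["phone"].startswith(PHONE_PREFIX[r["country"]])
    )
    matched = sum(1 for r in rows if fingerprint(r["email"]) in reference)
    return {
        "rows": len(rows),
        "duplicate_ids": len(ids) - len(set(ids)),
        "malformed_emails": malformed,
        "inconsistent_phone": inconsistent,
        "matched": matched,
        "match_rate": matched / len(rows) if rows else 0.0,
    }
```

A near-zero match rate together with duplicate IDs, malformed addresses and country/phone mismatches is the pattern of a fabricated file; a high match rate is the signal that escalates the case to a real breach.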

More at TrendMicro.com
