Countering Identity Takeover Incidents

Tara Kissoon
Author: Tara Kissoon, CISA, CISSP, LLQP, CEO-Director
Date Published: 5 March 2024

Stories like these are crippling and cause significant risks to organizations: “Met Police Officers at Risk After Serious Data Breach. London's Metropolitan Police Service is investigating a serious data breach that may have exposed names, ranks and photographs for potentially all 47,000 personnel. One concern with the breach is that undercover officers' identities may have been exposed.”

When an organization is attacked through a breach of information security controls, the law requires the organization to notify individuals that their personal identifiable information (PII) has been exposed. This represents a privacy risk and may cause significant harm to the individual.

When accessed data is transferred to unauthorized individuals for the purpose of fostering criminal activity, the personal identifiable data elements become extremely important. Criminals harvest and sell this information on areas of the internet known as the dark/deep web, to propagate further criminal activity. This is within this realm of the internet that data is repurposed to create identification for sale and reuse. 

Although the identification is used by a fraudster, the information used to create the ID (i.e. passport, drivers license, citizenship card, credit/debit card) is real and attached to a known individual within society. Creation of these types of identifications allow fraudsters to impersonate the individual and use their personal identified information to conduct criminal activity. 

In most cases, this is known as identity fraud and the rightful owner of the personal identifiable information is unaware that their information is being repurposed for reuse to support criminal activity. Usually, the individual eventually becomes aware through banking, credit, government or employment relationships. At the time an individual becomes aware that their data is accessed, it does not necessarily indicate that their data has been repurposed for criminal activity. 

There are many government organizations that provide information to an individual at the time a privacy incident is communicated to the victim, in which their personal identifiable information has been exposed. For example, the Office of the Privacy Commissioner in Canada and Federal Trade Commission in the US provide guidance and checklists as to the necessary steps required to ensure that the compromised individual remains intact and accessed PII is flagged in critical systems (i.e., government, financial, banking, etc.), with police reports filed in impacted jurisdictions to support prosecution of the criminal.

This is the primary reason why funding secure measures in organizations is important to protect organizations from data and privacy breaches that result in this type of impact to citizens. Business executives recognize the need to implement secure measures to address various privacy laws, regulations and industry standards to protect their organization from external and internal attacks (i.e., unauthorized users, malicious code, network/application layer attacks).

Here are some other areas that are important to consider in the context of protecting identities:

Digital Privacy

Digital privacy is the practice of protecting information that is accessible on the internet and facilitates mechanisms of using this information in a secure manner, without leaking or compromising the information. Digital privacy is inclusive of protection of an individual’s data that is created, accessed, collected and disclosed through electronic means. Throughout the years, use of the internet has transformed the way an individual manages their information, with rapid accessibility by unknown third parties. 

Data Protection

Data protection laws were put in place to protect the PII of citizens in response to technological and societal changes. The law requires organizations to notify individuals that their PII has been exposed at the time an executive uncovers that their organization has experienced a breach of information security controls: “1) compromised electronic information systems, 2) theft, 3) transmission errors, 4) social engineering, 5) phishing, 6) failure to secure, and 7) accident publication of personal information. It has a privacy risk and may cause significant harm to the individual”.

One of the most important data protection legislations enacted to date is the European Union’s (EU) General Data Protection Regulation (GDPR). Currently, there are more than 120 countries that have enacted legislation to secure the protection of data and privacy.

The GDPR, implemented in May 2018, brought data protection into the public and is considered a landmark privacy law with the introduction of new rights for individuals, such as the Right to be Forgotten and the Right to Portability. GDPR encompasses 10 key areas that apply to data protection. Within the scope of this regulation, there are three specific requirements that were taken into account when designing the Cybersecurity Risk Management Framework (published in Optimal Spending on Cybersecurity Measures) that is used to facilitate business-driven risk assessments: 1) personal data breaches, 2) privacy by design, and 3) data protection impact assessment.

Optimal Spending on Cybersecurity Measures

The book Optimal Spending on Cybersecurity Measures: Risk Management discusses the cybersecurity risk management process that facilitates business-driven risk assessments to meet current regulations and industry standards. There are eight case studies that are based on completion of business-driven risk assessments in a university setting.

Within the book, Optimal Spending on Cybersecurity Measures: DevOps, the Cybersecurity Risk Management Framework is shown through a case study methodology with the elements necessary to create a defensible way of assessing risk, with the implementation of adequate internal controls to ensure the protection of data and privacy as required by law. In addition, the framework provides the elements necessary to make sure secure measures are in place to address the potential exposure of PII and personal health information (PHI).

Editor’s note:Tara will be providing additional insights on this topic at ISACA Conference North America 2024, to take place 8-10 May in Phoenix, Arizona, USA, during her session “Identity Takeover – From the Lens of the Victim.”

Additional resources