There’s no such thing as a no-damage breach
Office supply retail giant Staples has informed some customers that their order data was accessed without permission, and hardware maker Razer has confirmed that it exposed customer email addresses, phone numbers, shipping and billing addresses and more online.
The two brand leaders are among the latest in an unending stream of organizations whose lapses in data security have put their customers at heightened risk of malicious cyberattack campaigns such as targeted phishing.
Many people will be relieved that "only names, email addresses and phone numbers" were exposed: their credit cards are safe and their transactions remain secret.
However, this is not the case. These pieces of PII still have value on the black market and can be used to gain access to other, and perhaps more sensitive, information. The combination of an email address and a telephone number, for example, is exactly what an attacker needs to begin an account takeover attempt: the email address identifies the accounts to target, and the phone number is the recovery channel for many of them.
To think it is not serious because no credit card information was stolen downplays the situation. Stolen credit cards can be canceled and fraudulent payments are usually covered by the card company. Email addresses and telephone numbers, by contrast, are likely to remain current for years, because people do not want to change their number or set up a new email address. That makes the stolen data more valuable, and for longer.
Moreover, many services use the mobile phone number as the password-recovery channel for an account, or as the second factor for two-factor authentication (2FA) by sending a one-time code via SMS. An attacker who holds both identifiers can trigger password resets against the email address and, if they can also intercept SMS (for example through a SIM swap), complete them. Consumers should be warned to watch for password reset emails or 2FA codes they did not request, since these indicate that someone is attempting to use the stolen data to gain access to other sites or applications, and to treat such messages as a reason to check those accounts rather than ignore them.
Additionally, as with every breach, these events certainly raise regulatory flags relating to customers in Europe or California, where GDPR and CCPA, respectively, may come into play.
It is about time that we stopped ranking personal data theft on perceived severity. Any breach in which personal data is stolen needs to be treated as highly serious and punishable. Maybe then organizations will be more careful about which databases they leave exposed for anyone to find.
Today, there’s no such thing as a breach where "no major damage is done."