To steal people's identities or commit credit card fraud, cybercriminals need a password, credit card or Social Security number, says Rasmussen. If they have people's email addresses, they can sometimes obtain that more sensitive data by sending phishing emails or distributing malware via email, says Sjouwerman. Some malware installs key-logging software that records victims' usernames and passwords when they log on to their various online accounts, he says. If one of those accounts is a bank account, cybercriminals can quickly empty it.
If cybercriminals get only the last four digits of your credit or debit card, they may be able to use them to reset your password on an ecommerce site, says Rasmussen. Some companies use the last four digits of customers' credit cards as a PIN code, and they may ask for it if you need to reset your password, he says. So cybercriminals may use it to reset your password so that they can make purchases using your account. But more likely, adds Rasmussen, "They'll sell that information to someone else who will do some other attack."
When an organization gets hacked, how long does it take before cybercriminals start exploiting the information they obtain?
It depends on the criminal and the information they obtained, says Rasmussen. If credit card numbers are involved, fraudsters will start using that information immediately, he notes. Cybercriminals who use emails for phishing schemes may also act quickly. To trick more people into downloading malware onto their computers or giving out sensitive information, cybercriminals may send a fake breach disclosure notification before the company that was hacked sends out its own disclosure notice, says Sjouwerman. The fake notification asks victims to reset their passwords on a website that looks real but is, in fact, fake.
That's why it's critical for organizations whose customer information has been compromised in a breach to send notifications as soon as they know what happened and who was affected, says Rasmussen. He notes that the European Union is considering a law that would require companies to notify customers of breaches within 24 hours.
What's the risk to consumers when cybercriminals get this information?
If your email address was compromised in a security breach, you can expect more spam, phishing emails and malware sent via email. The malware could allow cybercriminals to take control of your computer so that it becomes part of a botnet, says Sjouwerman. It could allow them to activate the webcam or microphone on your computer so that they can spy on you. It could download key-logging software onto your PC so that the criminals can record your passwords and/or financial information, he adds.