“It’s Sort Of A Fog Of War”: An Expert Talks About Tulsans’ Data Theft
About 18,000 documents from the city of Tulsa have been released on the dark web after a ransomware attack on city systems in May. Some of the documents contained personal information.
The city said initially no personal data was compromised. However, the group responsible for the attack, Conti, has a history of threatening to release sensitive personal information. Conti notes published on the web declare data will be posted if the hackers are ignored.
KWGS’s Elizabeth Caldwell spoke to University of Tulsa's Tandy Professor of Cyber Security Tyler Moore about whether or not the city knew personal data was in the hands of hackers, and what people do with personal information posted on the dark web.
The below transcript has been edited for clarity.
Elizabeth Caldwell: Okay. So we're talking about the ransomware attack again.
And one thing that I've really been interested in is how likely is it that the city knew the hackers had personal data from the start of the attack?
Tyler Moore: Well, whenever there's a cyber attack, it's sort of a fog of war situation. You may have an indicator that your networks have been breached. Maybe somebody tells you, and then you're trying to scramble to figure out what needs to be done.
And so it's entirely plausible that the city found they were hacked, took precautions to take systems offline, and felt like most likely they got ahead of the problem. It sounds like we now know they didn't because this personal information has been posted.
It's really hard to know if someone has access to your data or not. It's pretty common to only figure out later on that someone gained access to your data. So we shouldn't be surprised there.
There are some surprises, though, in that typically the way ransomware works is the criminals get your data, and then they try to tell you they have it. So here there seems to have been some kind of communication breakdown.
So either the criminals were unable to find someone at the city to tell them that they had their data and wanted money, or maybe they only did that after the city had already taken precautions. And so they thought they were safe.
But in the end, the data's out there. So it turns out we have a fairly serious situation in front of us.
EC: Yeah. So you're taking the generous view of the release of the data that they didn't know, or it's confusing and there's a lot of parts to it.
So it's on the dark web, which I have a faint understanding of what that is, but for people who stay on the "clear web," I guess, can you explain those terms?
TM: Sure. Well, the dark web is kind of a term for places where cyber-criminals tend to congregate and they will do it in a way that is somewhat hidden from view.
So it could be using something called a Tor hidden service, which enables only anonymous access to this information. It could also just be that this is a website that is password protected. You have to be vetted to get into that forum.
But what's really going on is cyber criminals are stealing data all the time and they have to communicate over the internet. They communicate on these dark web forums and if you've acquired some personal data, your first step might be to go to the victim and try to sell that data. But if that doesn't work, you go to the dark web and try to sell it to somebody else and monetize it that way.
And so this is sort of a bazaar where buyers and sellers of stolen data meet.
EC: So you said that they try to sell your data back to you, is that what they do with it?
TM: No, no. The sale is between criminals, right? So what you have is, say one criminal has managed to obtain access to personal information of say, citizens of Tulsa. They will then sell that to other criminals who can then try to monetize it themselves.
So some people specialize on the dark web in obtaining compromised information, while other people specialize in taking personal information and then making money off of it.
So if you're an identity thief, you might want to buy a big database of stolen personal records that you can then use to take out new credit applications or make money in some other way. So you're willing to pay in order to gain access to that.
EC: Right. But so it depends on the kind of information that's out there for what they're going to do with it.
TM: Exactly. And so, you know, social security numbers are highly valuable because if you have social security numbers, and a name, and date of birth, then it's very straightforward to do identity theft because you can take out mortgages and all kinds of things in peoples' names.
If you only have the name and date of birth, it's a little harder. It's still valuable, but maybe a little less so. If you have credit card numbers, those fetch a different price. The value of the information depends upon how easily it can be monetized.
EC: Right. Okay. So just how would a name and date of birth be valuable?
TM: There are a few ways, I mean, it's definitely less valuable than when you have the social security number, but...
EC: That’s stuff you can get on Facebook, you could get that on Facebook.
TM: Well, I mean, I certainly don't share my birthday on Facebook.
Each additional piece of information adds value. Just knowing your name? Not super useful. Name and date of birth is a bit more valuable because then it's sometimes used to confirm your identity. Name, date of birth and home address is also even more valuable because you have more pieces of information that corroborate themselves, which make it easier to say reset an online account you have at your bank, reset that password, or you know, impersonate someone.
So if you know that this person has a bank account or credit card account, you could now interact with that service and say, pretend to be that person and reset the account. And they will ask for things like your date of birth and verifying your home address. It's useful for schemes like that.
EC: Okay. That's scary. So let's say I'm a Tulsan who recently filed a police report, or I guess it would be since May or before. What would I look out for, or what do I really need to know?
TM: So I think what you should do essentially is be on the lookout for email notifications that say we've reset your password, or here is the link to reset your password.
You know, whenever you forget information you go through that process and there's typically an email sent to the account of record. So if that starts happening, contact the the service provider by phone to make sure that nothing's going on.
The other thing to consider is freezing your credit. That's a bit more onerous. It doesn't cost anything anymore, but it can be useful to prevent identity theft.
For instance, my credit is frozen. So even though people might know my name and social security number on the dark web, they're not going to be able to open a fraudulent account in my name.
So it's possible some people should consider going to one of the three credit bureaus, Equifax, TransUnion, and Experian, and requesting a freeze. You can also place a security alert, which is a little easier to do and allows you to still open new credit, but it's not quite as strong of a protection as far as freezing the credit itself.
EC: Yeah. But probably not everybody needs to do this. Just people who have...but, oh, I don't know.
TM: I mean, generally speaking, I think it's good practice. I mean, I don't believe my information is contained in a police report recently, but, you know, my credit is frozen.
It certainly makes it harder for people to carry out attacks. And I think if you have the time and means it's something worth doing.
EC: They might have more files too, right? Is that a possibility?
TM: Absolutely. It's impossible to know when a criminal actor has gained access to personal information because all they've done is been able to read the data. It's still there. It doesn't go away.
So you see your data, everything looks fine. It's really impossible to determine whether or not someone has gained read access to that data who shouldn't have. We found out here because companies and organizations monitor the dark web.
And so the criminals decided they were going to offer this information for sale. The only information that's been observed on the dark web for sale for city of Tulsa residents has been related to police reports. But we don't know if there are more data out there that could be released at a later date.
EC: Right. I mean, well, I don't want to speculate too much, but they could even send another note and be like, well, we did it now. We might do more. That seems like effective ransoming.
TM: Yeah, yeah, of course. It is not uncommon to see repeat ransom attempts on the same victim.
This happens whether or not you pay actually. Sometimes when the victims do pay, then the criminals come back for more and say, well, actually you need to keep paying or we're going to release this other data. So it's not a good situation to be in.
EC: No. I feel people are a bit complacent because we hear about it all the time. Like Facebook is doing it, but people still use Facebook. How is this different?
TM: Well, what's different is that Facebook is a US company that acts as a steward of your data and only uses it in a way that is authorized by you.
So, sure, Facebook knows your personal information and they might use it to show you different advertisements. But Facebook employees are not going to take your data and commit identity theft.
The difference is when your data gets in the hands of cybercriminals, it's more likely to be monetized for some nefarious end that will cause you harm.
EC: What can you tell about this group? So they're saying that it's Conti, is there anything particular or special about them?
First of all, is this a group or is it a software? That's been something that I've been trying to figure out.
TM: So these names change all the time. We know that DarkSide was the name of the organization behind the Colonial ransomware. They got a lot of bad press, so now they have a different name. It's not Conti, but you know, these names are always evolving.
I don't put too much stock and tracking one name or the other. Sometimes the names are actually chosen for convenience by the security companies who are tracking them.
We don't know much about this group except it's yet another group that's trying to conduct ransomware attacks and make money where they can.
So first they go to the victim. If the victim won't pay up, then they find other ways to make money like selling it.
EC: So, well, I guess one last one. How can we - I think we covered this last time, but always good to wrap up - how can we stop this? Like "normal people," you know, me and you, or people listening to this, what can we do to help?
TM: I think the, the most actionable thing you can do is to take a look at your own security hygiene, right? Make sure that you have strong passwords, you know, consider a password manager.
And especially for this particular threat, consider freezing your credit, go to go to the credit bureaus. The nice thing about that is, you know, we never know when someone's going to try to file a credit report in your name, or try to get new credit in your name. But once the credit is frozen, then you have nothing to worry about. It's only when you sort of decide you need to apply for new credit that you take the control, you unfreeze the credit and apply. It's the single best way to really deter identity theft.
We really cannot control the release of our personal information. Our data, our personal information is in the hands of many third parties. And they're doing their best to protect the data, but it's inevitable that it's going to get breached. So all you can do is be resilient to and respond and protect yourself accordingly.