How to figure out if a data breach is a hoax

Deloitte has published ways to figure out if an organization has really been breached

The notoriety that comes with taking credit for a data breach is alluring. Declaring a successful data breach can suddenly bring a lot of attention, which is why posting bogus data is attractive.

For companies and organisations, it's a real headache, since an allegation of a breach can immediately pose public relations challenges.

"The speed of the news cycle is a lot faster than the speed of the incident response process," said Allison Nixon, a threat researcher with consultancy Deloitte.

Nixon wrote a paper describing some non-intrusive techniques for figuring out if a data breach is legitimate. The paper, she said in a phone interview on Wednesday, is intended to allow third parties to get a sense whether a leak is real.

Bogus data releases, or ones that recycle data from old breaches, are common. Since data breaches draw attention, it's easy for fame-seekers to insert a political message along with the data on sites such as Pastebin, a site for anonymously posting content.

"I would say that the motivations are really based on power, ego and fame," Nixon said. "The people that are releasing these leaks -- most of them are doing so under a handle, and they're trying to build a reputation.

"If you're unable to produce a real data breach, then I guess this is the next best thing," she said.

One of the verification techniques is figuring out if a particular email address really was used to register an account with a Web service. Some sites won't allow two accounts to be registered with the same email address.

"If the company does enforce e-mail uniqueness, the veracity of the leak can be tested by changing an account's e-mail to randomly selected e-mails in the leak," according to the paper. "Almost all e-mails should be traceable to the company's site; untraceable emails indicate that the leak is very likely fake."

Other Web services will also "leak" a bit of information, such as whether a username exists or not, which can also indicate if the published data is a true leak.

Nixon cautioned that it is not recommended to try the purportedly leaked username and password combinations to log in to a Web service. That could have legal ramifications.

"The techniques compiled in this paper were done so with the idea of causing minimal impact and causing minimal legal problems," Nixon said.

In other cases, just looking at username and password combinations and the service that the details purportedly came from can send up a red flag.

For example, websites that have restrictions on what types of passwords are acceptable can help to debunk a breach. If the results from a supposed breach contain simple passwords such as "123456" on a website that requires stronger passwords, "the leak should be treated with suspicion," the paper said.

Nixon said she came up with an idea for another test that might indicate a breach is real.

One leak she analyzed consisted of credit card data. She thought the data was fake because it was potentially valuable in the underground. It didn't make sense for someone to freely publish the data if it had value.

To test it, Nixon compared first names of people in the breach with a list of the most common names based on their birth year. The distribution of names indicated the breach might be legitimate.

"It would be interesting to see further research in that area," Nixon said.

However, further investigation showed the credit card data was old, as the expiration dates of the cards had mostly passed, Nixon said. The data had merely been recycled and didn't really come from its purported source.

"There was no new breach," she said.
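Two of the offline checks described above (the password-policy test and the expired-card test) as an added example; this is illustrative code written for this article, not Nixon's paper or Deloitte's tooling, and the sample dump, the policy rules and the "today" date are constructed assumptions.

```python
import re

# Constructed sample dump for the demo, not data from the article or the paper.
SAMPLE_CREDS = """\
alice@example.com:Tr0ub4dor&3
bob@example.com:123456
carol@example.com:password
dave@example.com:correct-horse-battery
"""
SAMPLE_CARDS = """\
4111111111111111,03/12
5500000000000004,11/13
4000000000000002,09/19
"""

def parse_credentials(text):
    """Yield (email, password) from 'email:password' lines, skipping malformed ones."""
    for line in text.splitlines():
        if ":" in line:
            email, pw = line.split(":", 1)
            yield email.strip(), pw

def violates_policy(pw, min_len=8, need_digit=True, need_upper=True):
    """True if the site's claimed password policy (assumed here) could never have accepted pw."""
    return (len(pw) < min_len
            or (need_digit and not re.search(r"\d", pw))
            or (need_upper and not re.search(r"[A-Z]", pw)))

def policy_violation_rate(text, **policy):
    """Fraction of leaked passwords that break the claimed policy."""
    rows = list(parse_credentials(text))
    if not rows:
        return 0.0
    return sum(violates_policy(pw, **policy) for _, pw in rows) / len(rows)

def expired_card_rate(text, year, month):
    """Fraction of 'PAN,MM/YY' rows whose expiry month is already past."""
    expiries = [row.split(",")[1].strip().split("/") for row in text.splitlines() if "," in row]
    if not expiries:
        return 0.0
    # a card is valid through its expiry month, so compare (year, month) tuples
    expired = sum((2000 + int(yy), int(mm)) < (year, month) for mm, yy in expiries)
    return expired / len(expiries)

def assess(cred_text, card_text, year, month, **policy):
    """Red flags a third party can raise offline, without touching the site."""
    flags = []
    if policy_violation_rate(cred_text, **policy) > 0.5:
        flags.append("passwords violate the site's stated policy")
    if expired_card_rate(card_text, year, month) > 0.5:
        flags.append("most cards already expired: likely recycled data")
    return flags
```

Neither check proves a leak is fake on its own; a high rate on either is the "treat with suspicion" signal the paper describes, to be weighed alongside the other tests.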

Send news tips and comments to Follow me on Twitter: @jeremy_kirk
