Countdown to Ruin: Hacked Data Goes Public in As Little as Nine Minutes

How quickly do you think you can cancel your credit card in the event of a hack? In the time it takes you to reach the automated number and enter the right sequence of numbers and options, it may be too late.

Image: Max Pixel

According to a new alert from US-CERT (the Computer Emergency Readiness Team of the U.S Department of Homeland Security), nine minutes is all it takes for your compromised personal information to be widely accessible and for sale to the hacker universe, and for criminals to start trying to use your stolen information. If that information includes usernames and passwords that you use for multiple sites, are you confident that you could change the passwords to all those sites in under nine minutes? Chances are, you won’t even know your information has been hacked in the first nine minutes following the hack.

Your personal information, once hacked, is typically posted online in hacker forums and paste sites such as Pastebin. There, the data is quickly accessed by other criminals in as little as nine minutes, according to FTC researchers who conducted an experiment to track attempts to use stolen information.

Your account information by itself may be worth as little as $2, but it may be very valuable to criminals who can exploit the stolen information while it is still valid. And your information might be packaged with other compromised information in baskets of stolen data for sale – like an Amazon or eBay for hacked data – but accessible to criminals using specialized browsers such as Tor.

To mitigate the risk of identity theft, the FTC recommends using multi-factor authentication where feasible. Passwords are a typical form of single-factor authentication. Multi-factor authentication requires one or more additional pieces of information, such as a PIN or one-time code, to verify your identity. This also makes it more difficult for someone who has stolen your username and password to monetize or use that information effectively – because they do not have all the necessary pieces to be able to get into your account.

Latest Content

Schedule 13D/13F Clarity on ETF Issues

Do I need to file a 13D or 13G if my client accounts hold in excess of 5% of an ETF? Generally, no. The SEC has granted no-action relief to ETFs with respect to compliance with Section 13(d) of the Securities Exchange Act. Section 13(d) was designed to require disclosure when holders begin to accumulate … Continued

New Remedy Coming for SEC’s Custody Rule?

The SEC’s Custody Rule continues to be a common source of confusion and a landmine for noncompliance. Custodial paperwork has caused huge headaches for investment advisers, who are not a party to the agreement and may not even have a copy of the custodial new account paperwork. The issue with existing guidance is that it … Continued

SEC Issues MiFID II No-Action Relief

Some industry anxiety was assuaged on October 26 with three no-action letters that offer relief for some US regulated broker-dealers and investment advisers regarding European MiFID II regulations. The letters followed consultation with the European authorities, and are designed to address concerns that investors could lose access to valuable research. MiFID II is a series of regulations … Continued

Regulatory Changes Impacting RICs and Service Providers

A year ago, the SEC adopted Investment Company Reporting Modernization Rules and Forms, as well as rules pertaining to liquidity risk management programs and swing pricing. New forms N-Port and N-Cen along with amendments to Regulation S-X significantly change the current reporting regime for most registered investment companies (RICs) because they require more comprehensive disclosure and … Continued

Publicly Available Information Heightens Need for Cybersecurity Vigilance

For any business, “ports” that allow for communication generally need to be open (for example, ports 80 and 443 for websites, and port 500 for VPN access). While most of these ports allow you to engage in critical functions, there are often ports that remain open despite being unneeded or unused. These available ports present … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.