Skip to main content

Ransomware Gangs New Blackmail Tactics: March 2023 Newsletter

Ransomware Gangs New Blackmail Tactics: March 2023 Newsletter

DeleteMe

March 28, 2023

Reading time: 4 minutes

In the March 2023 edition of our business privacy newsletter, you’ll find our take on:


Ransomware Gangs Resorting to Personal Blackmail Tactics to Compel Payment

Double Extortion’ ransomware tactics are not especially new. Company data is first exfiltrated and then encrypted, allowing criminals to demand payment for the return of data access or to refrain from public dumps of information (or both).  

What is new is that with ransomware payouts declining, criminal gangs are now often skipping encryption, focusing on stolen, sensitive individual data, and selectively leaking it to create public embarrassment, exposing target companies to litigation risk.

Our Take

Similar incidents have occurred, like with the Washington DC police force in 2021, where selected personal details about officers and informants were leaked in advance to try and compel rapid payout. With companies getting better at technical protection of systems from encryption, direct blackmail is likely to become more common; recent IT surveys indicate more than a third of breaches are now being followed by extortion of customers.


Congress Experiences Data Breach, Telecoms Under Siege

Personal data for over 56,000 Federal workers—including house representatives, staffers, and senate members—was stolen in a breach of DC Health Link services in early March. Investigators warned that the information included the social security numbers of some capitol employees, and the FBI has already arrested people believed connected to the public sale of the data.

Meanwhile, security firm Cyble estimates that more than 74 million U.S. telecom customers have already had their data leaked on the dark web in 2023.  T-Mobile, AT&T, and Verizon all acknowledged significant data losses in 2023, even as the White House recently appealed to the industry to take more robust measures against growing cybersecurity risks.

Our Take

Now that Congress has joined the rest of America in the daily reality of PII risk, we hope it might motivate some of them to advance stronger privacy regulations that limit data-breaking fallout finally.


ChatGPT Experiences First PII Leak Incident

On March 20th, the world’s most-popular chatbot, OpenAI’s ChatGPT, suffered its first data-breach incident, exposing names, email addresses, payment-related information, and chat history of ~1% of its users during a 9-hour window.   Since its launch in November 2022, ChatGPT has become one of the fastest-growing consumer apps in history, hitting 100 million unique monthly users in January alone.

Our Take

While the scope of the breach is small, it highlights potential privacy risks associated with the rapid adoption of any new technology and serves as a warning for future implementation of AI tech at scale without strong user safeguards built in from the outset.


Utah Bans Minors from Social Media; State Age-Verification Laws Proliferating

On March 23rd, Utah signed legislation that would impose strict restrictions on minors’ use of social media. A growing number of states have similar forms of ‘child-protection’ legislation currently in progress, some of which are close to passage.  

Most of these laws share a common requirement for online services—from social media like Instagram and Twitter to adult-content sites—to impose stricter processes for positively identifying users and verifying their age. No law specifies how online providers are supposed to accomplish this, and technical hurdles for doing so remain significant

Our Take

While branded as Child Privacy” laws, the framework would require millions of adults to share official identification documents or other sensitive personal information with various new 3rd parties. And, as the French Data Privacy Authority (CNIL) has pointed out, all current age-verification technologies are both easily-exploitable and vastly increase user data risks.  We share the Electronic Freedom Foundation’s view that the proposed ‘solution’ in this case is worse than the problem.

Check Out Our Latest Blog Posts


DeleteMe in the News


Upcoming Events

SHARE THIS ARTICLE
DeleteMe was created in 2010 when we realized the difficulty of navigating privacy issues in today’s interconnected and digital world. Our mission is to provide everyone with the power to control t…
DeleteMe was created in 2010 when we realized the difficulty of navigating privacy issues in today’s interconnected and digital world. Our mission is to provide everyone with the power to control t…
How does DeleteMe privacy protection work?
  1. Employees, Executives, and Board Members complete a quick signup
  2. DeleteMe scans for exposed personal information
    Opt-out and removal requests begin
  3. Initial privacy report shared and ongoing reporting initiated
  4. DeleteMe provides continuous privacy protection and service all year
Your employees’ personal data is on the web for the taking.

DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.

Want more privacy
news?

Join Incognito, our monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Is employee personal data creating risk for your business?

DeleteMe provides business solutions for the enterprise, public orgs and public interest groups.

Is employee personal data creating risk for your business?

DeleteMe provides business solutions for the enterprise, public orgs and public interest groups.

Related Posts

10 Ways to Reboot Your Privacy at Work

When personal data is out there on the open web it can lead to privacy and security incidents at work that open you—and your company—up to risk. Fo…
DeleteMe
October 3, 2022

Our 2022 Cybersecurity Excellence Award Speech: How We Started, Where We’re Going

We are excited to announce that DeleteMe was recognized (twice!) with 2022 Cybersecurity Excellence Awards, an annual competition honoring ind…
DeleteMe
February 10, 2022

The Time is Now to Limit Russian Hacker Access to Publicly Available PII

Although the launch of ContiLeaks and the information revealed there didn’t slow the Russian Hacker gang down, it did provide everyone here a…
Will Simonds
March 10, 2022