The right customer data, in the right hands, can have a transformative impact on businesses. But in the wrong hands, the same sensitive information can be leveraged by bad actors and cybercriminals with catastrophic and increasingly costly outcomes.
“If you think about what bad guys are doing, they are putting together a picture of us — and using that information to figure out new ways to trick us,” Bryan Lewis, CEO at Intellicheck, told PYMNTS’ CEO Karen Webster.
That’s why, with recent data breaches such the one affecting over 100 million AT&T customers, understanding what criminals can construe from stolen data, as well as embracing best practices for protecting sensitive information, is now table stakes for businesses.
As Lewis explained, call logs, while not containing direct personally identifiable information (PII), can reveal a vast amount of data about an individual’s network, habits and daily routines.
“They know who you called, how long you spoke to them, how often you pick them up, how often you texted them. So, they know your network,” he said.
And this information can be pieced together to create a detailed picture of an individual’s life — along with its strike surfaces — by gathering and combining publicly available data, breached data, and data from other sources.
In the age of digital communication, our mobile phones have become more than just connected devices; they are repositories of our personal lives. By analyzing call logs, criminals can map out a person’s social network, identifying close contacts, family members, and frequent associates.
Lewis drew a parallel between the motive behind the AT&T breach and the game of Clue, noting that by assembling various pieces of data, “asking questions,” cybercriminals can identify and exploit vulnerabilities, leading to sophisticated social engineering attacks.
The fact that AT&T delayed in disclosing the breach not only undermined consumer trust, he added, but also gave attackers a head start in exploiting the stolen data.
One particularly alarming trend is the use of artificial intelligence (AI) to fraudulently clone and mimic voices. As Lewis explained, with access to call logs, attackers can identify close contacts and use AI-generated voices to deceive victims, making these schemes alarmingly effective.
“Criminals are using AI to call someone in a family and say, ‘Oh no, I’ve been arrested and I need $5,000,” he said. “That causes a problem not only to me, but to people that I am close to or care about.”
Read more: AT&T Breach Demands Vigilance as Fraudsters Leverage ID Data, Says Intellicheck’s Lewis
Because many fraudsters are ultimately after an easy target, effective data security is paramount for maintaining customer trust and ensuring business growth.
“What I recommend to everybody, again, the same simple stuff: change all your passwords all the time,” Lewis said, stressing also that continuous employee training and rigorous security audits are crucial in preventing breaches.
“It’s the data and security audits that you go through, and that our banking clients put us through,” he added.
The AT&T hack itself was the result of a breach at a third-party provider that was storing their data. That’s why prioritizing cybersecurity should extend to those third-party business relationships, too.
Consumers are becoming resigned to the frequency of data breaches, resulting in a growing mistrust of businesses. This can impact both future consumer behavior and business operations, as customers fail to do certain things they used to do because they’re afraid of providing information.
As Lewis explained, the path forward rests upon the twin pillars of trust and verification.
“Companies are understanding that 20-30% of people will say, ‘I’m moving my business away from you if you have compromised my data,’” he said, noting that the demand for secure transactions and proof of identity is rising, compelling businesses to adopt more stringent measures.
And against this backdrop, the reliability of government-issued IDs remains paramount in establishing trust and authenticity.
“How do you check each and every time that somebody is real, with an easily provable way that doesn’t make them feel like a criminal? It all goes back to the government-issued ID as the ultimate source,” Lewis said.