When Your Personal Data Is Stolen, You’re the Last to Know

It’s a process that’s become depressingly routine. First, hackers steal a trove of personal data. Later, you are told to change your passwords and monitor your accounts for unusual activity. But by then, the damage has probably already been done.

A recent example is Ticketmaster UK, which disclosed on June 27 that personal information and payment data had likely been stolen by hackers. The ticket seller blamed malicious software that had penetrated a customer support product. However, the announcement may have taken longer than it could have: The company was warned of a likely intrusion more than two months earlier.

Monzo, a digital bank, says it detected suspicious activity stemming from some Ticketmaster customers’ accounts as far back as April 6. The London-based firm says it met with Ticketmaster to disclose its findings on April 12. A few days later, the ticket seller said its investigation hadn’t turned up anything, even though Monzo was still discovering compromised cards.

“When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf,” a Ticketmaster spokesman said in an email. “In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.”

This kind of pattern is not unusual. Consumer credit company Equifax first disclosed its data breach on Sept. 7 2017, but says it discovered the unauthorized access on July 29. Personal data for about half of all Americans was compromised in that intrusion, which likely began in May 2017.

Sometimes intrusions aren’t detected immediately, and there can be a delay before the public is informed. When the world at large learns about big breaches like Equifax and Yahoo, which impacted a whopping 3 billion user accounts, it’s usually months or years after the data are stolen, said Shuman Ghosemajumder, chief technology officer at Shape Security. The information gleaned from these hacks is often used for “credential stuffing,” a type of cyber attack that uses purloined information for high-volume automated login requests.

Shape has observed high levels of credential stuffing even years before the large data breaches were made public, said Ghosemajumder, who previously served as “click-fraud czar” at Google. He said these surges were almost certainly linked to large breaches reported publicly much later.

Hackers are, of course, looking for money, whether that’s by taking over bank accounts or stealing credit card details. Cyber crime has a global impact worth more than $450 billion as criminal activities like fraud, blackmail, and extortion go digital. Financial firms are a key part of this struggle; banks, which spent $360 billion on IT costs in 2016, allocate three times as much as non-financial companies to cyber security.

“Cyber criminals are demonstrating a growing knowledge of our financial systems and the potential weaknesses,” according to an April report by accounting firm KPMG and UK Finance, an industry association. “There is a worrying trend towards more targeted attacks, with a growing knowledge of how these systems work.”

Fortunately, there are some signs that progress is being made in disrupting these attacks. In the UK, losses from payment card fraud fell 8% last year, to £566 million ($745 million), according to UK Finance(pdf), even as overall card spending increased 7%. Banks and card companies stopped £2 of every £3 in attempted fraud.

And though the Ticketmaster breach appears smaller than the massive intrusions at Yahoo and Equifax—the company says fewer than 5% of its global customers are affected—the delay in getting important information to consumers is similar. While the company is offering free identity monitoring for 12 months, experience suggests that this may already be too late to prevent most damage.

The EU’s new General Data Protection Regulation (GDPR) may start to change these dynamics, as organizations are required to report data breaches within 72 hours of finding out that they’ve been compromised. But how these rules will play out in practice remains to be seen. People outside of the EU, meanwhile, have fewer such regulations to ensure they’re informed when important information about them has been stolen.