February 28, 2024

Fake Data Breaches: Why They Matter and 12 Ways to Deal with Them

Vitaly Simonovich

As a Chief Information Security Officer (CISO), you have the enormous responsibility to safeguard your organization’s data. If you’re like most CISOs, your worst fear is receiving a phone call in the middle of the night from one of your information security team members informing you that the company’s data is being sold on popular hacking forums.

This is what happened recently with Europcar, part of the Europcar Mobility Group and a leading car and light commercial vehicle rental company. The company found that nearly 50 million customer records were for sale on the dark web. Stranger still, after a quick investigation the company found that the data being sold was fake. A relief, no doubt, but even fake data should be a concern for CISOs. Here’s why, and what companies can do to protect themselves.

A screenshot from an online hacking forum indicating a data breach at Europcar.com, with a user named “lean” offering personal data from 50 million users for sale.

Why Care About Fake Data?

The main reason for selling fake data from a “breach” is to make money, often in ways that have nothing to do with the target enterprise. But even when attackers are profiting in a way that doesn’t seem to harm the enterprise, CISOs need to be concerned, because attackers may have other reasons for their actions, such as:

  1. Distraction and Misdirection: By selling fake data, threat actors could attempt to distract the company’s security team. While the team is busy verifying the authenticity of the data, the attackers might be conducting a more severe and real attack elsewhere in the system.
  2. Testing the Waters: Sometimes, fake data breaches can be a way for hackers to gauge the response time and protocols of a company’s security team. This can provide them valuable insights into the company’s defenses and preparedness, which they could exploit in future, more severe attacks.
  3. Building a Reputation: Reputation is highly esteemed in hacker communities, earned through past successes and the perceived value of the information offered. While some may use fabricated data to gain notoriety, the risk of being caught and subsequently ostracized is significant. Maintaining a reputable standing requires legitimate skills and access to authentic information.
  4. Damaging the Company’s Reputation: Selling fake data can also be a tactic to undermine trust in a company. Even if the data is eventually revealed to be bogus, the initial news of a breach can damage the company’s reputation and erode customer confidence.
  5. Market Manipulation: In cases where the company is publicly traded, news of a data breach (even a fake one) can impact stock prices. This can be exploited by threat actors looking to manipulate the market for financial gain.

How are threat actors generating fake data?

Fake data is routinely used in software development, for example when an engineer needs realistic-looking test records to exercise an application’s API and check that it works.

There are multiple ways to generate such data, from websites like https://generatedata.com/ to Python libraries like Faker (https://faker.readthedocs.io/en/master/index.html).

But to make the data “feel” real and tailored to the target company, hackers are using LLMs like ChatGPT or Claude to generate more convincing datasets, for example by matching the company’s email address format.

More professional attackers will first perform reconnaissance on the company. The threat actor can then feed that information to the LLM and generate realistic-looking, personalized data based on the reconnaissance. The use of LLMs makes the process much easier and more accurate. Here is a simple example:

A screenshot of ChatGPT displaying an example of creating fake company data using information from reconnaissance.


What can you do in such a situation?

In the evolving landscape of cyber threats, CISOs must equip their teams with a multi-faceted approach to tackle fake data breaches effectively. This approach encompasses not just technical measures but also organizational preparedness, staff awareness, legal strategies, and communication policies. By adopting a holistic strategy that covers these diverse aspects, companies can ensure a rapid and coordinated response to both real and fake data breaches, safeguarding their integrity and reputation. Here are some key measures to consider in building such a comprehensive defense strategy:

  1. Rapid Verification: Implement processes for quickly verifying the authenticity of alleged data breaches. This involves having a dedicated team or protocol for such investigations.
  2. Educate Your Staff: Regularly educate and train your staff about the possibility of fake data breaches and the importance of not panicking and following protocol.
  3. Enhance Monitoring and Alert Systems: Strengthen your monitoring systems to detect any unusual activity that could indicate a real threat, even while investigating a potential fake data breach.
  4. Establish Clear Communication Channels: Ensure clear and efficient communication channels within your organization for reporting and discussing potential data breaches.
  5. Monitor Hacker Communities: Stay connected with cybersecurity communities and forums to stay informed about the latest trends in fake data breaches and threat actor tactics.
  6. Legal Readiness: Be prepared to engage legal counsel to address potential defamation or misinformation spread due to fake data breaches.
  7. Public Relations Strategy: Develop a strategy for quickly and effectively communicating with stakeholders and the public to mitigate reputation damage in case of fake breach news.
  8. Conduct Regular Security Audits: Regularly audit your security systems and protocols to identify and address any vulnerabilities.
  9. Backup and Disaster Recovery Plans: Maintain robust backup and disaster recovery plans to ensure business continuity in case of any breach, real or fake.
  10. Collaborate with Law Enforcement: In cases of fake breaches, collaborate with law enforcement agencies to investigate and address the source of the fake data.
  11. Use Canary Tokens: Implement canary tokens within your data sets. Canary tokens are unique, trackable pieces of information that act as tripwires. In the event of a data breach, whether real or fake, you can quickly identify the breach through these tokens and determine the authenticity of the data involved. This strategy not only aids in early detection but also in the rapid verification of data integrity.
  12. Utilize Converged Security Solutions: Adopt solutions like Secure Access Service Edge (SASE) that provide comprehensive security by correlating events across your network. This streamlined approach offers clarity on security incidents, helping distinguish real threats from false alarms efficiently.
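The “Rapid Verification” and “Use Canary Tokens” measures above can be combined into one triage step: seed a few never-issued canary records into the real customer table, then check a sample of any alleged dump against a keyed-hash index of both the canaries and the genuine records. The script below is an added illustration, not code from the original post or from Cato Networks; the customer list, canary addresses, the two dump samples and the 50% match threshold are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the real customer table (demo values only).
CUSTOMER_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Canary tokens: unique records that exist only inside our data set and were
# never issued to a real person. A dump containing one of these came from us.
CANARY_EMAILS = ["j.canary-7f3a@example.com", "m.canary-0b1c@example.com"]

# Per-investigation key: the index holds keyed hashes, so responders can check
# a dump sample without ever handling the plaintext customer list.
KEY = secrets.token_bytes(32)


def fingerprint(email: str, key: bytes) -> str:
    """Keyed hash of a normalized email address."""
    normalized = email.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def build_index(emails, key: bytes) -> set:
    return {fingerprint(e, key) for e in emails}


def assess_dump(sample_emails, real_index, canary_index, key):
    """Classify a sample from an alleged dump.
    Returns (canary_hits, real_hits, verdict)."""
    fps = [fingerprint(e, key) for e in sample_emails]
    if not fps:
        return 0, 0, "no_sample"
    canary_hits = sum(fp in canary_index for fp in fps)
    real_hits = sum(fp in real_index for fp in fps)
    if canary_hits:
        verdict = "confirmed"       # only our data set contains canaries
    elif real_hits / len(fps) >= 0.5:   # threshold is a demo assumption
        verdict = "likely_real"
    elif real_hits == 0:
        verdict = "likely_fake"     # no canaries, no customer matches
    else:
        verdict = "inconclusive"    # a few matches: scraped or recycled data?
    return canary_hits, real_hits, verdict


REAL_INDEX = build_index(CUSTOMER_EMAILS, KEY)
CANARY_INDEX = build_index(CANARY_EMAILS, KEY)
# Constructed samples: a generator-style fake dump and a genuine one.
FAKE_DUMP_SAMPLE = ["dana@example.com", "erin@example.com", "frank@example.com"]
REAL_DUMP_SAMPLE = ["Alice@Example.com", "bob@example.com", "j.canary-7f3a@example.com"]
```

A sample with no canary hits and no customer matches is the signature of a fabricated dump, while even a single canary hit settles the question the other way before any deeper forensics begins.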

As technology advances, cybercriminals are also becoming more sophisticated in their tactics. Although fake data breaches may seem less harmful, they pose significant risks to businesses in terms of resource allocation, reputation, and security posture. To strengthen their defenses against cyber threats, enterprises need a proactive approach that involves rapid verification, staff education, enhanced monitoring, legal readiness, and the strategic use of SASE. It’s not just about responding to visible threats but also about preparing for the deception and misdirection that we cannot see. By doing so, CISOs and their teams become not just protectors of their organization’s digital assets but also smart strategists in the ever-changing game of cybersecurity.


Vitaly Simonovich, Threat Intelligence Researcher, Cato Networks. Member of Cato Ctrl. He is based in Israel and has more than eight years of experience in the field of cybersecurity, with a focus on application and data security. Previously, Vitaly worked at Incapsula and Imperva, where he led teams of security analysts and researchers. Apart from his work, Vitaly is an active contributor to the cybersecurity community. He regularly publishes research blogs and webinars, and also presents at various security conferences. He is passionate about teaching cybersecurity to others and is teaching at local colleges. In his free time, he enjoys solving Capture The Flag (CTF) challenges, which helps him to enhance his skills.
