CyberSecurity SEE

Paramount and Forever 21 Data Breaches Pave the Way for Follow-on Attacks

Media giant Paramount Global and fashion retailer Forever 21 have both fallen victim to data breaches, resulting in the exposure of personally identifiable information (PII) for thousands of individuals. The breaches have raised concerns about the potential for follow-on attacks targeting the affected individuals.

In the case of Paramount, a data breach notification letter revealed that cyber attackers gained access to PII for specific individuals between May and June of this year. The compromised data included names, birthdates, Social Security numbers, driver’s license numbers, passport numbers, and information related to the individual’s relationship with Paramount. The notification letter, written by an operations executive at Nickelodeon Animation Studio, did not provide further details regarding the affected individuals or their profiles.

Forever 21, for its part, disclosed in a data breach notification that hackers accessed PII belonging to 539,000 consumers. The compromised information included names, Social Security numbers, birthdates, and bank account numbers. The unauthorized access also extended to “information regarding your Forever21 health plan,” suggesting that employees were also impacted. The retailer discovered the intrusion on August 4, but the unauthorized access occurred between January 5 and March 21.

The theft of PII, particularly Social Security numbers, can facilitate identity theft and various forms of fraud. However, these breaches also exposed more personalized information, such as data on victims' Forever 21 health plans and descriptions of individuals' relationships with Paramount. This type of information can enable cyber attackers to launch convincing follow-on phishing attacks that target victims for even more valuable data. Furthermore, even the initial cache of stolen information can lead to account takeovers.

Erich Kron, a security awareness advocate at cybersecurity company KnowBe4, commented on the severity of the breaches, stating, “This is a significant number of records that contain very sensitive information that have been potentially compromised. The data could easily be bundled and sold on the Dark Web and not used for months or even years. Information such as a Social Security number does not expire and can be useful for attackers for decades.”

The specific security vulnerabilities that enabled these cyber intrusions and the systems that were accessed remain unclear. Nevertheless, these incidents serve as a reminder to companies that handle PII to prioritize security measures. This includes patching vulnerabilities, ensuring cloud instances are properly configured to prevent open access, and strengthening authentication methods for databases and servers that store PII.

Stuart Wells, the CTO at Jumio, emphasized the importance of robust identity verification measures for organizations in light of data breaches. He stated, “Data breaches, while detrimental to the organization breached, have severe repercussions for companies who encounter fraudsters leveraging the stolen data. This underscores the necessity for robust identity verification measures across all organizations – companies must establish every user’s true identity to ensure that the user accessing an account is not a fraudster.”

As the affected individuals await further information and potential consequences, it is crucial for them to remain vigilant. Cyber attackers may attempt to exploit the stolen information through various means, so individuals need to be cautious and proactive in protecting their personal information.
