Data misuse: Misuse of personal data

Last updated: 14.10.2024
Data misuse occurs when personal data such as names, contact details, or account information is used against a person's will to commit potentially criminal acts. To protect personal and thus sensitive data from such misuse, there are, among other things, data protection laws and the General Data Protection Regulation (GDPR). This form of data misuse can take many different forms in practice and sometimes has serious consequences: from identity theft to corporate bankruptcy.
Key Takeaways
  • Data Misuse: Unauthorized use of personal data for criminal purposes.
  • Examples: Data theft by hackers, employees, or public figures.
  • Consequences: Identity theft, corporate bankruptcy, reputational and financial damage.
  • Common Methods: Phishing, Pharming, Vishing, Snarfing, DNS Spoofing, Content Spoofing.
  • Prevention: Employee training, data protection management, IT security, data security concept.

Practical Examples: Data Misuse

Data misuse is usually preceded by the theft of personal data. This theft can take different forms, for example:

  • Data theft from companies by (former) employees or by hackers
  • Data theft involving public figures and
  • Data theft involving individuals.

Data misuse can take many forms. For example, when companies like large hotel chains are hacked, attackers usually target payment and account details to steal money or sell them on the dark web. The same applies to all other data such as names, addresses, or social security numbers.

Data theft by employees or, more generally, the theft of business data also constitutes data misuse, as does the embezzlement of customer data.

Consequences of Data Misuse

For private individuals, data theft often has far-reaching consequences: from emptied bank accounts to identity theft, the severity of personal data misuse can vary greatly.

The same applies to businesses. Beyond the financial damage that misuse of corporate data can cause, reputational damage must also be considered: a data theft can rarely be kept secret, as companies are generally obliged to report such a data breach as soon as personal data of customers, employees, or partners is affected. If a company repeatedly falls victim to data misuse, it signals to outsiders that data protection and data security are not taken seriously.

Common Data Misuse Tactics

Stolen data can cause enormous damage. But first, personal data needs to be obtained. There are numerous tactics to get hold of this coveted data – no wonder, as personal data is the gold of the 21st century and thus highly sought after. The most common attempts to steal data are:

  • Phishing: By sending fake emails, for example from banks, fraudsters aim to 'phish' for other people's login credentials via email.
  • Pharming: This scam also occurs via email, but in this case, malware is sent.
  • Vishing: Similar to phishing, but vishing occurs over the phone. People are called, and login credentials are tricked out of them using confusing tactics.
  • Snarfing: Here, security vulnerabilities in wireless networks (WLAN or WPANs) are detected and exploited. Data theft then occurs within these networks.
  • DNS Spoofing or Cache Poisoning: The IP address / domain of a website is falsified in such a way that the user is unknowingly redirected to another computer, where the attack on their data takes place.
  • Content Spoofing: The user is redirected to a meticulously recreated website that they originally intended to visit (this is often the case with banking sites). If the user then enters their data there, they are directly handing it over to the criminal.
  • IP Spoofing: A computer is tricked into believing it is receiving data from a known, verified computer. In reality, however, the attacker intercepts communication between the sender and receiver and can capture or manipulate data.
  • ARP Spoofing: This particularly affects IP telephony. Here, ARP tables in a network protocol are altered.
  • Mail Spoofing: Employees are tricked into believing they are receiving emails from superiors through deceptively authentic-looking emails. This usually comes with a request for large sums of money to be paid.
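
The mail-spoofing scenario in the last item (a message that appears to come from a superior and asks for a payment) leaves traces in the message headers that a mail gateway or an analyst can check. The following Python sketch is an added example, not part of the original article; the organisation domain, executive names, keyword list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch (not from the article): the organisation's
# domain, the display names of its executives, and the keyword list.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
PAYMENT_WORDS = ("wire transfer", "payment", "invoice", "bank details")

# Constructed sample messages, using reserved example domains.
SPOOFED = """From: "Jane Doe" <jane.doe@mail.example.net>
Reply-To: accounts@example.org
To: finance@example.com
Subject: Urgent wire transfer today
Authentication-Results: mx.example.com; dmarc=fail header.from=mail.example.net

Please send the payment before noon and keep this confidential.
"""

LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Agenda for Monday
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

See attached agenda.
"""

def spoofing_indicators(raw: str) -> list[str]:
    """Return the reasons a message looks like a spoofed mail from a superior."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Display name of a superior, but the address is outside the organisation.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append("executive-name-external-address")
    # Replies would go to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("reply-to-domain-mismatch")
    # The receiving server recorded a failed DMARC check.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("dmarc-fail")
    # Payment request in subject or body, as in the scenario described above.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in PAYMENT_WORDS):
        reasons.append("payment-request")
    return reasons
```

Calling `spoofing_indicators(SPOOFED)` returns all four indicators, while `spoofing_indicators(LEGIT)` returns an empty list.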

Of course, there are many other forms of data misuse and ways fraudsters illicitly obtain data. Do you know them all and how you and your employees can protect yourselves from them?

How can data misuse be prevented?

To prevent data misuse, comprehensive corporate data protection is paramount. This has many facets, including:

  • Raise awareness among your employees through Employee Training. Clicking on a dangerous phishing email happens quickly, but the damage can be long-lasting.
  • Do you have a data protection management system in your company? With data protection management, you can control your company data, plan its security, implement data protection, and monitor and coordinate all these measures.
  • Do you have a Data Protection Officer? Especially if you work with a special category of personal data, such as health data, one is mandatory. But even otherwise, they help you implement corporate data protection.
  • What about your IT security? For criminals, this is often the first point of contact for companies.
  • It is also advisable to establish a data security concept. Data security and the overarching data protection are closely linked to corporate IT, which is why information security is also discussed in this context.
  • Are your technical and organizational measures (TOM) up to date?
  • Encrypt your files: From emails to PDFs, you should always encrypt important files.

Do you have further questions on this topic? Our experts will be happy to advise you free of charge.

If you're looking for a partner to support you on your journey to data protection and information security, feel free to contact our team of experienced experts.
Alexander Ingelheim
Co-Founder & CEO
Alexander Ingelheim is Co-founder and CEO of Proliance. His driving force from day one has been to support companies with the hurdles and challenges of data protection and GDPR. He brings extensive experience from his work in international consulting, including positions at Bregal Unternehmerkapital GmbH and McKinsey & Company. He is also a certified Data Protection Officer (TÜV & DEKRA).
About Proliance
Proliance stands for Professional Compliance for businesses. We are a digitally driven Legal Tech company based in Munich, established in 2017 and now with over 90 privacy enthusiasts. Our more than 2,500 clients include start-ups, medium-sized businesses, and corporate groups from almost all industries.