The massive data breaches at Sony and the US organisers of the X-Factor reality television show, indicate cyber criminals may be changing tactics, says security firm SecureEnvoy.
The hack of the Fox television network's database of competition entrants is the latest in a string of attacks on corporate servers to extract personal data, suggesting cybercriminals are now building information profiles on people, rather than developing frauds around available credentials, says Andy Kemshall, technical director of SecurEnvoy.
Attacks on Sony's PlayStation Network and Online Entertainment services and the Epsilon systems are the most high-profile reports of corporate servers being hacked, he says, but there have been many more less-reported intrusions, suggesting cybercriminals are now actively compiling data on large numbers of people for longer-term fraud.
Over 100m user records were potentially exposed in data breaches at Sony. Some reports say up to 250,000 people have been affected by the X-Factor breach, others quote Fox as saying the figure is around 70,000.
The X-Factor data should have been encrypted, says Carole Theriault of security firm Sophos, especially as the US rules have changed to allow children as young as 12 to enter.
"I wonder what efforts are being made to contact the parents and guardians of these children to explain what happened?" Carole Theriault wrote in a blog post.
Andy Kemshall says it is easy to see a pattern emerging in these attacks. "Previously, frauds were card-centric and built around opportunistic database hacks, but the sheer volume of the system hacks in recent months suggests a longer-term strategy."
Security researchers are already reporting that names and unique identifiers such as social security/national insurance and address details, are being bought and sold on underground forums, along with dates-of-birth, e-mail addresses and other personal data.
"Our observations suggest this data is being compiled into one or more databases, meaning low-level frauds can be carried out on a steady basis, bursting into periods of high activity when the people's debit or credit card details become available," said Kemshall.
This is something the IT security industry has not seen before, he says, but cybercriminals have never had it so good, with the wealth of data on millions of people available to them.
Kemshall says the constant stream of corporate hacks in recent months indicates cybercriminals are conducting these attacks on a carefully planned basis, with the longer-term strategy of building their own fraudulent database on as many people as possible.