Social media profiles are a goldmine of information for criminals, cybersecurity experts warn, outlining potential risks. Public vacation posts and location tags, photos showcasing home interiors, or videos with personal voiceovers can be exploited to plan burglaries or generate deepfakes. Meanwhile, EU legislation does not yet fully protect user data. One issue is that most platforms do not comply with European law.
One of the most frequent targets for cybercriminals is the medical sector, where highly sensitive patient health data is stored. According to the “Cyber Threats in Healthcare” report by Cyber360, the number of posts on the dark web containing healthcare data increased by 35% from April 2022 to March 2023, totaling 450 posts. During the same period, nearly 1,200 phishing attempts targeting healthcare entities were reported. 63.5% of phishing domains impersonating healthcare websites over the past year used the HTTPS protocol.
“There are absurd situations, like the now-famous meme-worthy patient queue lists in clinics, where patients are anonymized with pseudonyms. The question is whether this truly improves the comfort and protection of these patients’ personal data, especially when, just a few months later, we get information about data breaches, such as from ALAB. The medical sector is one of the most frequently attacked and one of the least protected. It’s not that companies don’t care about cybersecurity, but rather that the medical sector has many backdoors. For example, a simple Wi-Fi-connected printer can be a backdoor for cybercriminals to infiltrate our network,” explains Dr. Piotr Łuczuk, cybersecurity expert and deputy director of the Institute of Media Education and Journalism at the Cardinal Stefan Wyszyński University in Warsaw, in an interview with Newseria Innowacje.
However, this is a situation that we, as individuals sharing personal data, may not have much control over. Equally dangerous, according to experts, is the everyday carelessness we exhibit while using social media.
“We share a lot of information about ourselves online, including who we know, who we meet, where and what we eat, and where we are. These are all data points. In discussions about data, we need to reconsider the very concept of what data means to us, whether at the national, European, or global level, and protect it. Are we talking about sensitive data like name, surname, social security number, or bank account number? I think no one in their right mind runs down the street with a credit card shouting their ATM PIN. Meanwhile, on social media, we reveal a lot of such data about ourselves. Based on social media photos and videos, we can verify if someone is at home, if they have an alarm system, and where the alarm sensors are located,” says Dr. Piotr Łuczuk.
A potential thief can also learn from social media posts that the homeowner is on vacation and get to know the layout of the house to determine if someone is guarding it during their absence.
“In movies, spies or intelligence officers observed their targets to learn their daily routines, social circles, and find a breaking point. Nowadays, all this data is literally at our fingertips. With one click, we can conduct a quick search and learn a lot about our friends, enemies, business partners, or competitors. The digital trail we leave behind follows us for miles,” adds the expert.
Another dangerous situation is when cybercriminals gain access to social media accounts or devices, such as phones, which often contain photos of ID cards. Links in fake SMS messages can be used to capture bank login details. CERT Poland has created the Safe Mail service to protect email users. Since mid-August 2023, users have checked nearly 19,000 domains with this tool, with almost 8,000 checked more than once. CERT Poland also launched the Artemis project to strengthen capabilities in detecting, analyzing, and responding to cybersecurity incidents more effectively and automatically. In 2023, almost 51,000 domains and IP addresses and over 250,000 subdomains were scanned, and nearly 184,800 vulnerabilities or misconfigurations were reported.
“The widespread acquisition of our data can result in the generation of numerous fake identities impersonating us to deceive others, legitimizing themselves online, conducting disinformation campaigns, and engaging in internet trolling. There are many ways to misuse our data, which we consider innocent, like our name and surname, easily found in milliseconds when browsing social media,” concludes the deputy director of the Institute of Media Education and Journalism at the Cardinal Stefan Wyszyński University.