Carla Martín Ramírez

In recent years, there has been a notable increase in reported security incidents involving personal data leaks, where users' personal data has been exposed or compromised due to security breaches affecting companies or organisations. These incidents not only impact the entities responsible for data processing, but can also have a direct effect on the individuals whose data is involved. Recently, several security incidents have made headlines, in which companies across different industries and sizes have reported unauthorised and unlawful access to their customers' data. As a result, the confidentiality of customer personal data held by these companies has been compromised—ranging from basic identification details to payment-related information. But what is a data leak and what risks does it pose? A data leak occurs when personal or confidential data is accessed, copied or extracted by unauthorised third parties as a result of a security incident. These situations typically stem from a security breach caused by a cyberattack, human error or misconfiguration of security systems, ultimately leading to exposure or exfiltration of information. From a regulatory standpoint, these incidents are governed by the General Data Protection Regulation (GDPR). Under this framework, companies and organisations that experience a personal data breach are required to notify the incident to the Spanish Data Protection Agency (AEPD), unless the breach is unlikely to pose a risk to individuals' rights and freedoms. However, in cases where there is a high risk to those rights and freedoms, the data controller must also inform the affected individuals. As highlighted in several media reports, the types of data involved in a leak can vary widely: Personal data (full names, ID numbers) Contact information (phone numbers, email addresses or locations) Financial data (account numbers or IBANs) Passwords, contract-related data, service usage details or medical information, depending on the company’s operations and the nature of the exposed database Exposure of this kind of information can lead to significant risks for affected individuals. These include identity theft to open bank accounts, sign up for phone lines, apply for loans, or carry out fraudulent actions in the victim’s name; unauthorised access to social media accounts or profiles; or targeted fraud attempts using leaked data to make the deception more credible. These risks have already materialised in recent real-life cases, such as: Early last year, Spain’s National Police dismantled a criminal organisation that had defrauded more than €400,000 through fraudulent purchases on e-commerce platforms. The group illegally obtained the victims' banking data from databases leaked on the dark web. In another recent case, a scammer called a victim pretending to be a bank employee, warning them of a supposed fraud attempt on their account. To make the scam more convincing, the caller correctly provided the victim's personal details, such as their full name, account number and ID number—data that may have been sourced from previous data leaks. Given the risks, what general protection measures can be applied? The Spanish National Cybersecurity Institute (Incibe) offers a blog and several guides with information and training on cyber security for the general public. Among its resources are practical tips and steps to secure compromised accounts or simply improve their security. Some of the recommended measures include: Change all passwords, both for services that were compromised and for any other accounts where the same login credentials may have been used. Avoid weak passwords, as they are the easiest to crack. To reduce risk, use strong, unique passwords and password managers to handle different credentials across accounts. Enable additional security measures, such as two-factor authentication wherever it’s available. For email addresses, consider using alternative email accounts for signing up to services whenever possible. This helps avoid using your primary email—which likely contains more personal information—and reduces exposure to spam and potential leaks. In the case of banking data, if you suspect it may have been compromised, immediately notify your bank to assess the risk and follow their recommendations, which may include cancelling your bank card or reviewing suspicious activity. Additionally, whenever possible, use virtual cards for online purchases to enhance digital payment security. Lastly, try to find out which specific data has been compromised. As a precaution, it's safest to assume that any information shared with a breached company could be affected. As a final recommendation, it’s good practice to regularly check for potential data leaks and periodically review your accounts. You can also run a basic online search using your full name or ID number to detect fake profiles, identity theft or suspicious activity. This practice is known as egosurfing, and its purpose is to monitor what personal information is easily accessible online. There are also specific tools to check whether an email address has appeared in any known data breach, such as Have I Been Pwned or Google One’s dark web report, which will be available until 16 February. Additionally, Incibe offers a citizen support service that provides free and confidential guidance through different communication channels, under the name Tu Ayuda en Ciberseguridad.

The exposure of information on the network, as well as every online interaction and action, leaves a trail that forms a digital footprint and that is relevant for both individual users and business environments. In the case of companies, regardless of their sector and size, it is essential to identify and protect the information exposed to preserve its integrity and prevent possible security attacks. The digital footprint study is not limited to the information that the company decides to make public, such as its website, social networks or official images, but covers any type of data that can be collected in order to obtain more information about the company. Such data can include employee and customer comments and images on social networks, financial and business information, metadata, operating systems and corporate tools used, vulnerabilities, or unprotected information in repositories. The digital footprint not only affects the company's reputation, as it is closely linked to its brand and digital identity but can also be analyzed and used by threat actors for malicious purposes. The following are some examples of this: CEO fraud: this fraud aims to trick employees who have access to the company's financial resources into transferring money from the company's bank account or paying a false invoice, for example. To commit this fraud requires, among other things, extensive knowledge of how the company works, the management and middle management positions and the types of corporate communications. A well-known case of this type of fraud occurred earlier this year at a Hong Kong multinational. The company was the victim of a sophisticated fraud that combined in-depth knowledge of the company with the use of deepfakes. The fraudsters impersonated the image and voice of the CFO and other employees in a video call, managing to deceive a worker who made a fraudulent transfer of 24 million euros. CEO fraud can involve deepfakes and detailed knowledge of the business. Another significant case was published in November of this year, although on this occasion it was not completed. A popular restaurant in Cartagena (Murcia) was the victim of this type of scam, including the use of artificial intelligence to clone the manager's voice. The fraudsters also managed to gain access to security cameras to monitor the place in real time. The scammers called the venue with the falsified voice of the manager and requested a bank transfer, describing specific details of the situation to lend further credibility to the scam. However, on this occasion, the employee targeted by the scam became suspicious of the deception because some aspects did not match the usual work dynamics. Impersonation of social networks or web pages : impersonation consists of appropriating the identity of a person or company with malicious motives, in order to obtain some benefit or cause some kind of reputational damage. To do this, using the information collected about the company on the network, such as brand image, communication style and products offered, a fraudster can create a web page or profile very similar to the original one in some social network to impersonate the company with the aim of deceiving its customers to obtain an economic benefit. Incibe, for example, reported a recent case in which a website impersonation scheme was dismantled in Spain. The criminal organization carried out impersonations of legitimate online stores dedicated to the sale of high-end electronic products and the fraudulently created websites were identical or very similar to the originals. Another example of this was published in October this year, when a group of fraudsters fraudulently created a website of a home appliances and electronics business in Vigo (Spain). The fraudsters also impersonated the company on WhatsApp and Wallapop and used, in addition to the image of the company, the specific details of the store, address and VAT number to appear more truthful. These cases represent only a sample of the many potential attacks or frauds that could affect a company and that could have a higher probability of success when there is greater exposure of accessible information. Impersonation on social networks and websites can cause reputational and economic damage to companies. The importance of the digital footprint in corporate security In this context, the Spanish Association of Companies Against Fraud recently published the Report on Fraud Trends in Companies 2024-2025. According to the report, the companies surveyed recorded a 78% increase in attempted fraud compared to the previous year, and 61% more fraud consummated. Regarding the fraud channels used, online fraud accounted for 62%, and added to the 20% of the telephone channel, non-face-to-face fraud amounted to 82% of the total. Knowing the digital footprint should be part of the strategy to protect business integrity and prevent attacks. The report highlights a growing concern about fraud and its impact on companies, in addition to the fact that fraud through non-face-to-face channels has become a major risk for companies. For this reason, knowing the enterprise digital footprint and continuous monitoring of exposed information plays an important role in a company's security strategy, as inadequate management of accessible information not only makes it easier for criminals to access it, but also increases the likelihood that attacks will be more specific, sophisticated and targeted, raising the risk that potential fraud or attacks will be successfully consummated. Cyber Security How Clean Email Business protects SMEs from email cyber-attacks September 13, 2023

Brad Smith, Microsoft's president and vice president, told U.S. lawmakers a few months ago that one of his biggest concerns is related to the proliferation of deepfakes, and urged U.S. lawmakers to create new laws to protect their national security, as well as to take measures so that people know how to recognize this type of counterfeiting. Deepfake is a method of impersonation in which an advanced AI technique is used to collect data on physical movements, facial features and even voice, to process it and create fake audio-visual, graphic or voice content, with a hyper-realistic result.  Several types of deepfakes can be identified, used together or separately, for example: Deepvoice: in which fragments of a person's voice are replicated to broadcast another message or content. Deepface: in which through multimedia content in which a person appears, it is possible to impersonate his face and gestures to broadcast a different content. The first time this technique was used by a particular user was in 2017, by a Reddit user whose profile name was Deepfakes. Since then, and especially during the last few years, deepfakes have gained great relevance and accessibility, being nowadays much more available to the general public through commercial applications, which increases the risk of this type of technology being used with a fraudulent or malicious intentionality. ◾ A recent case is that of some thirty minors in Almendralejo (Badajoz), who reported that photographic montages of themselves made through artificial intelligence, created, and disseminated by other underage children, were circulating. ◾ In addition, an increase of scams has been alerted through calls impersonating the identity of family members, in which money is urgently requested because they are in some urgent situation. Deepfake in the corporate environment This, however, can be directly related to security in the corporate environment, since by modifying the voice and/or image of a member of a company's board of directors, cybercriminals could impersonate their identity and make calls, or even video calls, making decisions that could be harmful or fraudulent for the company. And we have previously commented on the use of deepfakes for this purpose, for example, in CEO Fraud scams. As we have already mentioned, over the last few years deepfake methods have become much more accessible and also, with the rise of artificial intelligence, they have advanced at a dizzying rate, becoming more and more realistic. Focusing on voice deepfake, this category of simulation has achieved that in recent months the reproduction of the artificial voice has a much more natural sound, increasingly resembling the human voice, and therefore making it difficult to discern whether it is a simulation or a real human voice. An example of this is the tool announced by Microsoft earlier this year, called VALL-E, a language modeling tool that can be used to synthesize high-quality custom speech with only a 3-second recorded recording, even supplanting cadence, voice pitch and acoustic environment. While this tool is not yet in circulation, there are many others that can currently be used, although they require a longer voice recording, such as Resemble.ai or CereVoice Me, among others. A recent application of this method for fraudulent use occurred during the spring of this year, when a Florida investor contacted his local Bank of America representative to inform him of a large money transfer. However, during the process a second call was made, in which the investor's identity was impersonated through voice cloning, with the goal of tricking the bank representative into transferring the money to another recipient. In this case, the fraud was quickly detected and was never completed. Another recent case in which money was actually transferred occurred in Baotou (Inner Mongolia, China). This time the technology was used to convince a man to transfer money to a supposed friend who needed 4.3 million yuan to make a deposit during a bidding process. However, cybercriminals had impersonated his friend in order to get the money transferred to them. Ways to Prevent and Detect Deepfakes Some emerging technologies are helping to make deepfakes detectable: Cryptographic algorithms can be used to insert hash values at set intervals during video; if the video is modified, the hash values will change. AI and blockchain can record a tamper-proof fingerprint for videos. Another way to neutralize deepfake attempts is to use a program that inserts specially designed digital "artifacts" into videos to hide the pixel patterns used by facial detection software. These slow down the deepfake algorithms and generate poor quality results. Biometric voice recognition: this recognition uses unique characteristics of a person's voice, such as pitch, cadence, and rhythm, to verify their identity. Spectrogram analysis: voice spectrograms can reveal signs of tampering, such as overlays or edits. Blockchain: some solutions use blockchain technology to track and verify the authenticity of images from their origin. Technology, however, is not the only way to protect against counterfeiting techniques, be they image, video or voice. Here are some useful techniques to effectively detect and prevent deepfake fraud attempts: Multifactor identity verification: combine voice recognition with other verification methods, such as password authentication or facial recognition, to increase security. The presence in any business organization of automatic controls integrated into all processes involving disbursement of funds is also very relevant. Education and awareness: ensuring that both employees and other users are aware of how a deepfake works and the challenges it can pose. Make good use of the media and use good quality sources of information. It is important to note that, given the constant advancement of technology, detection and prevention methods are also constantly evolving. This makes it very important for business organizations to keep up to date with the latest techniques and tools available, and to adapt their security strategies accordingly. AUTORES CARLA MARTÍN RAMÍREZ Intelligence analyst at Telefónica Tech DANIEL SANDMEIER Analyst at Telefónica Tech Cyber Security IA & Data Cyber Security Evolution: AI as a Tool for Attack and Defence June 28, 2023