Nine months after a massive hack stole data from Truist Bank customers, reports are surfacing that the information is still for sale on the dark web. A threat actor calling themselves “Sp1d3r” appears to be selling what they claim is stolen data containing information on 65,000 individuals, priced at $1 million.
Truist claims that there has been no evidence of fraud resulting from the hack. “In October 2023, we experienced a cybersecurity incident that was quickly contained,” the bank said in a statement to tech news website Bleeping Computer. “In partnership with outside security consultants, we conducted a thorough investigation, took additional measures to secure our systems, and notified a small number of clients last Fall.”
But customers of Truist and other financial institutions may not feel entirely reassured. Many likely believed that the notification last fall marked the end of their problems—yet the data remains exposed.
“This information can sit on the dark web forever,” said Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy & Research. “It’s just out there waiting to be used, whether it’s five days after the breach, six months after the breach, or four years after the breach.”
Defending Against Hacks
The hack is a reminder that having data stolen is not a one-time occurrence. Once individuals are aware of the situation, they must take a defensive position, assuming their information is permanently at risk on the dark web.
One important step is to set up not just fraud alerts but account alerts. These notify account holders if their email address or phone number is updated, or if one-time passcodes are used without their knowledge.
“You don’t know what you don’t know,” Sando said. “If something is getting changed in the background without you knowing about it, that could be the thing that leads to account takeover.”
For anyone who has been a victim of a data breach, a few protective steps include changing passwords and monitoring their credit rating for any unauthorized purchases. Sando also recommends using an identity protection services provider, which can be a huge help in detecting suspicious activity.
“You’ve got someone else now, who is a professional at this, able to let you know when they see something that might be wrong,” Sando said.
“The possibilities are endless for what can happen to a consumer’s identity at this point,” she added. “Once that breach happens, it’s not just a breach of your data, it’s a breach of your trust.”








