Natural Disasters: A Perfect Storm for Data Breaches

Written by Rocco Alfonzetti, CCSK, CCAK, CDPSE, Security Officer at Paperclip, Inc. and Member of the CSA Data Security Working Group.

The recent wildfires on Maui have had a devastating impact on the island, both in terms of human life and property damage. However, the fraud implications of these disasters are often overlooked.

Wildfires, hurricanes, and other natural disasters present opportunities for bad actors to infiltrate and exploit the relaxation of security and the human condition to help. Recent articles like “Hurricane Idalia has left Floridians vulnerable to fraud” and “Be Alert to Fraud After Hurricane Idalia” cite false FEMA claims, and false disaster grants, among other fraudulent activity.

In the aftermath of a natural disaster, organizations often find themselves scrambling to recover their data. This is often a challenging task, as data may be damaged or lost forever, and IT systems required to utilize the data may be disrupted. In addition, organizations are forced to prioritize humanitarian relief efforts over fraud prevention and data security concerns.

This can lead to a number of fraud-related risks, including:

• Identity Theft: In the chaotic aftermath of any disaster, it can be easy for the criminal element to steal sensitive identity data. This happens through physical theft of documents or through targeted opportunistic cyber attacks.
• Fraudulent Insurance Claims: Scammers will often pose as victims (see Identity Theft) of a disaster in order to file fraudulent insurance claims.
• Fraudulent Donations: Scammers often create fake websites or social media accounts to solicit donations for disaster relief.
• Real Estate Fraud: Scammers may pose as real estate agents or contractors and offer to help people find new homes, sell their properties, or repair damaged homes. They then steal the victim's money and disappear.
• Fraud Involving Deceased Persons: Scammers will pose as family members of the deceased in an attempt to access the victim's bank accounts or other financial assets.
• Credit Card Fraud: Scammers will steal credit card information from people who were displaced by the disaster and use it to make fraudulent purchases.

The phrase “Never let a good crisis go to waste” is based on the idea that people are more likely to be vulnerable to fraud during times of crisis and chaos. It’s part of the human condition. People are naturally more vulnerable when they’re stressed, confused, and desperate.

Scammers know this, and they use it to their advantage as they prey on the victims of any natural disaster. This is why it’s important to remain vigilant during a crisis and exercise the Zero Trust model—never trust, always verify.

The connection between natural disasters and cyber attacks is so inherently linked that FEMA has invested over $165 million in grant funding to bolster state and local jurisdictions’ cyber preparedness over the past 10 years. FEMA has also trained more than 87,000 federal, state, local, tribal, and territorial officials on cybersecurity over that same time period.

The following are some statistics from a recent hurricane, Hurricane Ida, which made landfall in Louisiana on August 29, 2022:

• The storm caused an estimated $75 billion in damage.
• More than 1 million people were left without power.
• More than 100 people were killed.

During Ida there were numerous cases of fraud reported, including an insurance adjuster from Texas who was sentenced to 20 years in prison. He was found guilty of pocketing more than $200,000 in insurance payouts meant for St. Charles Parish residents who filed claims to repair damage to their property following Hurricane Ida, according to the St. Charles Parish District Attorney's Office.

There are also major physical security concerns related to the chaos that takes place before, during, and after a natural disaster.

• Tailgating: Tailgating is when someone follows an authorized person through a security checkpoint without being properly vetted. This is a common problem for law enforcement, businesses, and organizations managing the movement of people.
• Theft of Documents: Thieves will target businesses and organizations that have sensitive documents, such as financial records or customer information. Think about what happens during an evacuation when empty businesses are cut off from physical security controls such as security personnel and electricity.
• Unaccounted Visitors: Businesses and organizations must have a system in place to track visitors and documentation during a natural disaster. This will help to prevent unauthorized people from entering the premises and accessing sensitive data.
• Stolen Identification: Thieves will seek opportunities to steal identification cards, such as access cards, driver's licenses, and passports in order to commit fraud or gain access to secure facilities.
• Social Engineering: Social engineering is a type of attack in which the attacker deceives the victim into giving up sensitive information or taking actions that harm the victim. This includes manipulating an employee into giving up their login credentials or clicking on a malicious link that downloads malware onto their computer.
• Door-to-Door and Drive By Contracting and Disaster Assistance: Steer clear of any contractor who asks for full payment up-front, only accepts payment in cash, or refuses to provide a written contract.

Example of Fraud in the Maui Wildfires: A Real-Life Scenario from the Identity Theft Resource Center

After the wildfires on Maui, a group of scammers posing as real estate agents set up a fake website and social media account. They offered to help people find or repair homes, but they were actually stealing the victims' money through requesting deposits or up-front payments.

One victim, a woman named Sarah, was displaced from her home by the wildfires. Desperate to find a new place to live, she was approached by scammers. The scammers convinced Sarah that they could help her find a home; all she needed to do was pay a sizable deposit upfront. Desperate for assistance, Sarah paid the deposit. Of course, she never received any assistance from the scammers.

Sarah is just one of many early victims of fraud that have occurred after the wildfires on Maui. The scammers continue to take advantage of the chaos and confusion to prey on people who are trying to rebuild their lives, their businesses, and a path to normalcy.

In our expanded technological world, we all have access to more information than ever before. This can be a huge advantage in the scope of responding to and managing threats related to natural disasters. Of course, there is another, ugly side to that coin. The threat actors, scammers, and fraudsters all have access to some amazing technologies.

So, what’s the recommendation? How do we curb this type of threat activity?

Awareness training and incident response exercises extend beyond the walls of our companies. It’s fair to say that private individuals need to be aware of basic threats and how to avoid threat actor activities. Here are a few basic recommendations:

1. Don’t panic. Yes, take care of your family as a first priority. Just don’t forget to breathe and observe your surroundings. Remain suspect of the people you engage with throughout the disaster.
2. Have a personal disaster recovery plan. Know ahead of time what you will do in the event of a tornado, hurricane, fire, etc. This is an old-school approach, but know your escape (map your destination), know where you will go, and know what you will need. Then, once you’re in a safe location, take inventory of your family and your sensitive materials. Know how you will address any missing sensitive materials such as credit cards, bank account information, passports, etc. Don’t forget to test (roundtable) and communicate your plan with everyone involved.
3. Secure all documents and sensitive data. Use a fireproof safe for physical documents you need to maintain in physical form. Use encrypted cloud storage for all sensitive content. If you use an on-premises whole-house data storage device, I recommend that it is backed up to an encrypted cloud storage solution. As a general note, use multi-factor authentication (MFA) and complex passwords for any whole-house data storage solution.
4. This one recommendation breaks my faith in humanity, but it needs to be stated in very direct terms: Don’t trust anyone. Disasters tend to bring out the worst in people. I am not recommending that you don’t accept any assistance. I am recommending that you validate everything offered. Yes, don’t trust anything, and authenticate everything!
5. Be wary of untraceable purchases or exchanges. In a disaster, bad actors will attempt to offer assistance. Make sure all transactions are documented. Do not provide cash deposits or collateral, as this is a well-practiced method of fraud, after these incidents.
6. Be prepared, and don’t let the bad actors and scammers profit from your loss.

This article cites the following sources for its data:

• Identity Theft Resource Center
• Federal Trade Commission. "Fraud in the Aftermath of Natural Disasters." Federal Trade Commission, 2023
• National Association of Insurance Commissioners
• FBI New Orleans Warns About Hurricane-Related Fraud
• 20 years in prison for insurance adjuster who stole Hurricane Ida payouts
• Be Alert to Fraud After Hurricane Idalia
• Paperclip Inc Management and Professional Services Teams