Hacking the Dead

A recent large-scale data breach in South Africa had all the typical traits of a government or credit reporting service compromise. Within the compromised data, however, was an interesting field not commonly seen in other breaches: deceased_status. This raises a morbid question: “Can you hack the dead?” The simple answer is yes. Consider an individual who is recently deceased:

• Their bank accounts may still be open
• Their email and social media accounts are likely still active
• Their cell phones and landlines still work
• They may not have a will or clear accounting of their assets

Estates are prime targets for everything from identity theft to asset liquidation, since there is often a gap in monitoring the deceased’s assets. How often does it happen and will this be a new trend? The facts indicate that the deceased are easy targets for cybercriminals. For instance, CNBC reported on tax fraud involving the use of Social Security Numbers for almost 67,000 people who would be at least 113 years old. The State of California also provides tips for protecting the deceased from identity theft. Remember the email scams about the dead Nigerian prince who happened to be your distant relative? In reality, a deceased person’s contact list would be an easy target for phishing attacks targeting beneficiaries, next of kin, and others in vulnerable states. While we now laugh off the Nigerian prince scam, the fact is criminals can now launch convincing, multi-stage attacks at scale. The deceased pose the initial attack vector, with their surviving relatives, friends and colleagues facing subsequent threats. Banks, credit bureaus and government agencies all track whether you are alive or dead – information that can leveraged to jeopardize your identity and assets. You can protect yourself and the people you care about by planning ahead. Here’s some information on estate planning from the American Bar Association to get you started.