top of page

The nightmare before Christmas: data breaches typically rise during festive season

As we move into the holiday period and organisations begin to allow their staff to take annual leave, businesses should note that periods of lower manpower are prime time for threat actors to make use of breached sensitive information and launch attacks.

The use of breached credentials to either facilitate access or escalate privileges on a network continues to be the most popular attack vector for threat actors. This can explain why there is such a large marketplace for the selling of sensitive information.

Data is the most valuable commodity in the world, and organisations can expect at some point to face the impact of a data breach. So how are they protected against?

When a member of your organisation is found to be associated with a data breach, even if this breach was with a third party, it is important to review how long ago it occurred. This will help establish how relevant that information will be, and what information was likely to be taken.

Credentials should always be changed, and personnel should be encouraged to not reuse the same passwords across multiple accounts, as this is one of the first tasks a threat actor will set to find out.

If the breached information is not credentials, but relates to an individual working at the organisation, such as PII, their interests, which vendors they interact with etc. then they should be educated on social engineering and basic cyber security measures as they may, in future, be susceptible to a spear phishing campaign that uses the information to build familiarity between the threat actor and the potential victim.

Not everyone is familiar with simple cyber security concepts and by delivering effective, up to date training - which the EMCRC offer as a service - it can enable them to identify such attacks by remembering their involvement in a previous breach and partnering that against suspicious emails, text messages or other online interactions.

Particularly at this time of year, organisations are encouraged to disseminate education about social engineering techniques, not only how to identify a generic phishing email, but rather what information a threat actor would be interested in.

This can include credentials, PII, security classified information, frequently visited websites, types of devices used and third-party vendors employed by the organisation.

How might you be affected?

In a typical scam, you might receive a message claiming to be from an organisation that has suffered a recent data breach. The message could ask you to log in and verify your account because 'fraudulent activity has taken place', or similar.

These scam messages will typically contain links to websites that look genuine, but which store your real details once you’ve typed them in. Or these websites could install viruses onto your computer or steal any passwords you enter.

Like many phishing scams, these scam messages are hard to spot, and are preying on real-world concerns (in this case, a data breach) to try and trick you into clicking.

And it's not just emails or texts. If the information stolen during the breach includes phone numbers, you might receive a suspicious call. The approach may be more direct, asking you for sensitive information (such as banking details or passwords), or access to your computer.

Actions to take following a breach

If you're a customer of an organisation that has suffered a data breach, you should take the following actions.

1. Find out if you've been affected by contacting the organisation using their official website or social media channels. Don't use the links or contact details in any messages you have been sent. The organisation should be able to confirm:

  • if a breach actually occurred

  • how you're affected

  • what else you need to do

You can also phone the organisation directly but be aware that many won’t have the capacity to respond to all calls during a major breach.

2. Be alert to suspicious messages which may be sent some time after the breach is made public. Remember, your bank (or any other official organisation) will never ask you to supply personal information. Things to look out for include:

  • official-sounding messages about 'resetting passwords', 'receiving compensation', 'scanning devices' or 'missed deliveries'

  • emails full of 'tech speak', designed to sound more convincing

  • being urged to act immediately or within a limited timeframe

3. If you receive a suspicious message that includes a password you've used in the past, don't panic:

  • if this is a password that you still use, you should change it as soon as you can

  • if any of your other accounts use the same password, you should change them as well

  • check out our advice on creating strong passwords.

4. Check your online accounts to confirm there's been no unauthorised activity. Things to look out for include:

  • being unable to log into your accounts

  • changes to your security settings

  • messages or notifications sent from your account that you don't recognise

  • logins or attempted logins from strange locations or at unusual times

5. If you suspect an account of yours has been accessed, refer to the NCSC guidance on recovering a hacked account.

6. To check if your details have appeared in any other public data breaches, there are a number of online tools that you can use, such as Similar services are often included in antivirus or password manager tools that you may already be using.

Reporting suspicious messages

If you receive a message or phone call about a security breach that doesn't feel right, here's what to do:

If you've lost money

If you've lost money, tell your bank and report it as a crime to Action Fraud, the UK's reporting centre for cyber crime (in Scotland, contact the police by dialing 101). You'll be helping the NCSC and law enforcement to reduce criminal activity, and in the process, prevent others from becoming victims.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page