In response to reports that financial technology company Revolut suffered a cyberattack that relied on social engineering and gave an unauthorized third party access to the personal information of tens of thousands of clients, an expert at a cybersecurity firm offers the following comment.
Lately it seems like, in addition to the normal approaches of stealing data and launching ransomware, attackers are doing their best to publicly embarrass their victims by leveraging access to internal systems or communication platforms to display, er, unexpected information. Also becoming more commonplace is for cybercriminals to immediately begin exploiting stolen personal information to launch highly targeted downstream social engineering campaigns. As organizations become more resilient to ransomware attacks and reticent to pay extortion demands for stolen data, cybercriminals are looking for more ways to diversify and monetize. Targeting customers of the compromised organization provides yet another avenue for attackers to generate more revenue. One of the most important steps that organizations can take to protect both their internal users and their customers is to clearly communicate exactly how they can be contacted by the organization and what data they can expect to never be asked for, like account passwords.