[BreachExchange] Depressing lessons 2018’s endless data breaches taught us

Destry Winant destry at riskbasedsecurity.com
Mon Dec 31 08:48:48 EST 2018


https://thenextweb.com/contributors/2018/12/28/depressing-lessons-2018s-endless-data-breaches-taught-us/

In the days after Facebook‘s September announcement about a bug that
may have compromised 90 million users – yes, that was three months and
several earth-shattering Facebook headlines ago – someone asked me
what consumers could have done to avoid being caught up in yet another
data breach.

“They could not use Facebook,” I said.

Every time a major breach occurs, we look for answers about what
consumers can do differently. What can I do to protect myself? Can I
stop criminals from stealing my data? How do I fix it? I’ve gotten
these questions from friends, family, colleagues, and journalists over
the past few years, and my answers are getting increasingly
pessimistic: there’s nothing you can do, not really.

You can change your passwords. You can freeze your credit (seriously,
freeze your credit). But you don’t control the systems on which your
data is stored, so you can’t fix it, and you can’t stop it.

The answer doesn’t lie with the consumers. This is not something for
the consumer to solve. This is not something that we – you and I – can
fix. We need to be looking at the tech giants that have been amassing
our data instead.

That will be $5 and your mother’s maiden name

The average consumer has no real ability to opt out of putting their
data in compromising situations. Engaging with the world, or at least
transacting with the world, creates countless opportunities for data
collection and subsequent compromise: buying gas, getting groceries,
going to the movies, checking your email – all of these activities
require sharing, transmitting, and recording information about you.

This data contains a wealth of information: personal data, medical
histories, financial details, preferences, behaviors, movements, and,
increasingly, biometric data – think of face recognition, voice
technology, and DNA from genetic or ancestral testing services.

Even if the security community warns consumers against entering
personal information on unsecured websites, it’s unreasonable to
expect people to abandon their online shopping or social media
accounts – for many, the most reliable source of connection with
friends, family, and the rest of the world.

At every turn, companies look to record, collect, and connect data.
Technology runs the world, and data is the fuel – data is a commodity,
and the tech giants understand that.

These companies rely on user data for increased market share and
broader monetization, with many companies even incentivizing users
into additional data sharing in exchange for special rewards.

In exchange for increased data access (read: increased surveillance),
companies serve up highly customized user experience, pulling in
preferences and browsing history from multiple sites and accounts,
using predictive analytics to identify needs and prompt purchases.

These customized feeds and personalized recommendations are part of
what create addictive user experiences – and higher revenues.

We’ve gotten used to these services that collect our data. We rely on
them — and the tech giants know that. They know that once these
technologies become a regular part of the flow of life, commerce, and
information, they’re very difficult to give up.

For every new feature, users trade a little bit more data and a little
bit more privacy, all in the name of convenience or a dopamine hit.

It’s getting harder and harder to opt out.

What does that have to do with data breaches?

If 2018 taught me anything about data breaches, it’s this: we’ve
reached a whole new scale of compromise. In the last few weeks alone,
we’ve seen multiple breaches impacting hundreds of millions of records
each. Just in the last few weeks. And those are just the ones we know
about.

These last few weeks aren’t an anomaly. 2018 also brought us a breach
at the Sacramento Bee (19.5 million records), Ticketfly (27 million
records), Panera (37 million records), Under Armour (150 million
records), and Aadhaar, India’s national ID database (1.1 billion
records), just to name a few.

We saw huge third-party data breaches at sales engagement startup
Apollo (200 million records) and at marketing firm Exactis (340
million records). Exactis follows in the wake of Equifax – who, by the
way, announced in March 2018 that the initial breach impacted 2.4
million additional customers – by having data on nearly every US
citizen.

While Exactis didn’t include the financial details that drove the
concern and attention around Equifax, it did include personal data and
detailed profile information: the age and gender of children in a
household, smoking habits, religious affiliations, pet preferences,
hobbies, and interests. Everything about your life, nicely aggregated
and cross-referenced.

A few years ago, we would flinch at the news of a breach that impacted
100,000 customers. Exposed records now regularly number into the
millions or even hundreds of millions. When we thought of data
breaches, we thought of usernames, passwords, and maybe contact
details.

Now, we have to wrestle with the compounding effects of personal
information, digital profiles, financial data, location tracking,
passport information, and even DNA. We’re facing a steeper trade-off,
where consumers are forced to choose between participation and
privacy, and where participation involves signing over a considerable
amount of data that, realistically, isn’t going to be secure for very
long.

The stakes are significantly higher.

Aren’t the lawyers going to save us?

No. I mean, maybe. But no. Legislation incentivizes better security
practices for corporations – good for all of us – but ultimately rules
and regulations will not solve the problem on their own. Consumers are
trapped between the high data appetites of the tech giants and the
growing fraud economy, with a ready collection of cyber criminals
eager to cash out on compromised data. Legislation will only get us so
far.

If you’re looking for optimism on the future of data security, I’m not
the right person to ask. As someone who sees stolen data traded every
day on the dark web, I have a firm practicality about the scope of the
data compromise problem: it’s bad, and it’s getting worse.

The only consolation I have in our ongoing and inevitable data
exposure is that, to quote one of the transformative musical
productions of our time, we’re all in this together.

Executives, consumers, legislators, world leaders, college students,
kindergarten teachers – everyone is at risk, everyone is exposed, and
everyone is facing the same fallout from data compromise. Eventually,
the weight of worldwide data exposure will sink in, and leaders,
legislators, and, yes, even the tech giants might just try to do
something about it.

