The Dangerous Data Hack That You Won’t Even Notice

OnpraW/Shutterstock.com

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
By Betsy Cooper,
Quartz

By Betsy Cooper ,
Quartz

|

By focusing only on hackers’ efforts to extort money or mess with our political process, we may have been missing what is potentially an even scarier possibility.

A recent wave of cyberattacks—from WannaCry and Equifax to the alleged Russian influence on the US election—has demonstrated how hackers can wreak havoc on our largest institutions. But by focusing only on hackers’ efforts to extort money or mess with our political process, we may have been missing what is potentially an even scarier possibility: data manipulation.

Imagine that a major Big Food company gets hacked. But this time, instead of leaking the company’s proprietary information to the public or freezing its systems with ransomware, the hackers subtly manipulate the data on which the company relies. Expiration dates on milk cartons get scrambled so that some are thrown away early while others make drinkers sick, despite appearing within their use-by date. Figures are tweaked slightly on pending invoices to vendors, altering the company’s balance sheets by hundreds of thousands of dollars. Small changes are made to food-safety tests so that a dangerous product that was failing suddenly looks like it is passing regulation tests.

Would the company even notice such changes happening? Could it still have the confidence that its backups were uncompromised? How could its investors accurately assess the company’s value when all of its financials might suddenly be based on faulty information? And how might its customers and suppliers respond?

Now apply this thought experiment to banks, medical institutions, and government organizations. It’s pretty scary.

Unlike “information-gathering” hacks (where data is stolen because it is valuable) or “hold hostage” attacks (when data is imprisoned until someone pays to release it), “manipulation hacks” are hard to detect: They result when individuals (or bots) illegally change vital information below the threshold of attention.

Take the recent Equifax breach as an example. A software engineer set up a fake website claiming to help customers—and even Equifax linked to the fake site. The site’s contents made clear it was not real (the purpose was to expose how easy it was to “phish”), but Equifax fell for cybersecurity’s equivalent of fake news, and it took 200,000 clicks before the company noticed.

In the most extreme cases, such hacks could have deadly consequences. A paper in the New England Journal of Medicine recently reported on the risks of data breaches in health systems, noting that a hacker could in theory change a single data point, such as the level of potassium in a patient’s blood, leading caregivers to provide incorrect and potentially lethal treatments. Given that medical errors are now the third leading cause of death in the US, there is plenty of reason to worry.

More broadly, data manipulation breeds uncertainty. When a hacker’s goal is to leak stolen information or hold data for ransom, their success depends on their ability to prove the information they hold is real. But with data manipulation, the goal is to call the underlying information into question. And uncertainty is its own weapon. Ten years ago, an announcement by the banking group BNP set the 2007 financial crisis in motion because they said they didn’t know what securities linked to subprime mortgages were worth. In today’s data-driven markets, the consequences of uncertainty for the financial industry might be far greater.

Admittedly, data-manipulation hacks are not as easily monetizable as ransomware, nor do they produce as much buzz as the public release of sensitive data. But that doesn’t mean they can’t have serious financial repercussions. When hackers took over the Associated Press’s Twitter account in 2013, a few fake tweets about a terrorist attack caused the stock market to take a nosedive. A future attack could call the quarterly earnings of a publicly traded company into question, and benefit from the postponement of that company’s earnings call.

There are also deep-seated political implications to data manipulation. The data on the servers of state election boards are an obvious target; in at least one US county in 2016, a hacker manipulated the voter data, though the issue was corrected before the election actually occurred.

Because of the opportunity that data manipulation provides, we need to take simple steps now before this kind of hack becomes more common. First, we need to design systems that are carefully watching for manipulation: Hard or offline backups are essential, and data holders should develop systems to regularly compare live versions of their data to their backups. (According to Osterman Research, most companies don’t do this continuously, and some don’t do it at all.)

We also need better database oversight, such as systems designed to identify precisely when data has been manipulated. For example, in the art industry, collectors use provenance documents to verify who has owned an artwork and how it has changed over time. Perhaps a similar system to verify the provenance of data could help us tell when a data manipulation hack has occurred.

But there’s is a small silver lining: One of the easiest ways for organizations to defend against hackers is to beat them at their own game. When infiltrators can’t tell what data is real, they won’t know what actually might be of value. Emmanuel Macron’s French presidential campaign, for instance, purportedly distracted hackers with fake data, which limited the effectiveness of campaign hacks as a result.

Perhaps this really is an instance where fire(wall) can be fought with fire(wall).

NEXT STORY: Tech Industry Insiders Want to Standardize Data Scientists

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.