This Year We Realized that All of Our Data was Stolen


Hacking is inevitable.

A lot can happen in a year. In 2018, the bitcoin bubble popped (again), tensions between the U.S. and China boiled over into a trade war, and tech giants solidified their positions as the most valuable companies in the world (the top four in market cap are now Microsoft, Apple, Amazon, and Alphabet).

Behind it all, in some way or another, was our private data.

This year, people started to realize that their data is hacked, exploited, and manipulated on an industrial scale, either by criminals or the tech companies that power the modern economy. Governments do it too, of course. Just this week, news emerged that hackers linked to China’s Ministry of State Security reportedly broke into the networks of Hewlett Packard Enterprise and IBM, and used that access to penetrate their clients’ systems.

Here’s the thing: hacking is inevitable, so you should be prepared for when—not if—your data gets stolen. Though some say this fatalistic narrative is overdone, for now the epidemic of theft shows no signs of letting up.

Two of the biggest exploits in history were disclosed this year: a total of 650 million accounts were breached in attacks on the Marriott hotel business and the Under Armour apparel company. With a few days left in the year, there’s still a chance that hacks revealed in 2018 will surpass the 2.3 billion credentials that were “spilled” last year.

What's new?

It’s not that our digital privacy wasn’t violated before, but we’re beginning to realize how bad it is. “2018 was the year when people woke up to the fact that we can no longer rely on companies to protect our data,” said Andrei Barysevich, who works for the online investigation firm Recorded Future.

Your personal data is out there, somewhere, for sale on the dark web. For $40 to $200, a full package of an American’s personal data—from credit and criminal history to bank account numbers—can be purchased on the unindexed part of the internet, according to Armor research. For $100, you can buy 50,000 stolen airline miles from an American carrier; a cloned ATM card with a $4,000 balance can be bought for around $200.

To pay for it you need digital tokens. The crypto bubble may have popped, but it’s alive and well on the dark web, according to Barysevich. Bitcoin is the most popular means of exchange for these transactions, but hackers accept dozens of different crypto coins in exchange for stolen information, he said. Some of these digital bazaars can be accessed by anyone able to find them, while others require an invitation.

Oren Falkowitz, CEO of Area 1 Security, says we are not doomed to perpetual hacks and stolen data. His company uncovered and disclosed what it says was a phishing campaign waged by the Chinese People’s Liberation Army. It allowed China’s government to snoop on confidential EU diplomatic cables.

Falkowitz says 9 out of 10 cyber hacks are rooted in phishing scams—phony emails that trick users into clicking dangerous links or revealing sensitive information. He says there is nothing particularly cutting edge about phishing, and the fact that so many hacks rely on it shows there’s vast scope for the improvement of digital defenses. The “cyber doom narrative” is false, says Falkowitz, a former National Security Agency analyst.

One problem is that for companies, cybersecurity is considered a cost center, not a profit center. Falkowitz optimistically likens online security to safety standards for automobiles, which improved after many years of refinement and missteps.

Recorded Future’s Barysevich, a former consultant for the FBI’s New York Cybercrime field office, says there’s already technology out there that could make personal data safer. Encryption works, but not every company knows how to properly manage it, he says. Many enterprises fail to even back up their data, which makes them susceptible to ransomware heists. He pointed out that Apple Pay and Google Pay wallets use one-time tokens for transactions that can’t be reused, even if they’re intercepted and stolen. Far more data could be anonymized, partitioned, and encrypted.

“In the long run, we don’t want companies holding vast stores of credit card information which can be used for future fraud,” said Shuman Ghosemajumder, CTO of Shape Security. “It may be possible to tokenize or anonymize other types of information to similarly protect other classes of personal information,” said Ghosemajumder, who previously served as “click-fraud czar” at Google.

The End of Innocence

Stolen personal data is bad enough. The likes of Facebook and others store information that is far more granular. Most of us didn’t care what these companies were up to, until recently.

The Cambridge Analytica scandal may prove to be a turning point. To recap, Cambridge Analytica used data held by Facebook to build psychological profiles of individuals in the US prior to the 2016 presidential election. The data was reportedly used to deliver hyper-partisan messages to millions of voters. It was enough to get Facebook CEO Mark Zuckerberg hauled in front of Congress, where he avoided any real damage.

Then, just before 2018 was up, the New York Times reported (paywall) that Facebook, which has 2.2 billion users, also provided major tech companies like Microsoft, Spotify, and Amazon access to personal data that would otherwise appear to violate its own policies.

In some instances, these companies may not have realized they had access to an extra dose of Facebook data. But the bombshell hinted that Facebook and other big tech firms can’t be trusted with the personal data that their business models depend on.

Will the EU come to the rescue? Brussels is the birthplace of GDPR, which is perhaps the world’s most rigorous data privacy regulation. The sweeping law was implemented in May and requires companies to get explicit permission from people in the EU to use their information. It gave regulators the authority to levy fines for failures, and also has rules about disclosing unauthorized data breaches.

It’s too early to tell if it’s working. A type of online tracking for advertising declined in the EU after GDPR came into force, while it has continued its upward climb in the US, according to data compiled in October by Cliqz. Facebook has lost EU market share, as have smaller adtech vendors. Google, however, may have come out ahead. One possibility is that Google is able to use its deep pockets and scale to adapt to the regulation better than smaller companies.

Rahul Telang, professor of information systems at Carnegie Mellon University, thinks GDPR will have a middling effect. As with most regulation, there will be some benefits, but they could be offset by unintended consequences. “Sometimes regulations serve to entrench monopolies even more,” Telang said. “Facebook and Google have little competition, and they have incentives to abuse our data.”

GDPR’s hacking provision—which requires companies to quickly warn users when their personal information has been compromised, and features fines for data breaches—may spur some institutions to clean up their act. For instance, why continue to store unneeded personal information if there’s a risk it can get stolen, triggering bad press and a financial penalty? Deleting extraneous data is one way to avoid an embarrassing hack.

Barysevich is wary of the rules for rapid disclosure. He argues that quickly reporting a breach before the theft has been assessed and addressed leaves companies vulnerable to “highly motivated criminals.” When it comes to financial penalties, there’s a risk that companies handle it with an accounting solution. They could set up a rainy day fund in case they get fined, instead of beefing up security to avoid breaches in the first place.

Even if GDPR isn’t perfect, it has helped raise awareness that online privacy doesn’t really exist anymore. Maybe 2019 will be the year to do something about it.
