This Year We Realized that All of Our Data was Stolen

A lot can happen in a year. In 2018, the bitcoin bubble popped (again), tensions between the U.S. and China boiled over into a trade war, and tech giants solidified their positions as the most valuable companies in the world (the top four in market cap are now Microsoft, Apple, Amazon, and Alphabet).

Behind it all, in some way or another, was our private data.

This year, people started to realize that their data is hacked, exploited, and manipulated on an industrial scale, either by criminals or the tech companies that power the modern economy. Governments do it too, of course. Just this week, news emerged that hackers linked to China’s Ministry of State Security reportedly broke into the networks of Hewlett Packard Enterprise and IBM, and used that access to penetrate their clients’ systems.

Here’s the thing: hacking is inevitable, so you should be prepared for when—not if—your data gets stolen. Though some say this fatalistic narrative is overdone, for now the epidemic of theft shows no signs of letting up.

Two of the biggest exploits in history were disclosed this year: a total of 650 million accounts were breached in attacks on the Marriott hotel business and the Under Armor apparel company. With a few days left in the year, there’s still a chance that hacks revealed in 2018 will surpass the 2.3 billion credentials that were “spilled” last year.

What's new?

It’s not that our digital privacy wasn’t violated before, but we’re beginning to realize how bad it is. “2018 was the year when people woke up to the fact that we can no longer rely on companies to protect our data,” said Andrei Barysevich, who works for the online investigation firm Recorded Future.

Your personal data is out there, somewhere, for sale on the dark web. For $40 to $200, a full package of an American’s personal data—from credit and criminal history to bank account numbers—can be purchased on the unindexed part of the internet, according to Armor research. For $100, you can buy 50,000 stolen airline miles from an American carrier; a cloned ATM card with a $4,000 balance can be bought for around $200.

To pay for it you need digital tokens. The crypto bubble may have popped, but it’s alive and well on the dark web, according to Barysevich. Bitcoin is the most popular means of exchange for these transactions, but hackers accept dozens of different crypto coins in exchange for stolen information, he said. Some of these digital bazaars can be accessed by anyone able to find them, while others require an invitation.

Oren Falkowitz, CEO of Area 1 Security, says we are not doomed to perpetual hacks and stolen data. His company uncovered and disclosed what it says a was a phishing campaign waged by the Chinese People’s Liberation Army. It allowed China’s government to snoop on confidential EU diplomatic cables.

Falkowitz says 9 out of 10 cyber hacks are rooted in phishing scams—phony emails that trick users into clicking dangerous links or revealing sensitive information. He says there is nothing particularly cutting edge about phishing, and the fact that so many hacks rely on it shows there’s vast scope for the improvement of digital defenses. The “cyber doom narrative” is false, says Falkowitz, a former National Security Agency analyst.

One problem is that for companies, cybersecurity is considered a cost center, not a profit center. Falkowitz optimistically likens online security to safety standards for automobiles, which improved after many years of refinement and missteps.

Recorded Future’s Barysevich, a former consultant for the FBI’s New York Cybercrime field office, says there’s already technology out there that could make personal data safer. Encryption works, but not every company knows how to properly manage it, he says. Many enterprises fail to even back up their data, which makes them susceptible to ransomware heists. He pointed out that Apple Pay and Google Pay wallets use one-time tokens for transactions that can’t be reused, even if they’re intercepted and stolen. Far more data could be anonymized, partitioned, and encrypted.

“In the long run, we don’t want companies holding vast stores of credit card information which can be used for future fraud,” said Shuman Ghosemajumder, CTO of Shape Security. “It maybe possible to tokenize or anonymize other types of information to similarly protect other classes of personal information,” said Ghosemajumder, who previously served as “click-fraud czar” at Google.

The End of Innocence

Stolen personal data is bad enough. The likes of Facebook and others store information that is far more granular. Most of us didn’t care what these companies were up to, until recently.

The Cambridge Analytica scandal may prove to be a turning point. To recap, Cambridge Analytica used data held by Facebook to build psychological profiles of individuals in the US prior to the 2016 presidential election. The data was reportedly used to deliver hyper-partisan messages to millions of voters. It was enough to get Facebook CEO Mark Zuckerberg hauled in front of Congress, where he avoided any real damage.

Then, just before 2018 was up, the New York Times reported (paywall) that Facebook, which has 2.2 billion users, also provided major tech companies like Microsoft, Spotify, and Amazon access to personal data that would otherwise appear to violate its own policies.

In some instances, these companies may not have realized they had access to an extra dose of Facebook data. But the bombshell hinted that Facebook and other big tech firms can’t be trusted with the personal data that their business models depend on.

Will the EU come to the rescue? Brussels is the birthplace of GDPR, which is perhaps the world’s most rigorous data privacy regulation. The sweeping law was implemented in May and requires companies to get explicit permission from people in the EU to use their information. It gave regulators the authority to levy fines for failures, and also has rules about disclosing unauthorized data breaches.

It’s too early to tell if it’s working. A type of online tracking for advertising declined in the EU after GDPR came into a force, while it has continued its upward climb in the US, according to data compiled in October by Cliqz. Facebook has lost EU market share, as have smaller adtech venders. Google, however, may have come out ahead. One possibility is that Google is able to use its deep pockets and scale to adapt to the regulation better than smaller companies.

Rahul Telang, professor of information systems at Carnegie Mellon University, thinks GDPR will have a middling effect. As with most regulation, there will be some benefits, but they could be offset by unintended consequences. “Sometimes regulations serve to entrench monopolies even more,” Telang said. “Facebook and Google have little competition, and they have incentives to abuse our data.”

GDPR’s hacking provision—which requires companies to quickly warn users when their personal information has been compromised, and features fines for data breaches—may spur some institutions to clean up their act. For instance, why continue to store unneeded personal information if there’s a risk it can get stolen, triggering bad press and a financial penalty? Deleting extraneous data is one way to avoid an embarrassing hack.

Barysevich is wary of the rules for rapid disclosure. He argues that quickly reporting a breach before the theft has been assessed and addressed leaves companies vulnerable to “highly motivated criminals.” When it comes to financial penalties, there’s a risk that companies handle it with an accounting solution. They could set up a rainy day fund in case they get fined, instead of beefing up security to avoid breaches in the first place.

Even if GDPR isn’t perfect, it has helped raise awareness that online privacy doesn’t really exist anymore. Maybe 2019 will be the year to do something about it.