Impunity of online data breaches
This is a follow-up to my earlier post “Be aware of online data breaches” written on 5th June 2019.
Five years ago, in 2014, two major cybercrimes happened: the theft of 100 million credit card records at Target, and the leak of about 100 terabytes of data, including unreleased movies and more, from Sony. They shook the world and drew everyone’s attention to online data breaches. It felt like awareness of being secure online was growing at every level of organizations, including the corner offices. Then in 2018, Facebook-Cambridge Analytica became known, a loud outcry followed and then total silence – everyone involved was let off with a mild reprimand – and the world moved on.
The consequence, in my view, is that all the stakeholders at large companies have a sense of impunity. With the advent of cloud computing and the hunger for collecting large volumes of data to feed their AI/ML models, designing any system has become extremely complex. Most often, management may not be fully informed of the cost of protecting the data that gets stored. There can never be a fool-proof software system, but when everyone involved strives for a secure one, you can get to reasonable levels of safety.
In this piece, I am not talking about the rise in Government Surveillance. For that, read my earlier post titled “The San Francisco’s Facial Recognition Ban and the questions it raises”.
Now in 2019, aside from the data breaches (this is when a cybercriminal breaks into a system just as a thief does in the real world), the rate of data leakages (data that has been left unprotected and found by passers-by, or was sold without the consent of the users) has been increasing. You had Brainwash, a café in San Francisco that had sold its live streaming camera’s footage to companies.
In the last few weeks alone, I have had three notifications from Experian of data breaches of my email address from OxyData.IO (a company I never dealt with), Canva.com and ShareThis. I would urge those reading this to use the free service from Firefox called Firefox Monitor. It will let you know whether your email addresses have been leaked or not. It is powered by have i been pwned?, a service run by my fellow Microsoft Regional Director and renowned security expert Troy Hunt.
Finally, to appreciate the magnitude of this problem, see the report below for one of my email addresses. Over the last six years (2013-2019) one of my email addresses has been leaked in over fourteen known data breaches.
Today, I got the email below from Firefox Monitor. As described above, the service constantly monitors online data dumps to spot your email ID, phone number or date of birth showing up in them. It informed me that the email and password I used to register on the site IIMJobs (I don’t remember why I registered on this site!) have been leaked due to a data breach. Just like in every data breach, once the cat is out of the bag, there is nothing you can do.
This is the reason security experts advise us to:
- Use a disposable email ID for these random websites & apps.
- Never give your primary email ID or mobile number to apps that are not from tech biggies (Microsoft, Google & FB are also vulnerable, but to a far lesser extent than the smaller players).
- Have a unique password for each website or app that you are using.
- Enable two-factor authentication wherever possible.
- Sign up to a service like Firefox Monitor – Microsoft Edge and Google Chrome are also bringing out similar features.
We have also seen the recent tussle over Apple’s new privacy settings in the iPhone, which Facebook has taken serious offense to. Democratic Governments seem to have given in to the reality that the ship has sailed and are limiting themselves to making some noise just to placate their voters.