If we were to label 2014 in security terms, at this point where we are over halfway, then the year of “massive data breaches” may not be too far from the truth.
Following the announced breaches at Australian retailer Catch of the Day (in 2011), Target, eBay, Office and, this week, Goodwill, we have seen them over and over again. Yes, we get the same message – “we apologise for this”, “we are investigating” and “your financial data is unaffected”. That last statement is what really bothers me: yes, my financial data is unaffected, but what about the personal data which has been lost or stolen?
It is a lot easier for me to cancel a credit card than it is for me to move house, yet services and businesses do not seem to value personal data as highly. Statistics from Symantec show that real names are the most commonly breached, and without wanting to live under witness protection or a false identity, that is also hard to change.
So should applications, websites and services treat personal details as they do with financial data? After all, personal data can be used as the source of identity theft, and allow for a fake profile to be built and your life to be turned upside down. So should this not be treated as well and as securely as financial data?
Australian security researcher Troy Hunt told me that as soon as he heard this, he said yes. “Of course the natural question that arises from this is how should you protect this customer data? Does there need to be legislation to properly encrypt this information? Of course you’re at the risk of key exposure plus there are risks in the processes that actually pull the data back out – you want to be able to edit those personal details, right?”
Charles Sweeney, CEO of Bloxx, said he found it interesting that when there is a breach, companies seem to be “bright and breezy” about the fact that no financial information has been stolen. “The fact remains however that for a criminal to commit identity fraud, all they need are some basic facts about you in order to assume your identity and do some real damage,” he said.
“They are experts at taking disparate pieces of a jigsaw and turning them into something meaningful, and it’s a job they are very good at. Personal data is just as valuable as financial information and should be protected in the same vein. Sure the latter is a short cut to financial gain, but the criminals can still do a whole lot of damage with just your name, address and date of birth.”
I asked Christian Toon, head of information risk at Iron Mountain, whether as a data protection company, it had a responsibility to protect user data as well as financial data. He said that there is an argument for it and the media do a job of reporting the financial impact of crime, but it is harder to quantify if your identity has been stolen.
“It is harder to justify margin and it follows the targeted attack model, but in terms of valuing information, maybe it is a societal challenge on placing more value on identity as we do our bank accounts,” he said.
“Information is information, and there are relevant structures and regulations on personal data that they need to protect, and a more robust and rigorous classification scheme will say ‘it is personal data, but what does it mean to us’. If you are a crisis charity it is more valuable to you.”
Rowenna Fielding is information governance manager at the Alzheimers Society. She said that this is an interesting question, as often, people think of financial data and financial impact in relation to breaches. She said: “I think that financial data gets talked up more because it is easier to see cause and effect whereas the potential consequences from a breach of email addresses, geolocation information, addresses etc are more difficult to evaluate.”
Yes it is, but if personal data is so hard to value, surely that makes it priceless? Toon said that in regard to the eBay and Target breaches, they were about corporate information responsibility and not about taking more care of one kind of data than another; it is all information and organisations should play a key part in that.
“Organisations should not dictate on what information of their consumers should be valuable, it should be all about information and tied into that corporate information responsibility. It will be afforded different controls between a charity and a bank, but it is still important and the challenge is quantifying impact of identity theft. There is more to it than just safeguarding.”
It is a challenge, but I am not sure if anyone really agrees with me on the concept of securing personal data as much as they do financial data. An ICO spokesperson sent me the following statement to this question: “Businesses processing personal information in the UK must make sure that they are looking after this information correctly and keeping it secure. The ICO can, and has in the past, issued financial penalties when businesses have failed to protect personal information ranging from financial information through to account login details.
“Failure to look after any sort of personal information correctly not only leaves the business open to enforcement action by our office, but will also quickly result in the loss of consumer trust.”
Yes, if you do it wrong you will face the consequences, but let’s not forget that some of the major breaches, where losses have run into millions of records affected, have been with US businesses. Derek Brink, analyst at the Aberdeen Group, admitted that there is a problem with consumers not changing passwords, but at the same time, “please secure our personal information on your servers!”
He said: “In my own research, an analysis of some 325 organisations found that 85 per cent of common enterprise applications are still running within enterprise-managed data centres and server rooms (as opposed to in the public cloud), while the IBM X-Force Threat Intelligence Quarterly, 1Q 2014 notes that “attackers are increasingly going after central, strategic targets as a means to optimize their efforts and increase their return on exploit”.
“So it’s also worth re-examining the processes and technologies in place for data centre security – that is, for keeping your organisation’s data centre (both physical servers, and virtual servers) secure, compliant and well-managed.”
Another point I raised was whether we as consumers are surrendering our privacy by signing up to these websites and applications. Fielding said that the vast majority of people will not deny Facebook/Amazon/eBay/etc their personal data no matter how many breaches occur. “This is because a) people don’t value their privacy until it’s taken away – by which point it’s too late to protect it; b) the instant gratification of being able to buy/click ‘like’ on something overrides the consideration of the longer-term effect; and c) the likelihood of any consequence at an individual level (fraud, ID theft) being traceable back to the company that had a breach in a way that makes the company accountable for the damage is vanishingly small,” she said.
Like it or not, you hand your details over and you are a commodity of that service, and if it suffers a breach then yes the reputation of the service suffers, but only for a short term and you have to face the consequences.
I would like to see more controls placed around personal data – thankfully I have not been affected by many of the massive breaches, but as a consumer who feels a value over his personal information, I would appreciate it if more businesses did the same.