2014 has been a pretty brutal year for data breaches and hack attacks.
From eBay to Spotify and back again, it feels like there has been a total avalanche of data being pinched from under the noses of the companies that we have trusted to keep our information safe.
What astounds me, even more than the fact that companies don’t seem to be learning any lessons, is that the default response when an attack is revealed is that ‘no financial information has been compromised’. Clearly that is a good thing. No one can argue against that. However, the fact that my personal information has been stolen and is most likely for sale on the deep web is not a good thing. Far from it.
Whilst the online giants I interact with treat my email address, date of birth, address and name with little respect, there is a hacker somewhere that will pay a princely sum for them. These details might seem sparse and unimportant, but they can easily be used to assume an individual’s identity.
Not sure? These details would be all someone would need in order to set up a utility bill in your name, secure a mobile phone contract and register for a whole host of services. There is a story about a couple who once found out that their identity had been stolen when they ran into the postman, who said that he would be sorry to see them leave the neighbourhood. Puzzled, they asked what he meant. To which the postman replied: ‘Well, you’re moving, aren’t you? We’ve had a forwarding request down at the office’. Unbeknown to them, their identity had been stolen and their house sold from underneath them. It might sound implausible, but it can – and has – happened.
Translate that into the digital world and the stakes are significantly upped. We have so many different profiles that it can be hard to keep track of them all. This creates a window of opportunity for someone with malicious intent to capitalise on. Whilst your CVC number might not have been stolen, what are you most concerned about – that (where in the majority of cases the banks have processes in place to recoup your losses) or your Facebook login being stolen? For a lot of people it would most definitely be the latter. Our social profile is in many ways the set of virtual keys to our lives.
These are just a few examples of how the information deemed OK to lose can be used and abused by those that manage to get their hands on it. When it comes to our data there shouldn’t be two tiers of protection; all data should be protected equally and with the same level of diligence.
This might seem idealistic. After all, you could argue that if a hacker has attacked and made off with personal data – which I have made the case for being extremely valuable – will they come back? Yes. Of course they will. It is naïve to think otherwise.
As breaches become more commonplace, it is becoming clear that there is a lack of governance around data security. Target was warned about a potential breach by one of its security vendor’s systems, but ignored it until the US Government informed it about suspicious traffic leaving its network. It was a similar scenario with Home Depot. And eBay’s latest redirect attack required the BBC to apply the pressure in order for anything to happen.
The bigger issue here is trust. Online giants such as Amazon, eBay and Spotify exist and make money not just because they had a neat idea, but because we deem them trustworthy to transact with. We trust them with a huge variety of data.
We also trust them to keep it safe. This is a duty that should be taken seriously. The information we share with these companies isn’t theirs; it’s ours. They have a responsibility to be more rigorous and proactive because no matter what they might think, no data is OK to lose.
Charles Sweeney is CEO of Bloxx