How hackers could end the era of big data collection


When it comes to the security of our personal information, 2015 may be the worst year on record.

As of Dec. 29, according to a running tally kept by the Identity Theft Resource Center, the past year saw 780 data breaches at American corporations, government agencies, and nonprofits.

While not all of these breaches represented a definite case of nefarious activity, that number is an all-time high. More than 177 million individual personal records were exposed in one way or another. The ITRC only collects records for the United States, which has a population of around 319 million.

To top it off, these figures only include data breaches that organizations recognized and, in some manner, made public. They don’t account for all the sketchy malware-filled attachments people opened in the privacy of their own homes.

Stop and think about that for a moment.

Some of these breaches you’ve likely heard about. When hackers publicly released the information of millions of users of the adultery-themed dating site Ashley Madison, it made international news. However, it probably slipped under your radar when hackers compromised the data of customers who shopped at online at the American arm of the trendy, minimalist housewares company Muji. And you likely didn’t notice when the servers of the textile manufacturer Knit-Rite were infected with a virus designed to capture the personal and credit card information of an unknown number of users.

Of course, the main thing that makes data breaches matter is the data itself. As such, these data breaches, while often dangerous and damaging to Americans’ identities and finances, have sparked a surprising long-term effect: They will ultimately protect your privacy.

• • •

Inside the cybersecurity industry—that is to say, the people who periodically wake up in a cold sweat worrying about the consequences of the next Ashley Madison-style dataclysm happening on their watch—there’s been a growing realization: The big data revolution promised by the dual innovations of massive computing power and cheap, nearly unlimited storage capacity has a dark side. Each piece of personal data collected from a user or employee and then stored for safekeeping also has the risk of eventually being stolen.

As Sam Pfeifle, publications director at the privacy organization International Association of Privacy Professionals, notes, 2015 saw organizations accepting the conclusion that, in many ways, keeping 100 percent of their information safe 100 percent of the time is a losing battle. Instead, the way to manage the potential liability incurred from a data breach is not to collect the most dangerous pieces of data in the first place.

“Privacy is this really hard thing to pin down,” Pfeifle told the Kernel. “It’s different culturally, it’s different from person to person. … Some people are exhibitionists, some people don’t care if the NSA is spying on them. But, for everybody, there is some thing that hits home. I think the nature of the breaches this year has started to make it hit home as a real issue for a lot more people.”

Not all personal information is created equal. When brick-and-mortar retailers Target and Home Depot were hacked in 2014, the attacks were major events that cost the companies both cash and reputation. Yet, for most customers affected by those breaches, the negative repercussions were minimal.

If an identity thief steals your credit card number, it’s probably not going to be an enormous inconvenience. The credit card company notices a suspicious purchase, sends you a message asking whether or not it was legitimate, and you tell them yes or no. Either way, the financial institution likely won’t require you to pay the cost of any fraudulent purchases because a certain level of losses from fraud are built into their business models.

The big data revolution promised by the the dual innovations of massive computing power and cheap, nearly unlimited storage capacity has a dark side.

However, when hackers accessed the records of some 21.5 million current and former federal employees and government contractors by infiltrating the computer systems of the Office of Personnel Management, which essentially functions as the federal government’s HR department, it was another story entirely. Since OPM handles government background checks, much of the data it held was extremely intimate: names, current and former addresses, Social Security numbers, employment history, fingerprints, and much more.

The OPM hackers are believed to be from China, although Beijing officials have denied the attack was state-sponsored. Nevertheless, the CIA reportedly pulled its agents from the U.S. embassy in the Chinese capital as a precaution.

The OPM hack was a wake-up call for the entire tech sector. In the hands of an identity thief, that level of detailed information is essentially a license to print money at someone else’s expense. Armed with the data from the OPM hack, a criminal could do everything from taking out fraudulent loans in the victim’s name to using their identity to obtain free medical care or prescription drugs to filing their tax return and stealing the refund.

“When storage first started to get cheap, everybody was gleeful. They could collect all this information, store it forever, and then figure out how to use it later,” said Pfeifle. “Now, you look at that OPM breach, some of that data was from employees who haven’t worked [for the federal government] in years and years and years. That should be been deleted unless it was absolutely necessary.”

The concept is here is called data minimization—organizations thinking critically about what data they absolutely need to collect and what carries a significant enough risk that having it on their servers may ultimately be more trouble than it’s worth.

“When you’re doing some marketing campaign or a hiring for a job, are you deleting all those résumés after the fact? Are you asking for their occupation for a good reason? You never know what data might start getting really personal and might make you subject to some sort of liability,” Pfeifle said. “This concept of data minimization is starting to become much more commonplace in corporate America. Whereas, it used to be, that big data was always viewed as an asset. Now, you better have a good reason for how you’re going to monetize that data, or else it’s going to bite you in the butt.”

Read the full article here

Credit: The Kernel