Data Breaches – what’s the risk to you?

You probably keep hearing about data breaches. For example the AIB customer data breach that came out today, or the recent Equifax data breach in the US (it’s only for Americans, so not your problem – or is it?). I even talked about the Swedish Government’s serious breach that happened back in 2015, which was only discovered earlier this year. So this is something that happens … a LOT! However, you may not have given any thought to what the risk is to you if your personal data is breached.

So what’s the problem with data breaches?

There are data breaches happening all the time. Every day I see a post from BreachAware on Twitter which reads:

Security Notice: x leaked credentials found within the last 24 hours.

Where x is some number, usually in the tens of thousands (although, happily, on 21st July this year it reported zero breached accounts). A lot of these breaches occur in the US and the larger countries of the world, and in some cases very significant personal data has been breached.

OK, so the world didn’t end when 500m Yahoo! e-mail accounts were breached. Neither did the apocalypse loom when a further 1,000m Yahoo! accounts were breached. These were massive breaches of certain types of personal data: names, addresses, mobile phone numbers, e-mail addresses, dates of birth. Significant pieces of data, but maybe not quite enough to hurt you on their own.

However, in 2015 the US Office of Personnel Management (OPM) announced a significant data breach with an estimated 21.5m records stolen. OPM is the agency that manages the US federal civil service, and some of the data breached were the background checks on federal employees, which can contain very sensitive information. So now there’s a load of government workers whose names, addresses, social security numbers, dates of birth, e-mail addresses, telephone numbers, security clearances, etc. are out there, along with details of the relatives named in their background checks.

Now we come to the Equifax breach, which has recently surfaced. Equifax is a US consumer credit bureau, one of the big four along with Innovis, TransUnion and Experian (who suffered their own breach in 2015). The data compromised includes names, addresses, social security numbers and birth dates for 143 million Americans, and Equifax holds the credit history and score of each of those people. The breach has been handled so atrociously by Equifax that it has become comedic in nature, but I won’t go into that here. Maybe a later post.

OK, these individual data breaches are terrible. But what’s the big deal?

One thing attackers are good at is finding out lots of information about people and tying it together. They may have a specific target in mind; they then correlate as much information as possible about a particular company and its personnel. I have surprised some people by showing them how much information is available on them using legal sources. Imagine what I could find with illegal sources.

Up to this point you are probably imagining an individual hacker in a bedroom, with lots of data spread across lots of monitors. Now re-imagine this as an open-plan office in a building belonging to the intelligence services of a nation state. Think GCHQ in the UK or the Russian FSB (successor to the KGB), etc. It is these that we should be concerned with too, as they have the resources and discipline required to exploit these breaches.

With the massive treasure trove of data from just the OPM breach and the Equifax breach tied together, they have some serious intelligence right there.

They will be able to search the Equifax data for people with poor credit ratings, then check whether any of them appear in the OPM data as government employees working in or close to sensitive areas. If they find some, they might try to subvert them because of their precarious financial situation and turn them into unwilling spies.
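To make the “tying together” concrete, here is an added example in Python (not part of the original post) that links two constructed dumps, one shaped like a personnel/background-check record set and one shaped like a credit-bureau record set, and then applies an assumed targeting rule. The record contents, field names and the score threshold are made up for illustration. The point it shows is that two datasets that share even one identifier join trivially, and that scrubbing the obvious key (the SSN) from one side does not stop the join when name plus date of birth survive on both sides.

```python
"""Record linkage across two breach dumps (added example, constructed data).

Everything below is made up: the records, the field names and the
targeting threshold are assumptions for illustration only.
"""
import re

# Constructed sample: what a personnel / background-check dump might contain.
PERSONNEL = [
    {"name": "Jane Q. Public", "dob": "1975-03-02", "ssn": "123-45-6789",
     "agency": "Dept of Energy", "clearance": "TS"},
    {"name": "John Smith", "dob": "1980-11-30", "ssn": "987-65-4321",
     "agency": "Postal Service", "clearance": None},
    {"name": "Maria Lopez", "dob": "1968-07-14", "ssn": "222-33-4444",
     "agency": "Dept of Defense", "clearance": "S"},
]

# Constructed sample: what a credit-bureau dump might contain. The same
# identifiers are formatted differently (no dashes, MM/DD/YYYY, LAST, FIRST),
# which is the usual state of real dumps and why normalisation matters.
CREDIT = [
    {"full_name": "PUBLIC, JANE", "birth": "03/02/1975", "ssn": "123456789", "score": 540},
    {"full_name": "SMITH, JOHN", "birth": "11/30/1980", "ssn": "987654321", "score": 720},
    {"full_name": "LOPEZ, MARIA", "birth": "07/14/1968", "ssn": "222334444", "score": 590},
    {"full_name": "DOE, JANE", "birth": "03/02/1975", "ssn": "111223333", "score": 500},
]


def norm_ssn(ssn):
    """Keep digits only, so '123-45-6789' and '123456789' compare equal."""
    return re.sub(r"\D", "", ssn or "")


def norm_dob(dob):
    """Return YYYY-MM-DD for either 'YYYY-MM-DD' or 'MM/DD/YYYY' input."""
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", dob)
    if m:
        mm, dd, yyyy = m.groups()
        return f"{yyyy}-{mm}-{dd}"
    return dob


def norm_name(name):
    """Reduce 'Jane Q. Public' and 'PUBLIC, JANE' to the same (first, last) key."""
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
    else:
        parts = name.split()
        first, last = parts[0], parts[-1]
    return (first.lower(), last.lower())


def link_records(personnel, credit):
    """Join the two dumps: on SSN when both sides have one, else on name + DOB."""
    by_ssn = {norm_ssn(c["ssn"]): c for c in credit if norm_ssn(c["ssn"])}
    by_name_dob = {(norm_name(c["full_name"]), norm_dob(c["birth"])): c for c in credit}
    linked = []
    for p in personnel:
        c = by_ssn.get(norm_ssn(p["ssn"]))
        if c is None:
            # Fallback key: a redacted SSN does not save you if name and DOB match.
            c = by_name_dob.get((norm_name(p["name"]), norm_dob(p["dob"])))
        if c is not None:
            linked.append({**p, "score": c["score"]})
    return linked


def flag_targets(linked, max_score=600):
    """Assumed targeting rule: cleared personnel whose credit score is below max_score."""
    return sorted(r["name"] for r in linked if r["clearance"] and r["score"] < max_score)


if __name__ == "__main__":
    print("Full join:", flag_targets(link_records(PERSONNEL, CREDIT)))
    # Same join with the SSN scrubbed from the personnel side.
    redacted = [dict(p, ssn="XXX-XX-XXXX") for p in PERSONNEL]
    print("SSN redacted:", flag_targets(link_records(redacted, CREDIT)))
```

Both runs flag the same two people. The same join is what a defender should run against their own holdings before deciding which fields are “just contact details”: any field that links records across datasets is a key, and needs the same protection as the fields everyone already calls sensitive.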

That’s all foreign. We’ve nothing to worry about here.

Maybe we do. You will have heard all the fuss about the Public Services Card (#PSC) recently. Most of the coverage was focusing on it being a National ID card and whether there was proper legislation in place to support it. I was always more concerned about the connecting of data: the concentration and interlinking of all of this personal data makes it a juicy target for the bad guys. We still have no clear picture of:

  • how the personal data associated with the PSC is stored
  • who has access to it and why
  • what purposes it is being used for

I really hope the Data Protection Commissioner gets a proper response from the Department of Social Protection which puts these concerns to bed. But the mess made thus far by the civil service and politicians has made me cynical.

Let’s be careful out there.