So what’s the problem with data breaches?

There are data breaches happening all the time. I see a post every day from BreachAware on twitter which indicate:

Security Notice: x leaked credentials found within the last 24 hours.

Where x is some number, usually in the tens of thousands (although happily on 21st July this year it reported zero breached accounts ?). A lot of these breaches occur in the US and larger countries of the world. In some cases there has been very significant personal data breached.

OK, so the world didn’t end when 500m Yahoo! e-mail accounts were breached. Neither did the apocalypse loom when a further 1,000m Yahoo! e-mail accounts were breached. These were massive breaches of certain types of personal data, e.g. Names, Addresses, mobile phone numbers, e-mail addresses, date-of-birth. Significant pieces of data, but maybe not quite enough to hurt you on their own.

However in 2015, the US Office of Personnel Management (OPM) announced a significant data breach with an estimated 21.5m records stolen. This is the agency that manages the US Civil Service. Some of the data breached were background checks on federal employees. There could be some very sensitive data in that. So now there’s a load of government workers whose names, addresses, social security numbers, dates-of-birth, e-mails, telephones, security clearances, etc. are out there. There will also be details on their relatives included in the background checks.

Now we come to the Equifax breach which has recently surfaced. Equifax are a US Consumer Credit Monitoring Bureau. They are one of the big 4, along with Innovis, Trans Union and Experian (who suffered their own breach in 2015). The data compromised includes names, addresses, social security numbers and birth dates on 143 million Americans. All of this also includes the victims credit rating/score. This breach has been handled so atrociously by Equifax that it has become comedic in nature, but I won’t go into that here. Maybe a later post. ?

OK, these individual data breaches are terrible. But what’s the big deal?

One thing that evil doing hackers are good at is finding out lots of information about people and tying it together. They may have a specific target in mind. They then correlate as much information as possible about a particular company and it’s personnel. I have surprised some people by showing them how much information is available on them using legal sources. Imagine what I could find with illegal sources.

Up to this point, you are probably imagining an individual hacker in a bedroom, with lots of data on stuff on lots of monitors. Now re-imagine this as an office environment, in a building with open plan office space, belonging to the intelligence services of a nation state. Think GCHQ in the UK or the Russian FSB (previously KGB), etc. It is these that we should be concerned with too, as they have the resources and discipline required to exploit these breaches.

With the massive treasure trove of data from just the OPM breach and the Equifax breach tied together, they have got some serious intelligence right there.

They will be able to search the Equifax database for people with poor credit ratings. Then they can see if any of them are government employees working in or close to sensitive areas. If they come across some, they might try to subvert them because of their precarious financial situation and turn them into unwilling spies.

That’s all foreign. We’ve nothing to worry about here.

Maybe we do. You will have heard all the fuss about the Public Services Card (#PSC) recently. Most of the coverage was focusing on it being a National ID card and whether there was proper legislation in place to support it. I was always more concerned about the connecting of data. The concentration of and interlinking of all of this personal data makes it a juicy target for the bad guys. We still have no clear picture of how the personal data associated with the PSC:

• is stored
• who has access to it and why
• what purposes is it being used for

I really hope the Data Protection Commissioner gets a proper response from the Department of Social Protection which puts these concerns to bed. But because of the mess that has been made thus far by the civil service and politicians, it has made me cynical. ?

Let’s be careful out there.

The post Data Breaches – what’s the risk to you? appeared first on L2 Cyber Security Solutions Ltd..

What’s is the PSC?

According to the Department of Social Protection (DSP):

The Public Services Card (PSC) helps you to access a range of public services easily. Your identity is fully authenticated when it is issued so you do not have to give the same information to multiple organisations.

They started being rolled out by the DSP in 2011 and were used for people claiming welfare benefits.

What’s all the fuss about so?

Well one issue is it’s usage is expanding and it’s causing concern to data privacy advocates. As you can see from the DSP website (linked above) the PSC is now being used for the following purposes:

• Access to Social Welfare Services (including Child Benefit and Treatment Benefits)
• First time adult passport applicants in the state
• Replacement of lost, stolen or damaged passports issued prior to January 2005, where the person is resident in the State.
• Citizenship applications
• Driver Theory Test Applicants
• Access to high value or personal online public services, e.g. Social Welfare and Revenue services, via MyGovId, the mechanism for accessing public services online.

They also indicate that the future plans for the PSC are as follows:

• September 2017 – School Transport Appeal
• November 2017 – Treatment Benefit (DSP)
• March 2018 – Driving License Application
• April 2018 – Student Grant Application (SUSI)
• Quarter 3 2018 – Proof of Age card
• September 2018 – School Grant Appeal, Online Health Portal and individual access to AgFood.ie
• Quarter 4 2018 – Passport Application

That’s a lot of services being supported by this one card. A big issue from the data privacy types, is that there is no indication that any proper Data Privacy Impact Assessment (DPIA) has been carried out to show that the government/civil service has given data protection any consideration in the roll-out of this card. If you recall my recent post about what happened in Sweden, when a government/civil service fails at data protection, people’s lives can be put in jeopardy.

Wait! What was that MyGovID thing?

Yeah! I hadn’t heard about this either until this story took off. According to the FAQs on it’s website:

MyGovID is an online identity service that enables the access of online public services in a safe and secure environment.

That sounds nice. Why haven’t we heard about this more? Has there been any discussion on this? I think I’ll be coming back to this one soon.

We have a Data Protection Commissioner. What have they being doing about it?

According to an article in the Irish Times:

In a statement, the Data Protection Commissioner said that while a framework to authenticate identity for individuals availing of State services was “an entirely legitimate government policy choice”, the means of communicating what data was being collected, for what purpose and with whom it may be shared needed to be adequately addressed.

“We have strongly conveyed our views on numerous occasions to the Department of Social Protection and in a number of other fora that there is a pressing need for updated, clearer and more detailed information to be communicated to the public and services users regarding the mandatory use of the PPSN and PSC for the provision of public services,” it said.

At least the DPC statement finished with something hopefully positive:

At this point, DPC has now secured D/SP agreement to publish a comprehensive FAQ, the questions for which the DPC has supplied, that would fully clarify all of the arrangements around the personal data collected for the PSC i.e. How it is secured?, Who can access it?, How it interfaces with the Single Customer View & MyGovID? How it will interface with the published General Scheme of the Data Sharing and Governance Bill? etc.

What I found most concerning in the Data Protection Commissioner statement was the following:

The DPC is also aware that the 2015 Comptroller and Auditor General Report on the PSC specifically asserted that:
“There is no single business case document for the PSC, setting out at a high level all of the information needed to get the project started (scope, justification, funding, roles and responsibilities), and which communicated this key information to the project’s stakeholders”

That sounds to me like a bunch of bureaucrats had gathered in a pub one night, having just finished launching the PSC for people claiming benefits from the DSP and one of them saying “Right. We’ve got this card out there. What else can we use it for?” and the others start shouting out “Drivers Licenses!”, “Passports!”, “Student Grants!” and then they write them down on a beer mat (coaster to my foreign followers) and head off to Coppers for the disco.

If you recall the other recent story I posted about, where a different state agency was looking to spy on tourists, I’d be really concerned about what the civil service is up to and linking all of these services to one single card can be dangerous.

But won’t linking all these services together improve efficiency?

Theoretically yes, if it’s done properly and securely. However the government/civil service is not well known for doing things properly and we have no idea if this is being done securely, because they are not telling us anything about how they are securing the thing.

So what are the risks?

This card is the central key to a growing number of government services. If they do not properly secure the personal data that is associated with this card, then evil doers may be able to compromise crucial and sensitive parts of your life.

I would liken it to your main e-mail account. The one that you use all the time and is associated with all of your online life (social media, online shopping, travel bookings, etc.). If you don’t use a unique and super strong password and two-factor authentication on this e-mail account, then if somebody gets access to your e-mail account they can compromise everything associated with it. They can find all other services that you registered with your e-mail account and take these over, changing those passwords by using the forgot password feature to send password resets the e-mail account they have just taken over.

So with the PSC, if the personal data isn’t properly secured, the bad guys could potentially interfere with your social welfare benefits or the application for a passport. We just don’t know how well secured it is.

OK, you’ve convinced me, I won’t get one so.

Well you might not have a choice. They say you don’t have to get one if you don’t want to, but you won’t be able to draw benefits from the Department of Social Protection. For example there was the case of the pensioner who refused to get the card, who has been prevented from claiming some €13,000 in pension payments over a period of 18 months.

The Road Safety Authority won’t let people apply for the driver theory test without one, so it is kinda becoming something that is mandatory. There is a whole debate going on as to whether its compulsory or mandatory and whether there is any supporting legislation for the card in the first place. I’ll leave that to the legal minds of this country.

Where to now?

I would certainly not like to see the PSC usage expand until they have answered the questions set out by the Data Protection Commissioner to their satisfaction.

I also would like to see the legal types among the privacy advocates being satisfied that there is good and proper legislation put into place to correctly support the use of this card. That’s probably going to be a bit of a stretch.

So for me it’s a wait and see. But I will be keeping a close watch on this.

The post PSC – What’s all the fuss about a little card? appeared first on L2 Cyber Security Solutions Ltd..