Breaches aren’t simply security failures; they’re the inevitable result of a broken identity system

Recently a woman asked Tinder for her data (every European citizen is allowed to do so under EU data protection law, yet very few actually do), and it sent her 800 pages of her secrets.

“The dating app knows me better than I do, but these reams of intimate information are just the tip of the iceberg. What if my data is hacked – or sold?”

Some 800 pages came back containing information such as her Facebook “likes”, her photos from Instagram (even after she deleted the associated account), her education, the age-rank of men she was interested in, how many times she connected, when and where every online conversation with every single one of her matches happened.

Several weeks ago, Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months.

A bombshell report revealed that Deloitte was hit by a major cyber attack (a major part of Deloitte’s business is selling cyber security) that compromised its email system and certain client records. The full extent of the hacking episode isn’t clear. The firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.” Other sources claimed the hackers accessed the entirety of the firm’s internal email database and all administrative accounts. It appears the hackers transferred or copied a significant amount of that confidential data and had free rein in the network for “a long time”, and that the company still does not know exactly how much data was taken in total.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte has a “CyberIntelligence Centre” to provide clients with “round-the-clock business focussed operational security”.

This month saw the biggest public breach in the history of credit reporting, as Equifax reported a hack affecting as many as 143 million customers. The hack exposed Social Security numbers, birthdays, and, in some cases, even credit cards. The attackers gained access as early as May, so the data has now been circulating for months.

Beyond the immediate damage, the breach reveals some deep absurdities in Equifax’s business model. The company was one of the central stores of personal data, the place you checked to make sure you weren’t writing a mortgage to an impostor. But now the impostors have the same data as everyone else. If you can’t keep it secure, why stockpile the data in the first place?

In June, Deep Root Analytics, a marketing company working for the Republican National Committee, accidentally left sensitive personal details of almost 62 per cent of the US population exposed – reportedly the largest breach of electoral data in the US to date. Along with information on about 200 million US citizens’ home addresses, birthdates, phone numbers and political views, the information also included analyses used by political groups to predict where individual voters fall on controversial issues such as gun ownership, stem cell research and the right to an abortion. “This is deeply troubling. This is not just sensitive, it’s intimate information, predictions about people’s behaviour, opinions and beliefs that people have never decided to disclose to anyone,” Privacy International’s policy officer Frederike Kaltheuner told BBC News.

In July, the personal data of 6 million Verizon customers was leaked. Chris Vickery, the researcher at UpGuard, told CNN that the data were exposed by NICE Systems, a company based in Israel that Verizon was working with to facilitate customer service calls.

In the same month, Sweden accidentally leaked personal details of nearly all its citizens. The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of the Swedish air force, members of the military’s most secretive units, police suspects and people under the witness relocation programme, as well as the weight capacity of all roads and bridges, and much more.

Swedish media reported a massive data breach at the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of private data about every vehicle in the country, including those used by both police and military.

Two weeks ago, WeChat confirmed that it makes all private user data available to the Chinese government. With over 662 million users, the app, besides being the dominant messaging app in China, is one of the largest in the world. A 2016 survey by Amnesty International ranked it lowest among popular messaging apps with regard to privacy protection of its users. It became evident that nearly all the private data in the app is accessible to the Chinese regime.

Several days ago, a rental appliance company suffered a massive data breach that leaked tens of thousands of Australian private customers’ records online, including identification documents, Centrelink records and financial information. Amazing Rentals – a company leasing televisions, fridges and other household goods – was last week revealed to have published 26,000 personal documents involving 4,000 customers on the internet.

In this context, Akim Arhipov, CEO of BAASIS ID, a blockchain-based digital KYC solution and the recent winner of the Slush Singapore startup battle, told me about the success of their proposal for the market:

Our main target is to teach individuals to take care of their digital presence and personal data sharing. I assume you will never know how many times you log in to third-party applications using the Facebook authentication method? What did you agree to last time, not reading the Terms & Conditions and simply ticking a confirmation box? A terrible treatment of data, caused not by systemic errors, but mostly by human factors, like sending sensitive data by unencrypted e-mail. I want to impart the beginning of a “personal data sharing literacy” age, where every piece of personal information is controlled by the individual, not a company.

“Big data is like teenage sex: everyone talks about it, nobody really knows how to do it, everyone else is doing it, so everyone claims they are doing it. Admittedly, ‘blockchain world’ and ‘big data’ are two phrases that are about as buzzy as you can find in the modern business world. But that’s no reason to dismiss either one,” Vladislav Solodkiy wrote in his new book The First Fintech Bank’s Arrival.

Data is the new money, and data — like money before it — is only valuable if it’s being shared and rehypothecated through the wider network. Furthermore, we put our data into the safekeeping of cloud custodians for precisely the same reasons we put our money into the charge of banks: security, liquidity and utility maximisation.

In Identity is the New Money, Dave Birch, a founding director of the specialist consultancy Consult Hyperion, lays out the extraordinary change in how we think about both identity and money that new technologies — especially mobile phones — are making possible.

We need intermediaries to manage, and money is one of them. If, however, technology gives us back that shared memory, then we don’t need intermediaries to enable transactions. It becomes what some people call a “reputation economy”.

And this reputation can be broken if we can’t create new, technologically advanced solutions to keep our personal data really safe.

Some experts, like Akim Arhipov from BAASIS ID, will tell you we should put it all on a blockchain, decentralising the system and querying discrete pieces of information as needed. But all these breaches should wake us up to how fundamentally broken this system is, and how urgently we need to replace it. Breaches aren’t simply security failures; they’re the inevitable result of a broken identity system. There are so many innovative new technologies, yet so few real innovations from old players.


The post Who is next after Deloitte and Equifax to leak your personal data? appeared first on e27.