I try not to go off on security rants in the newsletter, but this week I’m unable to hold back. An apparent breach of a data aggregator has resulted in a monster dataset of US, UK, and Canadian citizens names, addresses, and social security numbers. As a number of reports have pointed out, the three billion records in the breach likely contain duplicate individuals, because they include all the addresses where you’ve lived, and there have only been on the order of 450 million US social security numbers issued anyway.
But here’s the deal. Each of these data aggregators, and each of the other companies that keep tons of data on you, are ticking time bombs. Maybe not every one of them gets breached, but there’s certainly enough incentive for the bad guys to try to do so. (They are looking to sell the NPD dataset mentioned above for $3.5 million.)
My gut feeling is that eventually all of the information on everyone will be released. Maybe then it will cease to be interesting to new crops of crooks, because there’s nothing new to learn.
On the other hand, the sheer quantity of identity thefts that this, and future breaches, will unleash on us all is mind-boggling. In the case of legitimate data aggregators like this one, requesting to have had your data out of their dataset appears to have been a viable defense. But for every one legit operator, there are others that simply track you. When they get hacked, you lose.
This breach is likely going to end in a large lawsuit against the company in question, but it almost certainly won’t be big enough to cover the damage to everyone in the affected countries. Is it time that companies that hold large datasets will have to realize that the data is a liability as well as an asset?
Maybe they can hide the data?
https://thecyberguild.org/blog-posts/invisible-data-raise-the-bar-on-the-cyberspace-attacker/
That seems like a technical “solution” to a human/social problem. How about not allowing the collection of the data in the first place if it’s not required for the job. And not allowing keeping the data unless absolutely necessary.
And finally requiring personal C-suite-level criminal liability for bone-headed mistakes, “business” decisions, and behaviors. Don’t pass the buck for bad business decisions to some programmer who wasn’t given the resources to successfully implement a complex/inefficient/ineffective technical solution.
If I’m as dumb as some of these companies and bad things happen, then I’m incarcerated or bankrupt. But if a company’s policies does it, at worst it’s a fine or some CEO loses a job. I’d love a framework where the past CEO/CSO/CIO/CFO goes to (real) jail or pays back 100%+ of all income they ever made at the company. Or their and the board’s financial stake is distributed the employees before the company is sold for scrap. If companies are people, treat their decisions equally.
That said your idea of ‘not allowing’ such things is never really going to work, there is too much power and money in knowing, being able to study trends, target your product advert etc. And yet it would be nearly impossible to prove from outside its genuinely from collected data that wasn’t ‘absolutely necessary’ (even if its obvious from the outside where is the proof) – So even if its entirely illegal they will find a way to use the data with nobody ‘officially’ knowing or on the hook for it…
How about not have the data in the first place. There is no legit reason (marketing, and sales are not legit reasons) to maintain my personal information without my consent.
Background check companies can actually do their jobs instead of maintaining a database as well.
Even worse nothing happens to these companies that accumulate information and then lose it. Experian anyone? Heck the damn military has leaked my information TWICE and I have been out of service for 6 years at this point.
I am really tired of it. Same with the Flock cameras, biometrics at airports, all new passport photos are being used for biometrics. Stop spying on me.
There is a simple fix, just require that everyone who stores your data and that data is stolen is required to pay every person $325.
This happened to me, there was a data breach, the settlement was $325. Of course then they started making up arbitrary requirements like you had to submit proof of something or other, then there was another thing, then it just all quietly went away after proper application of hookers and cocaine.
But the idea is simple and would be stunningly effective.
I suspect if something like this happened, the company would just declare bankruptcy, all the other debtors before anyone affected would get payouts, and the people running the company would just start a new business doing the same thing. It’s a mess.
But I like the idea – maybe even require companies to get insurance against a breach. Then they’d have to work pretty hard to make the insurer happy, and it would guarantee the payout when it does happen (and it always happens)
That would be nice. It would buy an awesome dinner out if hackers cleaned us out.
An investment fund that we had some money in, outsourced their data management/security to a 3rd party… who got hacked.
Red faces, apologies, and they gave us a free two years of enhanced credit monitoring at CU. Whoopee… Fortunately, we’re not much of a target, but still…
The EU is on the right track. I hope that N America catches up.
It seems you may have omitted a few words in you post:\
“There is no legit reason (marketing, and sales are not legit reasons IN MY OPINION)… ”
THEY think marketing and sales ARE legit reasons (it’s how they make a living after all). If you don’t like it, work to install politicians that will stand up for your rights – stop voting for the same people that continue to look the other way or merely pay lip service to the privacy of individual citizens.
(I found it quite amusing this week when Congress got all bent out of shape because one of their own (Ex-congress woman, Tulsi Gabbard) was on a list of people the government keeps an eye on. How’s it feel, folks?)
Aside from the fact that govs, military, intelligence agencies all want the data, if the polity and its citizens all got on board with stricter privacy laws and penalties it’s too late for most of us now with our data already out there. Changes may safeguard future gens, but probably only for a short period of time before it’s the same-old, same-old sh!t again.
so stop voting. got it.
It’s not an opinion. It’s MY information, not theirs.
Perfect example: Classified information is property of the U.S. government, it doesn’t matter if it is leaked to the public, it still isn’t theirs.
Unfortunately, we give away our consent frequently: because we don’t realize it, because we (at the spur of the moment) think it’s worth it, or because it’s required to play. Heck, we even “allow” car manufacturers to collect data on our sex lives (and that of our passengers) as a requirement to purchase a new car (see https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/).
Obviously, this should all be illegal. But in addition to limiting data collection and sharing, we should be enabled to rescind permission.
And lets not forget those Arbitration Agreements that are always in there with the data mining consent, aka “sharing with our partners and affiliates”.
cough facebook/meta aka “Your Web Portal”.
Check your consent papers at your medical clinics.
They always have unnamed partners and affiliates.
If you doubt it happens, simply try asking who the partners are and see if you can get a –printed– up to date, list of –all of– them.
Ken Paxton, yeah that guy, is suing GM for their data collection
https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-sues-general-motors-unlawfully-collecting-drivers-private-data-and
Amen!
We need to make this kind of stuff illegal.
They’re putting pressure on gun manufacturers to have accountability for how their weapons are used, and the vast majority of guns are never used to harm people or stolen. (Not debating here the rights or wrongs of that approach, just raising it for comparison) –
These datasets are abusing us even when used as they intend them to be, and as you say, the majority will be stolen or leaked eventually. We need to hold them to account and stop them doing this.
Just make any dataset containing any data of a person paid per day to the person in question by the company behind the dataset.
Even $ 0.50 will do.
And if the data is stolen then de data is presumed stored forever.
Maybe a solution would be to make it legal to delete their data. These brokers never ask permission to arbitrarily gather it, maybe we should have the right to arbitrarily delete it. If their security isn’t up to scratch wiping it all rather than trying to sell it should be fair game.
I guess that means Im going to dispute any and every negative report on my credit file going forward.
i have a problem with companies, namely manufacturers of consumer tech products, using data mining as a side hustle. i should be able to buy products and use them without having to sign up for another damn account. they only seem to do this to farm personal data, as its usually an arbitrary gotcha that has no technical basis.
im also convinced that two factor, especially phone based two factor, is more about mining personal data than security. you do not need a second device for totp, and sms is know to be bad. you just need a system with good security settings. besides we all know that phones are literally the mark of the beast.
If people would exercise their rights given by data protection laws, data hoarders would no longer have an easy life. For example, the EU GDPR allows you to request information on data stored, how it is used, how it was acquired and of course the data itself. Also you can request the deletion of your data. An answer must be made within a month. This is a costly process for a data aggregator and even more costly if they lie or omit something. A high number of requests within a short timeframe could drive a data dealer out of business.
Any chance of someone setting up a proxy or pass-through system in a data rights protected country?
let’s see if a trip through the protected countrys wires (physically routed circuits ), might trigger a coverage under their rules.
Kind of a bit like how the data miners were crying the blues about not being able to operate in those countries, due to the rules applying in that case, even though the companys were US based?
Prison, lots and lots of prison.
Define legal standards including regular external audits, make it law that named responsible people have to either uphold the standards, or inform with whistle-blower protection, whence the liability would fall on the next levelof management or the company board as a whole: I would chuck in a guaranteed ten year salary compensation for anyone who came forward with evidence a company was breaking the law or forcing them to sign off on something unlawful, as compensation for losing their job as well as a really strong incentive for the higher ups not to do it.
Prison! Oh yeah, I’m totally for this one! Although as EB notes above, it should be for the CEOs, CTOs and upper management that design and implement these horrible and invasive policies and then cut corners on privacy and security that face the [lots and lots of] prison time. The poor underpaid overworked undertrained junior programmers trying to implement these policies so they can feed their families should also face some- but minimal- sanctions for agreeing to perform such an immoral job. Sometimes it may be better to starve.
It’s easy to tell a consumer “just call XYZ”. The problem is that there are hundreds.
Huge penalties are the only answer.
Now that we know breaches are common and almost easy. From this point in time, any company with even a minor beach should be fined $1000 per name or more.
It’s inexcusable for any enterprise to have such lax system that unauthorized people can get in.
There is no such thing as a “legitimate data aggregator” when it comes to personal data.
We are never told if breaches are due to software bugs – the sort reported in this column – and if so whether the software being used is up to date, or whether by incompetence. I suspect a lot of the latter.
There’s a difference?
Shutting down data aggregators will make it a lot harder for us stalkers.
💯 The only way to prevent data theft is not to have the data!
For starters, new SSNs issued to everyone affected, and make it dead easy to get a new SSN at will… or issue new, regularly. Make it a moving target. Change on every use. Static data is one thing, but what must be static, and what could be… something else entirely? Solvable problem with many ways to address various issues.
From an European viewpoint: stop using SSNs as an authenticator, this is silly.
I’m guessing nothing will be done about this – there’s too much money to be had. However when the government itself gets caught out (like for instance if the entirety of congress got their identities stolen as a result) they will RACE to get it fixed / outlawed!
You make the impossible assumption that congress is capable of actually recognizing the problem, then actually fixing it