Data breaches

15th March, 2014

Ah, data. Data data everywhere and not a drop to drink. Or something like that.

It is true that this blog has been featuring a higher than average number of postings concerning data: the rise of, the use of and the next stage of data. Data holds sway over our lives; it is the chosen career path for many individuals involved in this industry. And as such, it commands time. Hence my eagerness to continue covering an ever-evolving subject.

I recently read an interesting titbit of information – on Wikipedia, no less – that stated ‘a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.’ A whopping 227 million sensitive data incidents in just over 3 years, without considering the exponential growth in data collection we are now aware of. Throughout the last year many international companies have been compromised: Adobe, Ubisoft, Target, Apple, Blizzard, Steam, LinkedIn, Evernote, Facebook, Yahoo Japan, Scribd, Snapchat, Zappos – and these are just the technology companies. If we begin to factor in the numerous public source data leaks available to us (the NHS, various US state departments and several banking institutions), the range of leaks becomes an all-encompassing issue.

Of course, the sensitivity of the data released makes a significant difference in the renown of the release, as does the method of appropriation. When hackers such as AntiSec, LulzSec or Anonymous breach digital security protocol, the information was actively being sought, defences tested and, unfortunately, broken. The public can share in the disdain for black-hat hackers seeking their information, and the company at hand, whilst chastened, can point to the global uprising in compromised data. Conversely, when the breach is a result of an individual leaving their laptop on the 19.09 train to Sevenoaks, the public and those with vested interests are less likely to be appeased.

Of course there is reprisal. Those who have lost their data seek it returned, usually somewhat pointlessly. By now large companies should realise, like lessons taught to small children, that once it’s gone, it’s gone. We have seen but a handful of pan-Atlantic arrests through cooperative criminal investigations – Dmitriy Guzner, Chris Doyon, Christopher Weatherhead, Barrett Brown, the internationally recognised PFC Chelsea Manning, and the presumably permanently exiled Edward Snowden. These are the physical faces of data breaches emerging from different factions in the data race.

What strikes me, though, is the disparity in government punishment, or punitive punishment, for multi-billion-revenue companies who through one way or another see our data fall into criminal hands. I say punitive, as fines ranging from 50,000 USD or GBP even into millions are but a drop in the ocean to the massive funds available to each vendor – unlike public services such as the NHS, fined on the same scale with a fraction of the budget. Sometimes equality doesn’t equal fairer. Whilst public services cannot be exempt from recourse, perhaps the consequences meted out should include improved understanding and increased security infrastructure rather than removing from an already decreasing pot. Perhaps, in a gesture of community data breach spirit, the multinational technology companies found guilty of data mishandling could assist the public enterprises with their own data handling to deter future attempts at data theft. This is probably just wishful thinking on my part.

But as we see more and more companies beginning to take out cyber insurance policies to protect themselves when they do get breached, it is a clear indicator that many believe it is not if, but rather when, it will happen. So up to that point companies both public and private need to continue to educate employees and maintain security, heed advice offered by white-hat hackers on any exploit uncovered, and remain vigilant.

Incidentally, the number of individual data sets released by the technology companies mentioned above totals 265,642,232 – an increase of over 38 million in just one year. Hold on to your data, folks.