Data breach vs. data misuse: Reducing business risk with good data tracking
Imagine this, and let’s face it, this isn't too hard: your personal data, including financial information, has been stolen in a major data breach. You’d be pretty worried. Unfortunately, this scenario plays out too often.
Some of the biggest breaches of all time have happened in the last few years, breaches that expose the personal and often highly sensitive data of countless millions of individuals. One example is the Capital One cyberattack, which exposed the data of over 106 million people, including names, addresses, dates of birth, credit scores, Social Security numbers and bank account details. And the situation is only getting worse. In the first half of 2020, 27 billion data records were exposed: double the number for the whole of 2019.
Data breaches are painful on a corporate and personal level. But some breaches are seen as less harmful than others, which raises two questions: is the real issue data misuse rather than the breach itself? And can an enterprise reduce its risk by tracking its data?
Data breach examples
To set the scene, here is a snapshot of data breaches in 2020.
Magellan Health (365,000)
April 2020 saw the health data of 365,000 patients exposed via an initial exfiltration attack followed by a ransomware infection.
Zoom credentials (500,000)
In April 2020, over half a million previously stolen Zoom passwords and other account details were up for sale in dark web forums.
Easyjet (9 million)
May of 2020 saw an external hack with the theft of personal and travel details of 9 million customers. The attack metrics are still under investigation.
Experian South Africa (24 million individuals and 800,000 businesses)
Personal details were exposed in a hack in August 2020. The metrics of the attack are not fully disclosed but it has been described as a social engineering attack.
Future crimes and data breaches
When data is breached, there is an expectation that legal repercussions will be brought against the offending company. These legal challenges are often class actions but can also be compounded by regulatory fines, such as those imposed under the GDPR or CCPA for non-compliance.
Several class actions in recent years show how data breach litigation is argued. A data breach suit typically rests on an allegation of “future harm”: harm, usually identity theft or financial loss, expected at some point in the future. However, courts do not always accept that material harm to the individual must follow from a breach.
This was the case in a recent action against the Sarrell Regional Dental Center for Public Health. The center had been a victim of a ransomware attack, affecting around 391,000 individuals. A class action brought by Lindsey Blahous against the company relied on past examples of data breaches and identity theft to evidence a future threat. The papers specify that:
“Plaintiffs do not allege any facts of actual theft (beyond alleged access) of their personal data and subsequent misuse of it — or even a specific future criminal intent to misuse it — by the ransomware perpetrators. Instead, Plaintiffs rely on data breach statistics generally to allege that they will suffer future harm specifically.”
The lawsuit was dismissed: the judge ruled against the class action because the plaintiffs could not show that the data had been used by cybercriminals to put victims’ identities at risk. The judge in the case, Austin Huffaker, wrote that "the extent and depth" of the breach remained "murky," and that there was no evidence showing "at least some plausible specific allegation of actual or likely misuse of data."
This is an important point of law. Proof of future harm is always complicated. However, data breach and identity theft statistics should provide, at least, a smoking gun as evidence that cyberattacks lead to damage at an individual level.
Reducing the risk of a data breach by keeping track of data
Damage to customers should never be an acceptable outcome. Even if a court rules that future harm is “not likely,” that is no reason to stop caring about data protection. But as we have seen, protecting data is complicated, and it is becoming harder still as the COVID-19 pandemic forces working from home, multiplying endpoints and stretching IT infrastructures to the limit.
Keeping track of data is where data protection starts. Knowing where data is at any point in its lifecycle gives an organization the information to determine risk, and in turn, understand the right security measures to put in place.
Data tracking policies should be part of a corporate defense strategy. Data tracking is a way to manage enterprise risk and belongs within a wider enterprise cybersecurity strategy and culture. A November 2019 McKinsey survey, “McKinsey on Risk,” asked security executives about their use of SaaS platforms. Respondents said they used several measures, including data usage tracking tools, to manage data security risks. Data tracking can confirm that no gaps are allowing exposure or malicious exfiltration.
It is worth noting that data security risks within a complex cloud ecosystem can also affect regulatory compliance. For example, under GDPR there is a right to be forgotten: an individual may request that a document containing their personal data be deleted. If that document is deleted from one place, but the organization has no knowledge of other instances of the same document and no synchronization system in place, the regulation has not been properly adhered to, and the surviving copies remain a security gap.
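The right-to-be-forgotten failure mode above, as an added illustration that is not from the original article: a toy data inventory records every store a document was copied to, so an erasure request can be honoured across all of them and then reconciled against the stores themselves to catch copies the inventory was never told about. The store names and the `customer-42` record are constructed sample data.

```python
"""Toy data inventory for tracking copies of a personal-data document.

Added illustration, not from the original article. In-memory "stores" stand in
for a CRM, a file share, an analytics export and a backup that was taken
out of band and never registered with the inventory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Inventory:
    # store name -> ids of documents actually held there
    stores: Dict[str, Set[str]] = field(default_factory=dict)
    # document id -> every store a copy was registered in
    locations: Dict[str, Set[str]] = field(default_factory=dict)

    def register(self, doc_id: str, store: str) -> None:
        """Record that a copy of doc_id now lives in store."""
        self.stores.setdefault(store, set()).add(doc_id)
        self.locations.setdefault(doc_id, set()).add(store)

    def copies_of(self, doc_id: str) -> Set[str]:
        """Every store the inventory knows holds a copy of doc_id."""
        return set(self.locations.get(doc_id, set()))

    def erase(self, doc_id: str) -> Dict[str, List[str]]:
        """Honour an erasure request across every tracked copy, then reconcile.

        Returns the stores wiped and any store that still holds a copy the
        inventory never knew about (the gap the article warns of).
        """
        tracked = self.copies_of(doc_id)
        for store in tracked:
            self.stores[store].discard(doc_id)
            self.locations[doc_id].discard(store)
        leftovers = [s for s, docs in self.stores.items() if doc_id in docs]
        return {"erased": sorted(tracked), "untracked_copies": sorted(leftovers)}


def naive_delete(inv: Inventory, doc_id: str, store: str) -> None:
    """Deleting from a single place only, leaving every other copy in place."""
    inv.stores[store].discard(doc_id)
    inv.locations[doc_id].discard(store)


def build_sample() -> Inventory:
    """Constructed sample: one customer record copied to three registered
    systems, plus a legacy backup the inventory was never told about."""
    inv = Inventory()
    for store in ("crm", "file_share", "analytics_export"):
        inv.register("customer-42", store)
    inv.stores.setdefault("legacy_backup", set()).add("customer-42")
    return inv
```

Running `build_sample()` and then `erase("customer-42")` reports `legacy_backup` under `untracked_copies`, which is exactly the copy a deletion from the CRM alone would never reach.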
Data tracking beyond a breach
Stolen data often ends up for sale on dark web sites; see the Zoom credential breach above as an example. Being able to see where data goes after a breach can help reduce the potential harm from that data.
A variety of services offer analytics and insights into dark web data stores and sales. These dark web monitoring services search for a company’s brand name alongside associated data offered for sale. A company can share these findings with law enforcement, and can alert affected customers so that they can change passwords, cancel credit cards and so on.
When data tracking goes bad
It is important to note that data tracking can itself be misused. This is true of consumer data used for marketing purposes, and data tracking has also been hotly debated in the case of COVID-19 trace-and-track apps across the world.
Mobile devices have consistently been shown to carry potential for harm when their data is tracked. One example was reported by the New York Times Privacy Project in the article “One Nation, Tracked.” Given access to a data set, the article’s researchers found “50 billion location pings from the phones of more than 12 million Americans.” The users’ mobile devices were automatically tracking their daily movements.
Conclusion: Harm by default?
A report from Javelin Research, “2020 Identity Fraud Report,” found that losses from identity fraud have increased by 15%, and that consumers are paying for this with a doubling of out-of-pocket costs. We need to remember that our customers are our bread and butter. The last thing any organization wants is to end up in costly court battles with them. Even a win such as that in the case against Sarrell Regional Dental Center for Public Health is a loss for everyone involved. The only winners in the data breach arena are the cybercriminals and fraudsters.
A data breach is data misuse, no matter how tenuous the connection between exposed data and individual harm. The bottom line taken by an organization should be the protection of data no matter what. None of us have crystal balls; we should assume harm by default.
2020 Mid Year Data Breach QuickView Report, RiskBased Security
One Nation, Tracked, The New York Times
Digital Data Tracking and Privacy: The Future Implications of COVID-19, SocialMediaToday
McKinsey on Risk, McKinsey & Company