How are breaches published in the media?

Often we stumble upon news describing millions of users being exposed from social media platforms, open databases, or even governmental agencies. At the moment that information becomes public, the size and reach of the breaches are just estimations, as well the time they had the data exposed¹. The general feedback that I get from people worried about their data safety is related to privacy and money. If personal documents or credit card numbers are involved in the cases mentioned above, more attention comes from the public. The number of incidents is getting so frequent that it seems we are experiencing a kind of fatigue related to data breaches. Its numbing effects are even in the markets. After a couple of quarters, some C-level heads rolled and embarrassing public communications; investors get back the attention to profitability and other performance metrics. Even after compromising critical information, life goes on for the business. “Sorry, but now we are going to improve our services.” Insurance and legal battles take care of the rest².

What happens with the stolen data?

The motivation to break into a system is mostly for extortion or misuse, aiming for financial benefit. As soon as an organization recognizes the vulnerability, the stolen data becomes a clear proof of a crime and a kind of toxic material for criminals. The illegally-gathered information on the beginning is used by the people involved in the attack. But after some time, the breached data can pass through different hands while it becomes more popular and decrease its value in the black market. More copies, less value.

What kind of information about myself can it be out there?

The problem we are facing now is that these breaches are getting so popular that they are even available for free. I just came across a password and email dump of 1 BILLION records, all in plain text³. We have some tools to check if our credentials and networks are involved in public leaks. We rarely dig on the Internet to check on every incident and less likely to understand how we were exposed. In the best-case scenario, the company that had the issue communicate users on how their private data was disclosed. Of course, we rarely see these messages and warnings. Most of the companies have just a discrete public note after clear proof of the incident. Typically, the breaches involve name, email, passwords (encrypted or not), date of birth, physical addresses, and phone numbers. Social media profiles associations are also becoming more popular.

Don’t recycle passwords

As mentioned above, this stolen data loses its value in the black market as time passes by. It is hard to keep track of what kind of information we give every time we subscribe to a service. After being aware of our involvement in data breaches, a must-do is to change our password for that service. I won’t get into the details of how we use minimal effort to change passwords when needed or the convenience of reusing the same password for different logins. The main point here is, the chance is that one breach involving you is available out there in plain text is a reality. That password is not good anymore, anywhere.

From individuals to companies, the long-tail effect

Many people would say that they have nothing to hide, and therefore, the leaked information is not that critical. We forget that all our online information is interconnected. From one email (corporate or personal), I can guess or find other electronic addresses under the same identity. With one name, I can search for every partial or public profile on any platform. The critical link here is with one email and password; there is a broad range of places that an attacker could try to take over. In every step, more critical information can be raised, and higher is the risk that your private messages/data can be accessed. From blackmail to impersonation, different threats can be used against you or over your network.

Others’ business data breaches are your business

The biggest issue with companies is that they move way more money than individuals and also carry large important information in their servers. If one person affected by a data breach can be endangered, how about dozens of people from the same company being exposed? The risks of finding one illegal way into business’ data (and money) through several employees are much higher compared to an attack aiming only technical vulnerabilities of a corporate infrastructure. It is like having the key’s house of many employees. Why should criminals bother to break into the company’s door?

How companies react to this new reality?

After coming across to easy access to breaches’ data and knowing that people keep reusing passwords, companies should work to monitor critical information available from their employees. It is not hard to find how many people from the same domain are exposed. I am researching the biggest companies in Finland to check how many of their executives and employees were involved in data breaches. I will notify those companies and try to understand how CEOs are handling this issue.