Personal data leakage

Metaratings
12 Jun 2015
00:00
Article

ITEM: "Hackers stole personnel data and Social Security numbers for every federal employee...the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees."

Hardly a week goes by without a dramatic announcement of data intrusion. A firm's attacked, a government website's defaced by hacktivists, a new malware package for Android phones is discovered "in the wild."

We've become frankly bored by news of cyberwrongs. The strategies change: the breach of US-based retailer Target (remember that?) involved malware planted on point-of-sale terminals – every swipe of a credit card was read straight out of the terminal's memory before it could be encrypted, and the bad guys later hauled the harvested magstripe data out in bulk.

But fire up the DDoS tools (like the wonderfully named Low Orbit Ion Cannon) and you get Sony-level disruption. That Japanese firm has been smacked, hacked and cracked like a cyberpiñata over the last decade, by everything from traffic floods to outright network intrusion. Those are blunt, high-volume attacks, but a recent scare – interrupting both a live press conference at the White House and a Congressional hearing – requires more creativity and greater skills.

The real problem: we experience all these security intrusions simultaneously. Our eyes are starting to glaze. We tend to shrug our shoulders, extend our selfie-sticks, and upload personal data by the gigabyte regardless.

Are we all burnt out on data intrusion? Has it faded to the background – a droning pattern of Bad Things Happening, relegated to the status of teens-in-trouble or pets-damaging-furniture?

Has it? We assume that Telecom Asia readers are savvy enough to set their own ringtones, yet everywhere we go, the Samsung default "dog-whistle" tone sounds with depressing regularity. If a smartphone user's not smart enough to change their ringtone (hint: it's really, really simple), how can they manage to safeguard their personal data?

Give me your passport number
How bad can it get? In March, The Guardian newspaper revealed that the Australian immigration department had disclosed the passport numbers and other details of attendees of the G20 summit. That's right: Obama, Putin, Merkel, Cameron, Xi, Abe, and others.

According to the Guardian, "an employee of the [Australian Immigration] agency inadvertently sent the passport numbers, visa details and other personal identifiers of all world leaders attending the summit to the organisers of the Asian Cup football tournament."

So far, we're in Fantasyland, right? Who of us has a spreadsheet with the dates of birth, passport numbers, and visa particulars of the world's most powerful executives? Perhaps we can relate better to the way in which the information was compromised.

"In an email sent to the [Australian privacy] commissioner's office, obtained under Australia’s freedom of information laws, the breach is attributed to an employee who mistakenly emailed a member of the local organising committee of the Asian Cup," said the Guardian article.

How on earth could such an error occur? "The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field," said the Guardian.

Now does THAT sound familiar? We've all said "Oops!" right after hitting the "send" key as an email flies to an incorrect destination or, worse yet, destinations. Ever sent a distribution list "in the clear", with every recipient in the To or Cc field rather than Bcc? You just exposed an entire batch of email addresses to at least some of the wrong people.
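Both mistakes described above (an autocompleted recipient outside the organisations a message is allowed to reach, and a bulk mailing that exposes every address via To/Cc) can be caught by a pre-send guard sitting in front of the mail gateway. The following is an added example, not tooling from the Australian immigration department or Microsoft Outlook; the domain allow-list, the passport-number pattern, the sensitivity markers, the threshold and the sample messages are all assumptions constructed for illustration.

```python
"""Pre-send guard for outbound email (added example, not the Australian
department's own control). It flags two failure modes:
  1. content that looks sensitive addressed to a domain outside the
     allow-list (the Outlook-autofill-picked-the-wrong-person case), and
  2. a bulk mailing with many external recipients visible in To/Cc
     instead of hidden in Bcc.
All domains, patterns and thresholds below are hypothetical."""

import re
from dataclasses import dataclass, field


@dataclass
class OutboundMessage:
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""
    body: str = ""
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


# Hypothetical policy: sensitive material may only leave the sender's own
# domain for these partner domains (e.g. the summit organisers).
ALLOWED_DOMAINS_FOR_SENSITIVE = {"border.example.gov.au", "summit.example.org"}

# More than this many external addresses visible in To/Cc triggers a warning.
BULK_THRESHOLD = 5

# Loose, illustrative pattern for passport-style identifiers: one or two
# letters followed by seven digits, or a bare nine-digit number.
PASSPORT_RE = re.compile(r"\b(?:[A-Z]{1,2}\d{7}|\d{9})\b")

# Subject-line markers a classification scheme might use (assumed).
SENSITIVE_MARKERS = ("[SENSITIVE]", "[PROTECTED]")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def looks_sensitive(msg: OutboundMessage) -> bool:
    """True if the subject carries a marker or any text/attachment contains
    something shaped like a passport number."""
    if any(marker in msg.subject.upper() for marker in SENSITIVE_MARKERS):
        return True
    text = "\n".join([msg.subject, msg.body, *msg.attachments.values()])
    return PASSPORT_RE.search(text) is not None


def check_outbound(msg: OutboundMessage) -> list:
    """Return a list of (severity, reason) findings; an empty list means
    the message may be sent as-is. 'block' findings should stop the send,
    'warn' findings should prompt the user."""
    findings = []
    sender_domain = domain_of(msg.sender)
    visible = [*msg.to, *msg.cc]

    # 1. Sensitive content going to a domain that is neither ours nor an
    #    approved partner: the misaddressed-autofill case.
    if looks_sensitive(msg):
        for addr in [*visible, *msg.bcc]:
            dom = domain_of(addr)
            if dom != sender_domain and dom not in ALLOWED_DOMAINS_FOR_SENSITIVE:
                findings.append(
                    ("block", f"sensitive content addressed to {addr} "
                              f"(domain {dom} not on allow-list)"))

    # 2. Many external recipients in To/Cc: every one of them sees every
    #    other address. Bcc would have kept the list private.
    external_visible = [a for a in visible if domain_of(a) != sender_domain]
    if len(external_visible) > BULK_THRESHOLD:
        findings.append(
            ("warn", f"{len(external_visible)} external addresses visible in "
                     f"To/Cc; move them to Bcc"))
    return findings


if __name__ == "__main__":
    # Constructed sample: autofill picked the football organisers instead of
    # the summit organisers, and the attachment carries passport numbers.
    misaddressed = OutboundMessage(
        sender="officer@border.example.gov.au",
        to=["organiser@asiancup.example.com"],
        subject="Delegation arrivals",
        attachments={"leaders.csv": "Name,Passport\nA. Leader,PA1234567\n"},
    )
    for severity, reason in check_outbound(misaddressed):
        print(severity.upper(), reason)
```

The guard is deliberately conservative in one direction only: a false "block" costs the sender a second look at the To field, whereas a missed one costs a notifiable breach. In practice the content check would hand off to the organisation's DLP classifier rather than a single regex, and the allow-list would be looked up per data classification rather than hard-coded.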

We've all done it. But you can bet that "[Redacted]" no longer uses the same computer at Australian Immigration.

Breach? What breach?
One of the more significant details: The breach happened in November 2014, and the immigration officer [who wrote the commissioner’s office email] then recommended that the world leaders not be made aware of the breach of their personal information, said the Guardian.

“Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach,” she wrote.

But the Guardian article says the recommendation not to disclose the breach to the world leaders may be at odds with privacy law in some of their countries. Britain, Germany and France all have different forms of mandatory data breach notification laws that require individuals affected by data breaches to be informed.

Cybersecurity tsunami
If all that's not enough, you've got "Fake mobile towers being used for spying in UK." You've got Microsoft and Adobe still patching their software on a regular basis. You've got Moscow-based antivirus firm Kaspersky Lab being hacked by malware dubbed 'Duqu 2.0' – CEO Eugene Kaspersky described it as "almost a mix of Alien, Terminator and Predator." ... "It spreads through the network pretending to be a system administrator," Kaspersky said. "It's almost not possible to see it, because there are no disk files created, no [Windows] Registry changes. It's invisible, very aggressive, very effective."

In the beginning were the script kiddies – seeking notoriety and lulz. Then there were credit-card thieves – seeking payoffs. Now, it seems, everyone from state-sponsored players to rogue operators is keen to snaffle up your data and bludgeon you with it.

There's no advice except the obvious: stay alert. Strong passwords, a different password for every site, don't click on links in unsolicited email, be vigilant. We are all one-person fortresses these days. Focus on what you can protect: your personal information. Just because governments and software firms are getting burned, don't burn out on yourself.
