Data & Breaches: The Dirty Secrets

Data Breaches & Cybersecurity: What next?

Scare Tactics

As I was searching for an important email, I ran across something that sent chills down my spine. The message: “Your data is being exploited. Click here now to see what sites may be exposing your information!” Yes, you all know the famous ‘identity monitors.’ They are hard to ignore in this day of cybersecurity breaches and sensationalism.

I am notified daily by this company of the ‘threats’ to my online identity. I am unsure where these companies fit into the law; I understand the concept of supply and demand. But companies such as this are capitalizing off of these breaches, creating a larger marketplace or drive for this information; while I could be incorrect, something seems amiss. To me, it is like having your cake and eating it too, and we all know how that generally ends: not well.

While I appreciate the heads-up, I am not keen on the idea of paying for a monitoring service that sees the need to send me these anxiety-inducing emails, then has me visit these malicious sites after it tells me they are exposing my information. Yes, since they are exposing my information, I am sure I will be perfectly safe venturing into their cyber lair. Of course, they are on the up and up, and my arsenal of encryption and firewalls will suffice, said no one ever.

Chicken v. Egg: Data Breach & Identity Protection

Perhaps this is a classic ‘which came first, the chicken or the egg?’ scenario. Have you ever looked at the information these companies tout? Most of it is inaccurate. I never thought to even check the validity until I was researching big data beneficence, AKA using big data for the betterment of society.

Yes, who knew big data could be leveraged for good? It has such an ominous reputation of Big Brother watching that the benefits are frequently overlooked. Mainly, big data is just that, BIG, which means it is less easily slanted and, according to the laws of, gulp, math, more accurate; the larger the sample, the more likely the information is accurate for the set. Yikes, I am having violent flashbacks to stats, but from what I recall it is defined as the law of large numbers.

In my research of the legal system, I discovered an entire niche that uses big data for Court & litigation reform. From value-based billing to analytics for change, I discovered that law, just like every industry, is rife with trends to improve. Enter the most innovative company using big data to fuel efficacy in litigation, Premonition Analytics. Premonition CIO Tony Unwin says it best, below. Mr. Unwin speaks candidly within the context of what information is actually known within publicly available records and the coordinating lack of interconnectedness within the Courts.

“When they ask you where you have lived in the last 5 years in a background check, it is because they do not know.”

It is clear from the information available on the ‘identity protection’ site that Mr. Unwin is perfectly correct.

For more information on parsing the cost of justice, visit Premonition.ai

Please, Don’t Breach Your Own Data:

Data is one of our precious commodities; please, do not voluntarily give yours away. We must stop believing that our information is known. It is easy to be fooled into correcting data. However, this is a derivative of phishing.

At one time I believed what the endless emails stated; I know, I drank that Kool-Aid. I admit I sheepishly paid for a membership. It was very much like the sham company that stated I had an infected computer, yet I had never had an issue. Coincidentally, after their tool popped up and ran on an autorun script, I had a record number of viruses. My computer was useless for weeks. I spent hours on the phone with Apple, who stated this was a growing problem and even offered a solution, Malwarebytes, a company I am endlessly indebted to for undoing the damage done.

Whether a fake virus or ‘identity protection,’ both of these sites use the same scare tactics, which is unappreciated. ID theft is not a laughing matter. I have written on my own personal experience recently with a well-known freelance site, the coordinating fraud that ensued, and the attempt at recovery, all through impersonated corporate messages. This is a nightmare to deal with: letters, wasted time, complaints, phone calls, phone calls, and more phone calls. Not for clients, but rather to deal with the fallout from this debacle. As most experiences inspire me, this led to research on what could be done to help others. See Cybersecurity: The New Face of Identity Fraud. Ironically, I was also taking my Cyberlaw course when it all came to a head, and thousands of dollars disappeared from my account. What I discovered through my research and analysis, coupled with class discussions, made me sick to my stomach. I am not alone. The Federal Trade Commission (FTC) has now opened up a small business resource to educate incubators, entrepreneurs, solopreneurs, and other small businesses about the latest trend in cybersecurity, where corporate espionage meets identity fraud.

Perhaps a New Perspective

This experience also caused me to look at things in a new way. Many times I have been inundated with these emails; they sound credible at first glance: “A new site is exposing your information, act now” or “5 new people checked out your background; find out now what private data they saw!” Prior to this I was like a little puppy. A poster child, if you will, of their key demographic: uninformed and vulnerable, AKA clueless. I instantly fell for their threatening call to action. I was the Cult-Like Pop Up Follower I discuss in my article Cybersecurity the Next Public Health Epidemic Part I.

My experience and those of my classmates inspired research on the matter to dig deeper and question the ethics of these companies. First of all, should I be scared into a membership? Does that sound like an ethical business model or does it lead to the hypothesis of a red flag signaling identity theft? Are they really out to help? If they were really out to help would they charge me a fee? Or conversely, would they report that information to the proper regulatory bodies? Are these companies abiding by the FTC regulations and complex state statutes? Is there a duty to inform regulatory entities; is sending the email signaling knowledge?

So let me get this straight, you are safeguarding me, you say my information is exposed, you are going to extort money from me to check my data, and make me go to the suspicious sites and will in turn alert me routinely? Yes, that makes perfect sense… in Never Never Land.

At first, it sounded logical, but wait, how is this company getting this data without seeking breached dark web information?

It is akin to the big, bad wolf becoming a housing inspector in Three Little Pig Land.

How do I know my information is even safe? Further, knowing what I now have learned about bots, worms, ransomware, and other malware, how do I know that going to these unethical sites to request they stop is not actually breaching my data?

Therein lies the quandary. This caused me to do more research, and what I found was more than a bit troublesome. While I tend not to be the corporations’ champion, but rather a social justice advocate, I smell a rat here.

Case Study Target Corporation: What They Knew When They Knew It, & What We Can Learn for the Future

First, it has been all over the news, and our class did a large analysis on the case. See my article entitled the same. In short, the corporation paid out exorbitant amounts of money for its actions. But what about those that are now profiting from this same breached data?

If Target had to pay out so substantially, and we have all these sites that warn of breaches, what is the due diligence of those entities? Should they be allowed to send anxiety-provoking emails, yet not retain a duty to inform the corresponding regulatory body? Again, is sending that email enough to create the implied duty? The Federal Trade Commission (FTC) offers some great resources for small businesses and consumers alike, such as Identity Theft Recovery Steps | IdentityTheft.gov.

Penny For Your Thoughts

Here is what I wrote in a comment on my ‘profile.’ I will not disclose the site until I determine if they are offering an explanation that perhaps I misunderstood; however, I am becoming more skeptical the deeper I delve into my privacy research.

I will wait for comment, yet at this time I do not see any differential policy addressing companies such as this. While I do not blame the creator/CEO who developed this niche, I do blame them for what I would refer to as propagating such. That is the entire point: we are creating the demand.

Question the Altruism

If you have questions or concerns about me, I invite you to visit my website, LulaEduBlog.Org/policy. You can message me there. Ask me any questions you like. You may also be interested in my cybersecurity articles and how to protect yourself from identity theft. I research and write about matters such as these.

I find it disconcerting that anyone would rely on information deemed Personally Identifiable Information (PII) and would further want to find information via websites that may or may not be involved in passing along information from a data breach.

Ethical Responsibility & Increasing the Demand:

What is the responsibility if this is obtained? If there is no market for this, then will data breaches decrease? I wonder how it is okay for Target Corporation to bear a consequence, but anyone profiting off of the same to be immune, not to mention welcome to continue the damages.

Less Than Transparent

If you are combing through “public” records to gain information, perhaps you are the one that lacks transparency. I am quite open and honest about anything. I am not perfect; I seek to learn from anything that did not go as planned. I call that the #silverlining. Some things are a matter of public record, but not all. Do you know the difference?

We as consumers do not yet retain the right to be forgotten in the U.S., though other countries do retain this right. One must question the legitimacy of such sites that require a membership to safeguard ‘your profile,’ and further offer information that may or may not be accurate and may or may not have been illegally obtained.

It is my hope that at some point it will be just as inappropriate to know that breached data is available and further capitalize off of that breach. If you read the latest about the data breaches, it has highlighted the vast differences between what is and is not considered a ‘breach,’ the coordinating variance between states, and reporting requirements that are complex, to say the least. At some point, will consumers and other businesses be responsible for continuing to propagate the crime, versus seeking to stop it and refusing to use the service that profits off of the crime?

Ahoy There Matey: ID Theft Compared to Piracy

In other words, if you purchase a pirated DVD and further use it to gain consideration of some type, tangible or not, are you now also a party to the act?

Where is this information parsed from? I did not know until taking my cyberlaw course that PII was so well defined. In terms of the ‘identity protector,’ before information is garnered from sites, what is the practice?

1. How is it marked as ‘ethically obtained?’
2. If it is breached data, is there liability when seeking to use it for your own personal gain?
3. Which state statute governs?
4. Once you have it, do you know how to destroy it based on regulation, of which there is plenty?

You may want to consult the National Conference of State Legislatures Security Breach Notification Laws, (NCSL.org) before you take that information and use it to your advantage. The FTC (Federal Trade Commission) also has many great resources.

Data Breaches Defined by State from NCSL:

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).
PLEASE NOTE: NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice.

Breaches are Ubiquitous: Did You Make the List?

This is an interactive interpretation that may be the most innovative use of data I have ever encountered. The data links back to the original story and is also available to download. The bubbles are interactive and representative of the quantity of data breached and the number of records. Each bubble has its own link to the original story. Are these breaches the source of these companies’ ‘warnings?’ Do they even know?

A database that actually gives you the details of which breaches your email was associated with, what was compromised, the level of the breach, and remedies, at no cost. This should be the next health risk assessment, one everyone checks yearly, if not more often.

As an aside, for every educator: I got the lovely news not from Edmodo, where I retain a teaching membership, but from this site, haveibeenpwned.com, that Edmodo had a data breach.

This is highly upsetting. Taken from the search by email.

This is how I found out I was in a data breach in May 2017; I spent the day securing my passwords and usernames.

The sophistication of botnets, DDoS, DoS, whaling, ransomware, spear phishing, and other malware is eerie. How do you not become a victim of a phishing attack yourself when visiting these sites?

This is a great article; the video is highly informative. It explains the nuances between hacktivists, script kiddies, and DDoS, among other characters and methods. My article on WannaCry has an outstanding selection of video clips to explain these concepts in simple, and even satirical, terms.

This 2016 article describes the 2012 LinkedIn breach:

Companies typically protect customer passwords by encrypting them. But at the time of the 2012 data breach, LinkedIn hadn’t added a pivotal layer of security that makes the jumbled text harder to decode.
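The “pivotal layer” the quoted article alludes to is a per-user random salt. The following is an added illustration, not code from the quoted article or from LinkedIn: without a salt, every user who picked the same password is stored as the same value, so one precomputed table of common passwords matches all of them at once; with a random salt and key stretching, equal passwords produce different stored values and each one has to be worked on separately. The weak scheme is assumed here to be a bare SHA-1 digest, which the quoted text does not name.

```python
# Added example (not from the quoted article): bare digest vs. salted, stretched digest.
# The weak scheme is assumed to be unsalted SHA-1; the quoted text does not name it.
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for this example


def unsalted_hash(password: str) -> str:
    """Weak scheme: identical passwords always yield identical stored values,
    so a single precomputed table of common passwords matches every account
    that chose one of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The missing layer: a random 16-byte per-user salt plus PBKDF2 stretching.
    Returns (salt, digest); both are stored alongside the account, neither is secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def same_password_same_record(scheme: str, password: str = "Summer2012!") -> bool:
    """Do two users who pick the same password end up with identical stored values?
    True for the unsalted scheme, False once each user gets their own salt."""
    if scheme == "unsalted":
        return unsalted_hash(password) == unsalted_hash(password)
    _, digest_a = salted_hash(password)
    _, digest_b = salted_hash(password)
    return digest_a == digest_b


if __name__ == "__main__":
    print("unsalted: identical records?", same_password_same_record("unsalted"))  # True
    print("salted:   identical records?", same_password_same_record("salted"))    # False
    salt, digest = salted_hash("correct horse battery staple")
    print("verify:", verify("correct horse battery staple", salt, digest))        # True
```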

In sum, it is up to us as consumers to remain proactive and vigilant to the threats a data breach can create.

Clapping shows how much you appreciated Jenny Balliet’s story.