Do you know where your data is?
Complex and obscure data supply chains are making it difficult for users to understand where their data is captured, transacted and exposed.
A clear example is generated by a simple test — I went to the haveibeenpwned.com website to check if any of my email accounts have been breached.
The website is a large repository of all of the email accounts that have been breached. Great work and effort by Troy Hunt — https://www.troyhunt.com/
Discovering that the email and password have been compromised was not a surprise; the database contains information on over 7.5B accounts that have been compromised, representing 347 websites.
The surprise was to see the services that exposed the information. They are not the usual suspects, like Home Depot, Marriott, Equifax, Blue Cross or others… They are unrecognizable organizations that have gained access, either by direct business relationships, affiliation, aggregation or other methods, to my account and profile information, and due to a breach, that information has now been compromised.
The image below shows the three organizations that compromised the data and it also describes the information that they exposed.
There are many issues, but one of the key ones is the lack of transparency in user terms and conditions agreements, which in many cases enable organizations to use (or sell) data with affiliates, third-party vendors and many other organizations, and to use the data for other services, without “bearing any responsibility” for how it is used.
The second issue is the aggregation of data: organizations leverage basic account information and then aggregate data from multiple sources to enhance the data set and increase its value, under the premise of improved performance.
Transacting with personal information is nothing new. The difference is the digitalization of the ecosystem, which creates rapid technology rails for such aggregation and consolidation, and the lack of strong security postures, which has left billions of data records and information available on the web.
The impact of such a flow of information is felt by organizations and individuals through the rise of sophisticated phishing attacks driven by known information and behavior, through increased identity theft due to the creation of false profiles and accounts, or through spam and other methods.
But the greatest threat is when such compromised data reenters the supply chain and is used by individuals or organizations to make decisions.
Only then will individuals understand the impact of the data breaches, as the issue will move from being just the nuisance of changing passwords after a breach to the real-life impact that data-driven decisions will have on individuals trying to gain access to services or other products, limiting access to innovation and services.