A clear example is the result of a simple exercise: I went to the haveibeenpwned.com website to check if any of my email accounts have been breached. (The website is a large repository of email accounts that have appeared in known breaches. Great work and effort by Troy Hunt: https://www.troyhunt.com/ )
Discovering that my email addresses and passwords had been compromised was not a surprise; the database contains information on over 7.5B compromised accounts from 347 websites.
The surprise was seeing which services had exposed the information.
They are not the usual suspects like Home Depot, Marriott, Equifax, Blue Cross or others; they are organizations I did not recognize, which gained access to my account and profile information through direct business relationships, affiliation, aggregation or other methods, and which then exposed that information through a breach of their own.
The image below shows the three organizations that leaked the data and describes the information that each exposed.
There are many red flags to be gathered from these results; let's review some key ones:
A) Lack of transparency in user terms and conditions agreements
In many cases the privacy and security terms (see the sample above) allow an organization to share (or sell) data with affiliates, third-party vendors and many other organizations, who may then use it for other services, without the original organization “bearing any responsibility” for how it is used.
B) Aggregation of data
Organizations start from basic account information and then aggregate data from multiple sources to enrich the data set and increase its value, under the premise of improved performance or services. The image above is a sample of the text that informs the user that such activity may take place.
Trading in personal information is nothing new; the difference is the digitalization of the ecosystem, which, enabled by fast and interconnected technology rails, makes such aggregation and consolidation easy. The problem is the weak security postures that have exposed billions of data records and made them available on the internet.
The impact of this flow of information is felt by organizations and individuals alike: in the rise of sophisticated, behavior-driven phishing attacks that leverage known information about the target, and in increased identity theft through the creation of false profiles and accounts, among other methods.
Organizations and individuals must now be concerned about compromised data re-entering the supply chain and being used to make decisions. Only then will individuals understand the impact of data breaches, as the issue will move from the nuisance of changing passwords after a breach to the real-life impact that data-driven decisions will have on individuals trying to gain access to services or other products, limiting their access to innovation and services.