On Data Breaches

With great connectivity comes great scams.

Internet Freedom Foundation
Digital Rights Dispatches
Feb 26, 2019

Hello, is it me you’re looking for?

You wouldn’t bare your heart to strangers, would you?

Yet every time you type in a query on Google to find out flu symptoms, or ask your Facebook friends about the newest gig in town, you do exactly that. This is where the paradox of privacy kicks in — you feel you are in control online (Pfanner, 2009), safely tucked away in a cocoon of anonymity, when in reality you are not.

You reassure yourself — it’s just the tech biggies, and they’ll do the right thing. Turns out, they won’t. Privacy and security are often, if not regularly, sacrificed at the altar of corporate profits. The bar — to disclose your information — is on a scale of low to none. Welcome to surveillance capitalism (Johnson, 2019).

So, your data leaks through an entire supply-chain funnel. Each actor in the chain has its own funnel, and the data leaks some more. In short, you have no idea where the data ends up. Or in whose hands. Or for what purpose. Remember, these are not discrete fragments of your digital life.

Every step you take

Our research shows tracking begins before you’re even born: with pregnancy trackers, mothers-to-be happily give out sensitive personal information to some very sketchy (from a privacy standpoint) shops. It takes less time today to register your newborn with a national ID than it would to whip up a bowl of Maggi (ANI, 2018). The jury is still out on how secure the entire process is. The super fun activity you picked up for your child — that too is probably leaking her data. And yours. Even a cross-continent effort can’t clean that mess up (Doe, 2019).

In the meantime, your child learns to browse, and visits Mattel or Hasbro to check on the coolest toys in town. Guess what legislators found? The very same toy makers snoop on kids. Very illegal, very uncool!

Schools (Vidyut, 2018) and universities are notoriously bad when it comes to data security. You could grab 1.5 million such data points for about a thousand dollars (Laha, 2017). Surely these are from lesser-known institutes, you ask? We found evidence of multiple IITs being hacked, and at least one IIM leaking data of both current and prospective students. Let that sink in: even if you never made it to the IIM of your choice, you have lost your data.

The child, now a grown woman, goes to work. More of her time is spent online, for both professional and personal reasons. More services, more breaches. From no-name brands to the likes of Facebook and Google, the leaks just don’t stop. Growing older, with more frequent visits to the doctor? You’ve got a healthcare data breach too (Krebs, Transcription Service Leaked Medical Records, 2018).

Does it surprise you, then, that India saw the second highest number of data breaches? (BI India Bureau, 2019)

Hit ’em up

With great connectivity comes great scams.

That, in a nutshell, is the essence of our digital lives. Eternal vigilance, though, is too high a price for us to pay. So, you have scammers with your email addresses threatening to disclose your darkest sexual fantasies to your Facebook friends. Too embarrassing? Cough up $3000 (Cox, 2018). Not an email user? No worries, you can get these via snail mail too (Krebs, 2018).

If you haven’t already, now is a good time to head on to haveibeenpwned.

Type in a few of your favorite email addresses, and see if they have been compromised. They most likely have been, and the questions you should be asking are: which breaches, what sort of data those breaches expose, and since when.

You gotta fight for your right to party

How do you fix this? You force businesses to take you and your data seriously. Such enforcement can happen only when there is a regulatory requirement.

Legislation is hard, legislation is slow. Particularly in technology, where the landscape is evolving ever faster, and with increasing complexity. Thankfully though, people are waking up. The European Union’s GDPR marks a watershed moment in personal data privacy. In the US, while health records have enjoyed elevated privacy protection thanks to HIPAA, personal data in general has had much less protection through fragmented, state-specific legislation. Australia and Canada have had their own privacy laws for a while now, and South Africa has led the way in Africa through the POPI Act.

As for us — the mighty billion — we have only recently won our Right to Privacy. This was just the beginning of what will be a long fight to protect privacy, and fix our breaches. A solid data protection bill should be our next milestone. And that won’t happen without us banding together.

Come one, come all, fight the good fight, and make sure we get this done, and get this done right.

This post is authored by Suman Kar from Banbreach.com

References

ANI. (2018, 04 27). Baby Girl Enrolled For Aadhar Within 2 Minutes Of Being Born. Retrieved from NDTV: https://www.ndtv.com/india-news/maharashtra-newborn-gets-enrolled-for-aadhaar-within-2-minutes-of-her-birth-1843639

BI India Bureau. (2019, 12 19). Here are the most controversial data breaches of 2018 that affected Indian users. Retrieved from Business Insider: https://www.businessinsider.in/Here-are-the-most-controversial-data-breaches-of-2018-that-affected-Indian-users/Aadhaar/slideshow/67155542.cms

Cox, J. (2018, 08 21). Hackers Made Half a Million Dollars Pretending They Watched You Watch Porn. Retrieved from Motherboard: https://motherboard.vice.com/en_us/article/xwk3wq/hackers-sextortion-half-million-blackmail-caught-watching-porn

Doe, D. (2019, 01 10). Are Indian firms too lax in data security and in responding to breach notices? Retrieved from www.databreaches.net: https://www.databreaches.net/are-indian-firms-too-lax-in-data-security-and-in-responding-to-breach-notices/

Johnson, E. (2019, 02 20). Google and Facebook have become “antithetical to democracy,” says The Age of Surveillance Capitalism author Shoshana Zuboff. Retrieved from recode: https://www.recode.net/2019/2/20/18232469/shoshana-zuboff-age-surveillance-capitalism-book-google-facebook-privacy-data-kara-swisher

Krebs, B. (2018, 01 11). Bitcoin Blackmail by Snail Mail Preys on Those with Guilty Conscience. Retrieved from Krebs On Security: https://krebsonsecurity.com/2018/01/bitcoin-blackmail-by-snail-mail-preys-on-those-with-guilty-conscience/

Krebs, B. (2018, 04 23). Transcription Service Leaked Medical Records. Retrieved from Krebs On Security: https://krebsonsecurity.com/2018/04/transcription-service-leaked-medical-records/

Laha, R. (2017, 05 24). 1.5 million students’ data leaked online, put up for sale for up to Rs60,000. Retrieved from Live Mint: https://www.livemint.com/Education/wLghql47X2SPYSnNh6nDwL/15-million-students-data-leaked-online-put-up-for-sale-fo.html

Pfanner, E. (2009, 07 12). The Paradox of Privacy. Retrieved from The New York Times: https://www.nytimes.com/2009/07/13/technology/internet/13iht-cache13.html

Vidyut. (2018, 04 27). Aadhaar numbers of 69,83,048 school children leaked, reports security researcher. Retrieved from Medianama: https://www.medianama.com/2018/04/223-aadhaar-numbers-school-children/

We are the Internet Freedom Foundation (IFF). From the people behind #SaveTheInternet. Defending net neutrality, freedom, privacy and innovation in India.