Ongoing revelations of mass data breaches have become so large and so pervasive that online users simply cannot expect their data to remain private anymore, experts have warned as more and more breaches expose consumers’ personal details by the hundreds of millions.
Recent revelations that all of Yahoo’s 3 billion users were compromised in its highly-publicised data breach sent privacy advocates reeling this month, with Webroot director of threat research David Kennerley warning that the Yahoo breach – compounded by the recent disastrous Equifax breach – means that “we now without doubt have to accept that a good number of once trusted companies cannot keep our private data secure.”
This shifts the onus of security towards consumers, Kennerley said in a statement in which he exhorted users to “become more proactive and improve their own security hygiene” by using different passwords for each online profile, checking the authenticity of any emails received, watching all online accounts for suspicious activity and staying aware of recent breach disclosures.
Shifting the burden to consumers is likely to prove easier said than done, however. Also responding to the Yahoo revelations, Mimecast director of security product management Steve Malone noted that many users “will have reused their Yahoo email password in the workplace” – creating an easy pathway for attackers who replay the leaked credentials against corporate mail systems, gain access to internal work email, and then use that foothold to launch internal phishing attacks and escalate their privileges on the network.
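Rejecting a proposed workplace password that already appears in a leaked-credential corpus is one concrete control against the reuse Malone describes. The following is an added example, not code from the article or from any vendor quoted in it. It assumes a small, constructed in-memory leak corpus (the plaintexts are illustrative, not from any real dump) and simulates the server side of a k-anonymity range query, the pattern in which only the first five hex characters of the password's SHA-1 leave the client and the client matches the returned suffixes locally; no real service is called.

```python
import hashlib

# Constructed sample leak corpus (assumption: these illustrative plaintexts
# stand in for a real breach dump). Stored as SHA-1 -> times seen.
_LEAKED_PLAINTEXTS = {"password1": 41_000, "yahoo2013": 3, "letmein": 92_000, "Summer2017!": 15}
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): count
    for p, count in _LEAKED_PLAINTEXTS.items()
}


def range_response(prefix5):
    """Simulated server side of a range query (hypothetical stand-in for a
    remote breached-password service). Given the first five hex characters of
    a SHA-1, return every matching 35-char suffix with its count, one per line
    in the form SUFFIX:COUNT, so the server never learns the full hash."""
    prefix5 = prefix5.upper()
    lines = [f"{h[5:]}:{count}" for h, count in sorted(LEAKED_SHA1.items())
             if h.startswith(prefix5)]
    return "\r\n".join(lines)


def parse_range_response(body):
    """Parse SUFFIX:COUNT lines into a dict; tolerate blank lines and CRLF."""
    suffixes = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffixes[suffix.upper()] = int(count or 0)
    return suffixes


def breach_count(password):
    """Return how many times the password appears in the corpus (0 if never).
    Only the 5-character prefix is sent; the suffix comparison stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(range_response(prefix)).get(suffix, 0)


def check_new_password(password, min_length=12):
    """Policy check at password-change time: return a list of reasons the
    password is unacceptable (empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears in a known breach corpus ({seen} times)")
    return problems


if __name__ == "__main__":
    for candidate in ["password1", "Summer2017!", "Tr0ub4dor&3-rotated-2017"]:
        verdict = check_new_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The prefix is long enough to keep the response small but short enough that each query is shared by a large population of unrelated hashes, which is what stops the service from learning which password was checked. In production the corpus would be a real dump or a hosted range endpoint, and the check should run on every password change rather than only at onboarding.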
Survey figures suggest that most consumers give little thought to this risk. A recent Ponemon Institute-Centrify study found that just 15 percent of consumers nominated ‘performing work-related activities’ as one of the times when their privacy and security were most important to them.
This was far behind ‘using social media’ – when 62 percent of respondents said privacy and security were important – and ‘visiting a healthcare provider’, cited as important by 75 percent of respondents. Also surprisingly, just 34 percent of respondents said privacy and security were important when making a credit card purchase online.
That research also showed a strong mismatch between consumers’ security priorities and their confidence in the industries holding their data: for instance, just 17 percent of respondents said they trusted social-media companies to preserve their privacy and protect their personal information, and just 27 percent trusted credit-card companies to do the same.
Cybersecurity think tank the Institute for Critical Infrastructure Technology recently issued a scathing assessment of the implications of the recent mass data breaches, with senior fellow James Scott warning that “the reckless handling of data collected in capitalistic dragnet surveillance has developed into a national security and privacy epidemic”.
“The Equifax breach should epitomize the consequences of negligent data brokerage,” Scott warned, “and serve as a wake-up call to similar organizations who profit from dragnet surveillance and the employment of psychographic and demographic Big Data algorithms.”
That breach, he warned, was “an inexcusable travesty” caused by an executive culture that “assumed either that their investment in modest cyber insurance policies would cover the costs of any incidents or that they were too essential to America to be allowed to suffer severe consequences that resulted from their deliberate negligence.”
The breach exposed 143 million American consumers to potential identity theft, but the calculus had worked in the executives’ favour in the short term, Scott warned: “At the moment, their estimation is moderately accurate. Data brokers do not seem to be held to the same level of accountability as other businesses…. [but] the C-level executives of Equifax should at least face investigations and Congressional inquiry, if not criminal charges. Negligent and unqualified C-level executives are the crux of critical infrastructure cybersecurity and cyber-hygiene.”
Yahoo executives were similarly blamed for botching their response and investigation after the original breach became public. Yet even as the full implications of the Equifax, Yahoo and other breaches continue to emerge, analysts advised consumers to take advantage of access-control protections such as two-factor authentication, which blocks a replayed password on its own from unlocking an account.
Anticipating abuse of the stolen data – whether that means assuming leaked Yahoo passwords will be tried against work systems, or watching medical and financial accounts for unusual or unexpected activity – has become an unavoidable obligation in the effort to contain damage from what is now being seen as the inevitable compromise of personal data.
With new data breaches emerging on a regular basis, things are likely to get worse before they get better. For organisations to bolster their protection of personal data, Sense of Security chief operating officer Murray Goldschmidt recently told CSO Australia, they need to improve corporate security culture by building and implementing more realistic cyber-risk and data controls.
“It’s not only about an organisation’s armoury of defences,” Goldschmidt explained. “It’s about their appetite and the risk culture within the organisation. They will test as broadly and as widely as necessary to get access to [target data] – which is their motivation. It’s all about the combination of maturity, risk awareness, and culture.”