News has broken that 1.2 billion records were found online on a single exposed, unsecured server. While the data does not include sensitive information such as passwords, credit card numbers and Social Security numbers, it does contain profiles of hundreds of millions of people. This includes home and cell phone numbers, associated social media profiles (Facebook, Twitter, LinkedIn and Github), work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.
A dark web researcher recently found a trove of data sitting exposed and easily accessible on an unsecured server—about 1.2 billion records in all—containing profiles of hundreds of millions of people that include phone numbers and social media profiles. https://t.co/6VAfAt7SIf
— WIRED (@WIRED) November 22, 2019
It is somewhat unique that the actual database was left exposed in this particular scenario. These continued breaches validate that more fail-safe protection methods need to be put in place to address gaps in the security model due to human error and data sharing with third parties. Companies need to have a stronger focus on data-centric protection around the actual data values, like record-level encryption.
This recent event further illustrates that external third parties remain a significant source of data loss risk. This begs the need for a different model of data sharing that limits exposure and centralizes data instead of distributing it outright to multiple external parties. This would consolidate digital processing and utilize a privacy-preserving analytics capability to support use cases for business intelligence and collaboration across multiple parties. Companies will need to come to grips with protecting the actual data as part of a “shared responsibility” model.
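Record-level encryption, which the comment above proposes as the data-centric alternative to trusting the server's perimeter, as an added example in Go. This is not code from the commenter or from the page: each record gets its own random data key (DEK), the DEK is stored only wrapped under a master key that stays in the application tier, and the record ID is bound as associated data so a sealed blob cannot be re-homed to a different record. The master key, record ID and profile values are constructed for the demonstration and are not real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// ProtectedRecord is the only form that reaches the data store: a copy of the
// store leaked from an exposed server yields no field values without the master key.
type ProtectedRecord struct {
	ID         string `json:"id"`          // lookup key, deliberately in the clear
	WrappedDEK []byte `json:"wrapped_dek"` // nonce || AES-256-GCM(masterKey, dek, aad=ID)
	Ciphertext []byte `json:"ciphertext"`  // nonce || AES-256-GCM(dek, body, aad=ID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag, using a fresh random nonce each call.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key, tag or aad is an error, never garbage output.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptRecord draws a 256-bit DEK for this record only, seals the body under it,
// then wraps the DEK under masterKey; the record ID is bound as AAD in both layers.
func EncryptRecord(masterKey []byte, id string, body []byte) (ProtectedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return ProtectedRecord{}, err
	}
	ct, err := sealGCM(dek, body, []byte(id))
	if err != nil {
		return ProtectedRecord{}, err
	}
	wrapped, err := sealGCM(masterKey, dek, []byte(id))
	if err != nil {
		return ProtectedRecord{}, err
	}
	return ProtectedRecord{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with masterKey, then opens the body under the DEK.
func DecryptRecord(masterKey []byte, rec ProtectedRecord) ([]byte, error) {
	dek, err := openGCM(masterKey, rec.WrappedDEK, []byte(rec.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, rec.Ciphertext, []byte(rec.ID))
}

// LeaksPlaintext checks the stored form: does any given value appear verbatim on disk?
func LeaksPlaintext(rec ProtectedRecord, values []string) bool {
	stored, _ := json.Marshal(rec)
	for _, v := range values {
		if strings.Contains(string(stored), v) {
			return true
		}
	}
	return false
}

func main() {
	masterKey := make([]byte, 32) // constructed; production keys come from a KMS/HSM
	io.ReadFull(rand.Reader, masterKey)
	body := []byte(`{"email":"jane.doe@example.com","phone":"+1-555-0100"}`) // fabricated profile
	rec, _ := EncryptRecord(masterKey, "profile-000001", body)
	stored, _ := json.Marshal(rec)
	fmt.Printf("stored: %s\nleaks plaintext: %v\n", stored, LeaksPlaintext(rec, []string{"jane.doe@example.com"}))
	back, err := DecryptRecord(masterKey, rec)
	fmt.Printf("decrypted: %s (err=%v)\n", back, err)
}
```

The "stored" line is what a finder of the exposed server would have had: an ID and two opaque blobs. The caveat is that this protects values at rest only; the search and analytics the comment mentions need either the key or a privacy-preserving layer on top, and key management (rotation, KMS/HSM custody, who can call unwrap) is where the real operational work lies.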
In modern society, the algorithms that dictate much of what we see and hear are inscrutable and our widely-published personal information is the key to making those algorithms generate enormous amounts of revenue for the algorithm owners and arguable amounts of value for us. The reason this reality is less catastrophic than it could be is that everyone’s private data is grist for the mill. If the bad guys had only the private data of thousands, then those thousands of people would surely be in deep trouble. Given the data of billions, an individual is once again a needle in a needle stack. In cryptography, algorithms are meant to be public and the keys are meant to be private. If you require “security through obscurity” and keeping your algorithm private for your cryptosystem to be “secure,” you’ve made a serious misstep. There are almost certainly other choices to accomplish security goals.
This incident highlights multiple data privacy tenets. The most obvious is that given access to any data, organizations will find a way to use, and potentially misuse, it. In this case, someone had access to user profile data from multiple social media platforms and then merged that data together, with the combined data allowing users to be more readily identified. While the origin of the raw data is currently unknown, the existence of such a merged dataset should surprise no one. Nor should it be surprising that this merged dataset was unsecured and freely available on the internet. The core problem highlighted in this and other similar incidents is just how unaware most people are of who might have access to their personal data through a data sharing agreement between businesses. While legislation like GDPR in the EU may enable consumers to request details on what data a specific organization might have collected on them, it’s often difficult for users to interpret the report given to them. Even when the report is clear, when data is transferred to a second organization there is no guarantee the same security practices were employed by both companies.
To better combat this challenge, consumers should question precisely what benefit they receive from providing a given data element, or if the data being requested mostly benefits advertising or profiling efforts. If the data isn’t specific to the service being delivered (e.g. shipping address), then there is no shame in being blunt with the company and asking why they need it, how they are going to secure it, and how you can verify they’ve done so properly. Only if we as consumers set higher privacy expectations with our providers will the current data sharing situation improve.
Every day, we read headlines about new breaches and data exposures, so it is not surprising to come across places where this data is available for the taking. If anything, this finding should be a stark reminder that relying on credentials and personally identifiable information for user authentication is outdated.
Bad actors compile the same user’s information from different breaches and then go to the victim’s social media pages to complete that profile. The discovery of this server with all the information it contained is proof that fraudsters continue to work behind the scenes to amass consumer data while companies continue to utilise outdated passwords and security questions to know it is you. Companies need to expedite the transition from credential and knowledge-based authentication to security that verifies users based on their behaviour as well. By verifying users online with passive biometrics and behavioral analytics, breached credentials and answers to secret questions are not enough to log into someone else’s account or to make a transaction. More companies today are implementing these technologies to protect their business and their customers from account takeover. Hackers are not able to mimic inherent user behaviour online, making the stolen credentials valueless.
This data breach seems to be just the latest in a never-ending string of incidents. Yet, the sheer volume of data that has been collected and left exposed online does make this one stand out. This data breach may not have included any sensitive data such as credit card numbers. However, the data that was breached could expose individuals to identity theft, credential stuffing and phishing scams. Individuals should use Troy Hunt’s HaveIBeenPwned website to check if any of their details were leaked in this breach or any others. In addition, users should be extra vigilant on each of these social media platforms and be particularly cautious over any attempted communications both via and (supposedly) from the platforms themselves.