Personal Information has been Accessed without their Consent

By   ISBuzz Team
Writer , Information Security Buzz | Dec 07, 2015 05:00 pm PST

It seems like a lot of consumers don’t know when their mobile data has been accessed without their consent.

29 percent of the mobile users surveyed admitted they do not know when their personal information has been accessed without their consent. I don’t think we’d get similar responses if we asked mobile users to identify when their credit scores may have changed, or what their credit scores actually are. In all reality, most people don’t really take an active interest in monitoring their personal data. Given just how digitally dependent every single ‘thing’ or experience is today, it’s a sad state of affairs for anyone – a person or a business – to not know be able to confirm with absolute certainty if and when their data has been stolen or leaked.

How could data on devices they are currently using be accessed without their knowledge?

There are a few ways data can be accessed from a user’s mobile device. Let’s start with apps because, let’s face it, there’s an app for everything these days. And consumers are pretty app obsessed. Apps, for the most part, tend to have permissions associated with the types of personal information and analytics that are being collected. But most users are totally unaware that these profiling permissions exist, let alone what the parameters are for what types of data are collected and used. So if someone uses an app that’s collecting their personal information to customize the user experience and even market other products/services to them – and the user has no idea this is happening – it could be easy for their data to be captured without them ever being the wiser.

Who are the most likely culprits to access a consumer’s data without their consent?

You have to remember – every single thing we do and every single experience we have with a business, brand or advertiser today has to be personalized. It’s what consumers demand. And it’s what businesses have to deliver on to keep customers happy, loyal and spending money repeatedly with them. So anything less than personalized is a waste of time and money.

This expectation for personalization isn’t just reserved for the user experience – it also includes targeted ads. You know what I’m talking about. These are the ads that you see on Google, Facebook and pretty much everywhere else, promoting products or services based on traits specific to your needs, such as demographics, psychographics, behavioral patterns, past purchase history and past search behavior. So some app developers actually sell the customer data they collect to third parties, who will then use that data and the behavioral patterns extrapolated as a result, to develop and deploy targeted advertising.

And of course, there are some people and businesses out there who might try to steal and sell data for less than legal purposes. It’s unfortunate, but it’s also true.

In a world of BYOD, how can businesses ensure their employees are paying close enough attention to who accesses the data on their devices? What should businesses be most wary of?

There are certain monitoring practices and precautionary measures that can go a long way in preventing company data from going rogue. The very first thing companies should do is separate out mobile device management policies from BYOD. The two are not the same thing. Then I’d tell companies to create rules of engagement, list out the common challenges and flaws, establish documentation on the various access points, collect and analyze threat intelligence, and finally, conduct a comprehensive audit of all processes, documentation and tools that are currently in place and compare them to the requirements of regulatory standards. Under a BYOD (bring your own device) policy, companies and their IT departments should set specific restrictions on which mobile apps employees are permitted to use to reduce the chances of having corporate data exposed.

According to the study, consumers were most concerned about financial information winding up in the wrong hands. Is this really the most harmful type of data to be breached? What other type of information should they be worried about winding up in the wrong hands?

Simply put, there is so much credit card data available that the demand for stolen financial details is beginning to decline. But as our study found, it’s still high on the list of the types of data that are vulnerable to cyber theft. I’d say medical data is also a very hot commodity at the moment.

Why is tangible proof of data removal so important to the adoption of data wiping software?

It’s strange. In most other things in life, proof is currency. But with data security, a lot of people and businesses seem to take it for granted. And that’s dangerous. Just look at what happened when we recently bough 122 used mobile devices, hard disk drives and solid state drives from eBay, Amazon and Gazelle – there were huge amounts and types of residual data still left on them after they were resold. That should be reason enough to always demand physical proof that every single type of data has been wiped clean and can never ever resurface.

How much control do users currently have over how their personal information is processed and stored by companies?

In 2015 alone, there have been several monumental data privacy rulings. In September 2015, the US Court of Appeals ruled that the FTC mandate to protect consumers against fraudulent, deceptive and unfair business practices would also extend to oversight of corporate cyber security practices – and failures to comply.

Meanwhile, in May 2014, the EU Court ruled on a number of areas related to data privacy and one of these areas – known as the right to be forgotten – has become a point of contention in the amount of control users have over their data. Essentially, it says individuals have the right – under certain conditions – to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing.

What are the typical ways a user can check if their data has accessed without their consent?

Android users can use one of the application analysis sites to see exactly what permissions an app has. This is a good starting point.

[su_box title=”Paul Henry, IT Security Consultant to Blancco Technology Group” style=”noise” box_color=”#336588″]BlanccoPaul Henry, is IT Security Consultant at Blancco Technology Group. Blancco Technology Group is a leading, global provider of mobile device diagnostics and secure data erasure solutions. We help our clients’ customers test, diagnose, repair and repurpose IT devices with the most proven and certified software. Our clientele consists of equipment manufacturers, mobile network operators, retailers, financial institutions, healthcare providers and government organizations worldwide. The company is headquartered in Alpharetta, GA, United States, with a distributed workforce and customer base across the globe.

Blancco, a division of Blancco Technology Group, is the global de facto standard in certified data erasure. We provide thousands of organizations with an absolute line of defense against costly security breaches, as well as verification of regulatory compliance through a 100% tamper-proof audit trail.

SmartChk by Xcaliber Technologies, a division of Blancco Technology Group, is a global innovator in mobile asset diagnostics and business intelligence. We partner with our customers to improve their customers’ experience by providing seamless solutions to test, diagnose and repair mobile assets. SmartChk (or Xcaliber Technologies) provides world-class support, pre and post implementation, allowing our customers to derive measurable business results.[/su_box]

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x