This article was published on December 28, 2018

Depressing lessons 2018’s endless data breaches taught us

Depressing lessons 2018’s endless data breaches taught us
Emily Wilson
Story by

Emily Wilson

Emily Wilson is VP of Research at Terbium Labs, a Baltimore-based dark web data intelligence company. There, she counsels clients on the app Emily Wilson is VP of Research at Terbium Labs, a Baltimore-based dark web data intelligence company. There, she counsels clients on the appearance of their information online and provides ongoing analysis on fraud, drugs, weapons, extremism, and other information appearing on the dark web. She can be reached @ThirdEmily.

In the days after Facebook’s September announcement about a bug that may have compromised 90 million users – yes, that was three months and several earth-shattering Facebook headlines ago – someone asked me what consumers could have done to avoid being caught up in yet another data breach.

“They could not use Facebook,” I said.

Every time a major breach occurs, we look for answers about what consumers can do differently. What can I do to protect myself? Can I stop criminals from stealing my data? How do I fix it? I’ve gotten these questions from friends, family, colleagues, and journalists over the past few years, and my answers are getting increasingly pessimistic: there’s nothing you can do, not really.

You can change your passwords. You can freeze your credit (seriously, freeze your credit). But you don’t control the systems on which your data is stored, so you can’t fix it, and you can’t stop it.

The answer doesn’t lie with the consumers. This is not something for the consumer to solve. This is not something that we – you and I – can fix. We need to be looking at the tech giants that have been amassing our data instead.

That will be $5 and your mother’s maiden name

The average consumer has no real ability to opt out of putting their data in compromising situations. Engaging with the world, or at least transacting with the world, creates countless opportunities for data collection and subsequent compromise: buying gas, getting groceries, going to the movies, checking your email – all of these activities require sharing, transmitting, and recording information about you.

This data contains a wealth of information: personal data, medical histories, financial details, preferences, behaviors, movements, and, increasingly, biometric data – think of face recognition, voice technology, and DNA from genetic or ancestral testing services.

Even if the security community warns consumers against entering personal information on unsecured websites, it’s unreasonable to expect people to abandon their online shopping or social media accounts – for many, the most reliable source of connection with friends, family, and the rest of the world.

At every turn, companies look to record, collect, and connect data. Technology runs the world, and data is the fuel – data is a commodity, and the tech giants understand that.

These companies rely on user data for increased market share and broader monetization, with many companies even incentivizing users into additional data sharing in exchange for special rewards.

In exchange for increased data access (read: increased surveillance), companies serve up highly customized user experience, pulling in preferences and browsing history from multiple sites and accounts, using predictive analytics to identify needs and prompt purchases.

These customized feeds and personalized recommendations are part of what create addictive user experiences – and higher revenues.

We’ve gotten used to these services that collect our data. We rely on them — and the tech giants know that. They know that once these technologies become a regular part of the flow of life, commerce, and information, they’re very difficult to give up.

For every new feature, users trade a little bit more data and a little bit more privacy, all in the name of convenience or a dopamine hit.

It’s getting harder and harder to opt out.

What does that have to do with data breaches?

If 2018 taught me anything about data breaches, it’s this: we’ve reached a whole new scale of compromise. In the last few weeks alone, we’ve seen multiple breaches impacting hundreds of millions of records each. Just in the last few weeks. And those are just the ones we know about.

These last few weeks aren’t an anomaly. 2018 also brought us a breach at the Sacramento Bee (19.5 million records), Ticketfly (27 million records), Panera (37 million records), Under Armour (150 million records), and Aadhar, India’s national ID database (1.1 billion records) just to name a few.

We saw huge third-party data breaches at sales engagement startup Apollo (200 million records) and at marketing firm Exactis (340 million records). Exactis follows in the wake of Equifax – who, by the way, announced in March 2018 that the initial breach impacted 2.4 million additional customers – by having data on nearly every US citizen.

While Exactis didn’t include the financial details that drove the concern and attention around Equifax, it did include personal data and detailed profile information: the age and gender of children in a household, smoking habits, religious affiliations, pet preferences, hobbies, and interests. Everything about your life, nicely aggregated and cross-referenced.

A few years ago, we would flinch at the news of a breach that impacted 100,000 customers. Exposed records now regularly number into the millions or even hundreds of millions. When we thought of data breaches, we thought of usernames, passwords, and maybe contact details.

Now, we have to wrestle with the compounding effects of personal information, digital profiles, financial data, location tracking, passport information, and even DNA. We’re facing a steeper trade-off, where consumers are forced to choose between participation and privacy, and where participation involves signing over a considerable amount of data that, realistically, isn’t going to be secure for very long.

The stakes are significantly higher.

Aren’t the lawyers going to save us?

No. I mean, maybe. But no. Legislation incentivizes better security practices for corporations – good for all of us – but ultimately rules and regulations will not solve the problem on their own. Consumers are trapped between the high data appetites of the tech giants and the growing fraud economy, with a ready collection of cyber criminals eager to cash out on compromised data. Legislation will only get us so far.

If you’re looking for optimism on the future of data security, I’m not the right person to ask. As someone who sees stolen data traded every day on the dark web, I have a firm practicality about the scope of the data compromise problem: it’s bad, and it’s getting worse.

The only consolation I have in our ongoing and inevitable data exposure is that, to quote one of the transformative musical productions of our time, we’re all in this together.

Executives, consumers, legislators, world leaders, college students, kindergarten teachers – everyone is at risk, everyone is exposed, and everyone is facing the same fallout from data compromise. Eventually, the weight of worldwide data exposure will sink in, and leaders, legislators, and, yes, even the tech giants might just try to do something about it.

Also tagged with

Back to top