Is it possible to connect a breach to specific harm?

The fallout from the Equifax case has already begun. Those of you who may be affected by this breach should read this article to guard against some of the scams that are already being thrown at data subjects:

Beware – the Equifax Scams Are Coming

For those not affected, the article is worth reading to get a small sample of the variety of attacks that follow leaked data.

In other news, we find that a lawsuit against the U.S. government over a leak of some 22 million employees’ records has been dismissed (link) on the grounds that the aggrieved data subjects (here represented by their labor unions) have not proven that they were harmed by the breach.

In a normal case of injury or damage, proof of cause and effect is a normal requirement. But how could the plaintiffs possibly prove that damaging effects were caused by this particular breach? After all, the government could point out that a given harm was possibly caused by the Equifax breach, or some other. In other words, the traditional rules of evidence and inference are of little use in the age of internet crime.

Stolen data is completely anonymous. When you are attacked, you have no idea where the attacker obtained his data; even the attacker himself may not know the seller’s identity. The data in question might even have been legally obtained; many businesses (such as Equifax) are in the business of collecting and selling data.

Unlike money, data does not need to be laundered; it’s already untraceable. Unlike money, it can be copied and distributed without limit. Exposing one’s personal data on the internet is like exposing one’s body to radiation: the effects are cumulative, and for life.

At the moment the technical, legal, political, and other capabilities are not in place to stop this trend, nor even to slow it down by very much. Our technology is running ahead of our ability to deal with its consequences.


Equifax breach, part 2: is this our future?

The Equifax data breach continues to reverberate in the media, raising various issues that pertain to data security and privacy.

Asymmetry between errors and consequences

These issues present an asymmetry, what risk theorist Nassim Taleb refers to as ‘convexity’ (link), between the degree of negligence on the part of the data owner and the extent of the damage. In options theory, a convex payoff means that, in exchange for a small, defined loss, you obtain the possibility of an unbounded gain. The usual example is an exchange-traded option to buy or sell a financial asset. (Many people also think of lotteries in this context, but the analogy doesn’t apply, since lotteries are artificial, arranged as games of chance with known probabilities and a maximum payout.)

Unrestricted email plus full PII access: recipe for trouble

Storage giant Seagate suffered exposure of the withholding-tax records of some 12,000 employees following a phishing attack.


At the time Seagate noted that there was no evidence that the information had been misused, also known as the absence-of-evidence defense.

Fast-forward a year or so, and the evidence has appeared.


As is usual in these cases, we have a combination of failures, such as:

Cloud apps and outsourcing bring new breaches

Given the apparent proliferation of data breaches (or at least their coming to light), I doubt that I can keep up, and so in future will comment only on those cases that illustrate some aspect of the GDPR.

That aspect today is the rampant push to get sensitive PII into the hands of cloud vendors and external (outsourced) developers and testers. I just came across some recent cases:

Sweden’s data breach: a cautionary tale

Another week, another data incident. The GDPR is arriving none too soon. Let’s hope that it can slow the tide that is washing our personal data out into the internet data-ocean.

This time the victims are the citizens of Sweden, or at least those who have a vehicle registered, are in the police or military, or who are protected witnesses. In other words, a nightmare scenario, which clearly would be a violation of the GDPR (that is, when it comes into force some ten months from now).

BUPA suffers an incident

News stories reinforce the reality of privacy incidents. Today I plan to discuss a story from The Register, one of my favorite tech sites. The article is short and well worth reading. Don’t miss the comments, which raise interesting points.

Bupa: Rogue staffer stole health insurance holders’ personal deets

BUPA, a UK health insurance company, suffered a leak of more than 100,000 customer records, including phone numbers and email addresses, due to the actions of an employee.