Hacks and Security Breaches
While organizations are happy to collect your private data, they are not committed to protecting it anywhere near as carefully as they protect their own confidential information.
A new report from Mastercard shows that the average data breach costs Canadian businesses $5.64 million while only 39 per cent of businesses are implementing adequate cybersecurity tools.
— CTV News
Instead, much of this data is protected only with the least effective (and least expensive) technology, and some companies leave the information unprotected and available to anyone who can locate the server it is stored on.
Each time there is a data breach containing your information, it has the potential to reveal a pattern in your password use. At the very least it exposes the personal information that was used to create and maintain your account.
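Once a password has appeared in a breach it should be treated as public, which is why a breach corpus is worth checking against. The block below is an added example, not code from the original page or from Have I Been Pwned; it implements the k-anonymity "range" check that the Pwned Passwords API uses, where only the first five hex characters of the password's SHA-1 hash are sent to the server and the match against the returned suffixes is done locally, so the password itself never leaves the machine. The range response and the counts in it are constructed for offline use; the function names and the `check_password_online` helper are my own.

```python
# Added example: k-anonymity password-exposure check in the style of the
# Pwned Passwords "range" API. Only a 5-character hash prefix is ever sent;
# the 35-character suffix is matched locally against the returned list.
# The canned range response below is constructed and its counts are invented.
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called in the offline demo


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Return (prefix, suffix): the 5-char prefix is transmitted, the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def match_range_response(suffix: str, response_text: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix.

    Returns the breach count, or 0 if the suffix is absent. The comparison is on
    the whole suffix, so a shared leading fragment can never produce a false hit.
    """
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, sep, count = line.partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to GET .../range/5BAA6, the prefix of
# SHA-1("password"). Real responses hold hundreds of lines; these counts are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": """\
1D2C3F2B6E1A2D8C7B0F3E4A5D6C7B8A9F0:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A7F0E5C4B3D2E1F0A9B8C7D6E5F4A3B2C1:12
""",
}


def check_password_offline(password: str) -> int:
    """Run the full flow against the constructed responses. 0 means 'not found'."""
    prefix, suffix = split_for_range_query(password)
    return match_range_response(suffix, CONSTRUCTED_RANGES.get(prefix, ""))


def check_password_online(password: str, timeout: float = 10.0) -> int:
    """Same flow against the live API (needs network; not exercised in the offline demo)."""
    prefix, suffix = split_for_range_query(password)
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return match_range_response(suffix, body)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2019"):
        n = check_password_offline(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in the constructed sample'}")
```

The point of the prefix split is that the server learns nothing usable: roughly one in a million passwords share any given five-character prefix, so the query reveals neither the password nor its full hash, and the server's answer is the same whether or not the password is in the corpus.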
The Equifax data breach is a clear example of how weak the protections against breaches affecting millions of people can be.
More Common Than You Think
Data breaches are more common than you'd think, given the infrequency of news reports. How often?
Every day. Multiple times. Every day, without question.
— Troy Hunt
Only the very largest breaches are reported in the media, and then often months or years after they actually happen.
Data breaches now happen so often that they rarely make the regular news cycle, but that doesn't make them any less dangerous. A data breach gives cybercriminals the chance to uncover your private information and use it for nefarious purposes, such as identity theft.
One example is the LastPass breach. It took over six months from the time of the first incident for the company to begin reporting the risks to customers. Customer data wasn't reported missing until December 22, 2022, even though it appears to have been taken months earlier. Initially customers were told their data vaults were probably safe, but that notice failed to mention that LastPass had not warned customers with weak security settings to upgrade them.
TL;DR: The breach was helped by a lax security policy; an employee was accessing critical company data from their home computer.
So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022.
— Almost Secure
Breaches Go Back Years
These companies seldom report the loss until much later (often years later) and are not financially responsible because of their vague terms of service and poor privacy policies.
You only need to look at the way Facebook, Hotmail and others so quickly changed their privacy policies to enhance their profitability. You're on your own when it comes to protecting your identity.
Online Crime Treated Like White Collar Crime
Much like white-collar criminals, online criminals face far lighter repercussions (if they are caught at all) than someone robbing a store or kidnapping for ransom.
As cybercrime begins to overtake physical offenses for the first time, we need to realize that as our world continues to be dominated by technology so is organized crime. There is a common misconception that these out of sight online attacks are victimless crimes or are not treated with the same level of importance as those that occur offline, and this needs to change.
— Daniel Burrus
In addition, most of these crimes are committed abroad where it is much more difficult to prosecute the perpetrators.
White Collar Crime Punished Lightly
One of the reasons that the loss of personal information occurs is that companies don't see any reason to spend money to protect information they didn't pay for in the first place.
No one forced these companies to carelessly collect that information nor retain it.
Until such crimes are punished appropriately and to the same degree as a similar blue-collar crime, these breaches will continue.
Numbers Affected Understated
Often initial breach reports understate the actual number of affected accounts. Later reports progressively report larger numbers.
As the public faces of huge corporations, executives have a lot to lose if their reputation — or that of their company — becomes tarnished. Their public relations team and their company's board may feel that paying off the criminal gangs could be less expensive than damaging the company's brand or causing a drop in stock value after announcing their business has become a victim to a serious cyberattack.
So while some companies and individuals will try to cover up that they have been scammed, the truth can and often does come out.
— ZoneAlarm blog
One example is Yahoo, which first disclosed that 500 million accounts had been breached, then 1 billion, before finally acknowledging that all 3 billion Yahoo accounts were affected by its 2013 breach, including Yahoo Mail, Tumblr, Flickr and Fantasy Football.
The Motive: Financial Gain and Espionage
The primary purpose of hacking these sites is financial gain, although espionage is also a likely motive.
Cyber criminals have placed 617 million hacked accounts for sale on the dark web, stemming from 16 separate data breaches.
Personal Data Revealed
Most large companies now make at least some of their income by collecting and analyzing personal data from people on social media, websites and more.
Companies like Facebook are based entirely on abusing that trust.
These companies seldom provide decent protection for collected information because they paid virtually nothing for it and the consequences of a data breach seldom affect their bottom line.
Clearview AI scraped millions of photos from Facebook accounts without permission in order to sell facial-recognition data to police forces in North America, yet neither company faced penalties proportionate to the harm, while ordinary citizens can face large fines when caught posting images they do not own.
One of the best security moves you can make is to get off Facebook.
Every day we hear about another undisclosed data breach. Private information being collected, sometimes sold, and given away without our knowledge or consent. CEOs sit before Congress saying they will "do better" while stories continue to break about negligence and wrong-doing.
There have been at least 200 documented data breaches since 2005, and the number of records exposed is only on the rise as more folks move their lives online. It's impossible to know the impact and extent to which data breaches are occurring as many almost certainly go unreported.
— Interest.com (2019)
Each year data breaches and compromised accounts become both more frequent and more severe.
Example Privacy Breaches
A new study looking into data breaches in 2019 found that on average, a US citizen had their personal information leaked to the public at least four times. This is only based on publicly reported data and leaves out hundreds of other breaches that may have occurred behind closed doors.
- The average American had personal information stolen at least 4 times in 2019.
- 15 million LifeLabs customers had their data hacked in late October.
- The PDL data leak affected 1.2 billion people.
- Last year 28 million Canadians were impacted by data breaches.
This is unprecedented: almost half of all people in Canada had their sensitive, personal information from a medical testing company hacked and stolen. And it took over 6 weeks for the public to be informed.
Be sure to read the resource links at the bottom of the OpenMedia petition to understand the scope of the problem and why action must be taken to stop this loss of personal data.
Over 75% of Canadians Affected
In the first year that reports were mandatory under PIPEDA, ending October 31, 2019, the OPC received 680 breach reports affecting more than 28 million Canadians, six times as many as the year before.
Clearly, breaches at private businesses have been greatly underreported.
Equifax Data Breach
Probably the most glaring of the many reported (and unreported) data breaches is the 2017 Equifax data breach.
Richard F. Smith, former Equifax CEO, blamed it on an employee's error in not patching a known security vulnerability.
The data stolen provided more than enough information to commit widespread identity theft against a majority of American adults and thousands of Canadians.
Even though this data was particularly sensitive, Equifax provided little data security.
A company like Equifax that has sensitive, personal information on most Americans should have the best data security in the industry. Instead, it has the worst.
— Senator Elizabeth Warren
Executives Cashed Out
There was also a delay in reporting the breach while the company executives cashed out.
The lack of quick action by the company's executives should have resulted in firings and severe financial penalties for the company.
If you used Equifax's site to check whether your identity was compromised, its terms of service initially required arbitration, meaning you gave up the right to sue.
Equifax settled the FTC lawsuit by agreeing to provide either 10 years of credit monitoring or a cash payment of up to $125.
But Equifax never provided enough funds for this settlement:
Equifax earmarked only $31 million for claims, meaning that if all 147 million people affected by the breach filed a claim, everyone would get just 21 cents.
— The New York Times
This provides no incentive to corporations to provide security for data they hold about private citizens.
What's needed is a legislated requirement to protect data much like the safety requirements for automobiles and mandated payouts that significantly hurt the bottom line of companies that disregard those requirements.
Where Did Data Go?
For quite some time it was a mystery what happened to the data, because it didn't show up on the dark web the way data from such breaches usually does.
The Great Equifax Mystery
The theory that a foreign government was behind the attack was the most logical conclusion.
The great Equifax mystery: 17 months later, the stolen data has never been found….
Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.
— Kate Fazzini, CNBC
In February 2020, it was revealed that
four Chinese officers of the People's Liberation Army…were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.
Weird Online Data Dump
An open (not password-protected) server holding 4 terabytes of data from People Data Labs (PDL) and OxyData.io (OXY), with cross-linked information on over 1.2 billion people, was found on October 16, 2019. PDL and OXY are data enrichment companies; they let their customers search:
- Over 1.5 billion unique people, including close to 260 million in the US
- Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
- Over 420 million LinkedIn URLs
- Over 1 billion Facebook URLs and IDs.
- 400 million+ phone numbers. 200 million+ US-based valid cell phone numbers.
De-duplicating the nearly 3 billion PDL user records revealed roughly 1.2 billion unique people, and 650 million unique email addresses, which is in line with the statistics provided on their website. The data within the three different PDL indexes also varied slightly, some focusing on scraped LinkedIn information, email addresses and phone numbers, while other indexes provided information on individual social media profiles such as a person's Facebook, Twitter, and Github URLs.
— Check Point blog
It is interesting that the data is an accurate copy of data obtained from 2 different companies blended into one database. Someone either was a very large customer of both companies or managed to hack both databases.
Why was it available on an open IP address (22.214.171.124) rather than hidden away?
Someone should be held accountable for both scraping (collecting) such data then combining it for profit as well as allowing it to be copied into an unprotected cloud account unnoticed.
If both companies (and the company officers) were bankrupted for this breach, perhaps the tracking of such sensitive data would be less attractive and companies would spend money securing customer data as carefully as confidential company data.
TransUnion Data Breach
TransUnion's 2019 data breach affected 37,000 Canadians.
The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada's credit monitoring agencies with data blemishes on their record. TransUnion says someone fraudulently accessed data using a customer's login credentials.
It is disconcerting that those protecting businesses from fraud are so lax in their security. One reason is that TransUnion and Equifax serve businesses, not consumers.
NCIX Customer Data Sold After Bankruptcy
Following the bankruptcy of computer retailer NCIX in Vancouver, its computers were never wiped to remove customer data before they were sold.
This personal information included IP, home and email addresses, passwords, credit card information and social insurance numbers.
Not only did the company fail to ensure that the computers containing customer information were wiped, but the data on them was so poorly protected that it was readable by whoever bought the machines, which ended up for sale on Craigslist.
Whoever is responsible for the careless disposal of the company assets is to blame. Bankruptcy protection should not remove liability for those responsible for not securing that information, including the former officers of that company.
Timely Reporting Lacking
The number, frequency and size of security breaches are not improving. Companies are protecting their servers, not their users' information.
Often companies don't even realize they've been hacked until long after the data has made its way into the dark web.
68% of breaches take months or longer to detect.
— Menlo Security
A history of data breaches covers some of the largest and most damaging on record, as well as how to prevent them.