Russ Harvey Consulting - Computer and Internet Services

Data Breaches


Hacks and Security Breaches

While organizations are happy to collect your private data, they aren't committed to protecting it as carefully as they do their own private information.

Instead, much of this data is protected only with the least effective (and least expensive) technology, and some companies leave the information entirely unprotected, available to anyone who can locate the server it is stored on.

Breaches Go Back Years

These companies seldom report the loss until much later (often years later) and are not financially responsible because of their vague terms of service and poor privacy policies.

You only need to look at the way Facebook, Hotmail and others so quickly changed their privacy policies to enhance their profitability. You're on your own when it comes to protecting your identity.

Initial breach reports often understate the actual number of affected accounts; later reports progressively revise the numbers upward.

One example is the Yahoo breach which initially reported 500 million accounts were breached in 2013. Now we know that all 3 billion Yahoo accounts were affected including Yahoo Mail, Tumblr, Flickr and Fantasy Football. Here's what to do.

The Motive: Financial Gain and Espionage

The primary motive for hacking these sites is financial gain, although other motives such as espionage are also likely.

Cyber criminals have placed 617 million hacked accounts for sale on the dark web, stemming from 16 separate data breaches. — Independent

Have You Been Hacked?

Find out if your email address has been in a known breach. If so, change passwords for those accounts (and any others using the same user names and/or password).

If the service is free, then you are the product. — The Day We Lost Everything

Data Breaches Reveal Personal Data

Most large companies now make at least some of their income by collecting and analyzing personal data from people on social media, websites and more. Companies like Facebook are based entirely on abusing that trust.

Because they paid virtually nothing for it, these companies seldom provide decent protection.

Every day we hear about another undisclosed data breach. Private information being collected, sometimes sold, and given away without our knowledge or consent. CEOs sit before Congress saying they will "do better" while stories continue to break about negligence and wrong-doing. — Mozilla

There have been at least 200 documented data breaches since 2005, and the number of records exposed is only on the rise as more folks move their lives online. It's impossible to know the impact and extent to which data breaches are occurring as many almost certainly go unreported. — Interest.com

Each year data breaches and compromised accounts become both more frequent and more severe.

New Privacy Breaches

A new study looking into data breaches in 2019 found that on average, a US citizen had their personal information leaked to the public at least four times. This is only based on publicly reported data and leaves out hundreds of other breaches that may have occurred behind closed doors. — TechRepublic

This is unprecedented: almost half of all people in Canada had their sensitive, personal information from a medical testing company hacked and stolen. And it took over 6 weeks for the public to be informed. — OpenMedia

See if you're affected, then sign the OpenMedia petition for action.

Be sure to read the resource links at the bottom of the OpenMedia petition to understand the scope of the problem and why action must be taken to stop this loss of personal data.

Over 75% of Canadians Affected

In the first year in which breach reporting was mandatory under PIPEDA (the year ending October 31, 2019), the OPC received 680 breach reports affecting more than 28 million Canadians, six times as many as the year before.

Canadian Breaches in One Year (breach reports received by the OPC)

Type of incident         Total breach reports
Accidental Disclosure    147
Loss                      82
Theft                     54
Unauthorized Access      397
Grand Total              680

Clearly, breaches at private businesses have been greatly underreported.


Where is the Accountability?

Would you simply shrug your shoulders if your bank “lost” your life savings because of lax security? Why should mass data breaches be any different?

Many of these companies either are unaware that the breach took place (indicating technical incompetence) or have opted not to report the breach to those affected (essentially fraud).

Insufficient security resources to protect the information in their care should not be an accounting decision.

Clearly, company executives have no skin in the game. They should be personally liable with their own assets on the line.

Government Agencies and Political Parties

It should start with our government representatives. It is shocking that our federal parties totally ignore privacy laws and that our governments not only spy on us but share that information widely both internally and internationally.

Buying Power Influence

Consumers need to assess privacy in their purchase decisions. This hits business where it hurts.

First, as consumers we need to stop shrugging and accepting data leaks as business as usual. Security should influence our buying decisions: the organisations we deal with won't take security seriously unless customers and the public do, too. — ZDNet.

Business Responsibilities

Canada's businesses and employees need to understand that ignoring the problem is not acceptable and that the consequences for businesses and employees involved could be significant. Failure to report a breach is fraud.

Employee Snooping is Fraud

Employee snooping, whether malicious or simple curiosity, needs to be stopped. A “need to know” should be a first line of defense backed by severe penalties for failure to protect privacy.

Not only should personal data be protected by excellent security, but there should be a tracking system that records who accessed the data and when.

Businesses are responsible for their employees. Training in security, accountability and ethics as a condition of employment is the least of those responsibilities.

Responding to Privacy Breaches

Responding to such shocking numbers is important. Canada's privacy laws are 35 years old and greatly out of date, especially compared with other countries.

A large number of breach incidents were the result of individual phishing attacks or phone scams, which means that public education needs to be stepped up.

We need to look at how technology can be used to catch criminals or remove their access to Canadian phones and email accounts.

Similarly, if companies faced massive fines for failing to protect the data they collect “just in case” it's useful, they would be far less likely to collect it and more likely to secure what they do collect.

While Bill C-11 was supposed to provide these sorts of fines, it needs revision if it is to succeed.

Our government boasted about imposing some of the highest fines for privacy violations in the world.


Now we know these fines won't apply to many of Canada's most high profile and egregious privacy incidents over the last few years. — OpenMedia

Reporting a Privacy Breach

Canadian businesses and organizations are legally required to report privacy breaches. Hoping it goes away could cost you both customer loyalty and significant fines.

If You've Been Affected

These large numbers indicate that most individuals in Canada have already been affected. We need to stop unsafe practices and start treating ignorance as a public menace.

Legislation is Probably Required

Too often we tell people how to protect themselves, but how do you protect yourself from credit card and other information being stolen from retailers, other than by strictly using cash and refusing requests for personal details such as your email address to “email your receipt”?

You should receive a printed receipt with your transaction, so you're providing information with little return value to yourself compared to the future value of your email address to the retailer.

Corporations must be held legally and financially accountable for security breaches that affect customers. There need to be fines, investigations, and court-ordered consequences. Money needs to be spent on lawyers—a lot of money. The current model where customers have to spend their own money and energy to bring lawsuits to bear is unreasonable. — PCMag


Equifax Data Breach

Probably the most glaring of the many reported (and unreported) data breaches is the 2017 Equifax data breach.

Richard F. Smith, former Equifax CEO, blamed it on an employee's error.

Many Affected

The data stolen provided more than enough information to commit widespread identity theft on the majority of American and Canadian citizens.

Inadequate Security

Even though this data was particularly sensitive, Equifax provided little data security.

A company like Equifax that has sensitive, personal information on most Americans should have the best data security in the industry. Instead, it has the worst. — Senator Elizabeth Warren

Executives Cashed Out

There was also a delay in reporting the breach while the company executives cashed out.

The lack of quick action by the company's executives should have resulted in firings and severe financial penalties for the company.

Consumers Unprotected

Checked to see if your personal identity was compromised?

You gave up the right to sue.

Seriously?

Settlement Inadequate

Equifax settled the FTC lawsuit by agreeing to provide either 10 years of credit monitoring or a $125 cash settlement.

But Equifax never provided enough funds for this settlement:

Equifax earmarked only $31 million for claims, meaning that if all 147 million people affected by the breach filed a claim, everyone would get just 21 cents. — The New York Times Editorial

This provides no incentive to corporations to provide security for data they hold about private citizens.

Where Did Data Go?

For quite some time there was a mystery about what happened to the data, because it didn't show up for sale on the dark web as data from such breaches usually does.

The Great Equifax Mystery

The theory that a foreign government was behind the attack was the most logical conclusion.

The great Equifax mystery: 17 months later, the stolen data has never been found….


Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies. — Kate Fazzini, CNBC

Mystery Resolved

In February 2020, it was revealed that four Chinese officers of the People's Liberation Army…were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

RussHarvey.bc.ca/resources/databreaches.html
Updated: March 15, 2021