Is customer data now cannon fodder for companies?
Password-sleuth Troy Hunt, who runs the website HaveIBeenPwned.com (HIBP), has added a database of 711 million records to the website which he says is an amalgamation of a number of customer record databases floating around the internet and is used for spam purposes.
For context, the biggest database Hunt had posted prior to this one contained a “mere” 393 million records, and was owned by River City Media, an alleged spam operation. On both occasions, Hunt’s website was programmed to email those in the databases he posts to alert them that they should change their passwords. A quasi-CSR programme, if you will.
Simultaneously, pawn shop experts CEX asked up to two million of its customers to change their passwords, as they had experienced a data breach orchestrated by a “3rd party”.
The company said that the stolen data includes customer names, physical addresses, email addresses, phone numbers and old credit card information dating back to 2009 which it says was encrypted.
In a statement, CEX did not give any business reason for holding expired card information.
These are only two examples of what is presumably the result of negligent security practices, and they follow a summer of companies leaving large customer databases unsecured in misconfigured Amazon S3 storage buckets.
US-based telecoms company Verizon leaked 14 million customer records, financial information company Dow Jones leaked 2.2 million customer records, US voting machine supplier ES&S leaked 1.8 million customer records, and finally security firm Kromtech found three million customer records belonging to the WWE, also on AWS.
These data breaches are only a handful that have occurred since 2017 began, and it’s clear we’re not at the end yet.
So the question is, has data simply become cannon fodder, used by companies to drive sales and discarded the minute it’s lost its value? It’s obvious that it’s very difficult to make assumptions and answer for every company in the world.
But when it happens to you, it suddenly becomes real. As Hunt, an Australian, notes in his blog post about the 711 million records: “The first place to start is with an uncomfortable truth: my email address is in there. Twice.”
Ilia Kolochenko, web app security expert and CEO of High-Tech Bridge, comments: “Anyone who is worried about the effects of such data breaches should deploy a strong password-management solution, and ensure each password is a unique one which isn’t reused. This should stop criminals from moving laterally into other accounts.”
Hopefully, less turbulent times are ahead. The incoming General Data Protection Regulation (GDPR) is expected to curb such data breaches, as it is seen to usher in more stringent data protection practices.
Several top data protection experts at the UK’s Information Commissioner’s Office have said the data protection regulation which has been in the making by the European Union since 2012 is designed to encourage companies to be more considerate of how customer data is handled. But it remains to be seen whether or not the desired effects will be achieved.
Many sceptics have spent the GDPR’s honeymoon period complaining that the ICO is going to use the regulation to impose extremely heavy fines. But it seems as though the GDPR cannot come soon enough.
The UK’s fraud prevention service Cifas recently reported that identity fraud, facilitated by such data breaches, has reached new highs. During the first six months of 2017, 89,000 fraud cases were reported to Cifas; typically these involve a criminal pretending to be someone else for monetary gain.
Cifas said these crimes happen almost exclusively online, and are aided by data troves such as the one held by Troy Hunt and others found on the internet. 500 identities are now stolen every day, according to Simon Dukes, the Cifas chief executive, and identity fraud is one of the fastest growing types of cyber-crime.
Kolochenko concluded: “Unfortunately, I can foresee a significant rise in cyber-crime and online fraud in the near future, and law enforcement will struggle to keep up with the exponential rate of increase.
“We all must be on high alert as to who we share private information with, to ensure criminals are not able to build up a picture of who we are, pieced together from information on the internet. Make no mistake, with every data breach which happens, criminals may gain that extra piece of information which will allow them to gain access to a banking account or sensitive medical records. And at that point, it’s game over.”