Data breaches: an über-headache

In November 2017, a raft of news agencies reported on a scandal[1] at the ride-sharing company Uber. Per ABC Australia[2]:

According to the company’s account, two individuals downloaded data from a third-party cloud server used by Uber, which contained names, email addresses and mobile phone numbers of 57 million users around the world.

They also downloaded names and licence numbers of 600,000 of the company’s US drivers, Mr Khosrowshahi[3] said in a blog post.

The breach occurred in October 2016, yet details are only now emerging. Rather than reporting the breach, Uber employees paid the hackers US$100,000 to have the data deleted. The new Uber CEO has reportedly fired two staff as a result. According to some reports[4], the chief security officer and a deputy were the two employees dismissed. It is questionable whether such cover-up actions were even legal – the USA has a raft of security breach notification laws[5], and it seems unlikely that the nature of the data retrieved exempted Uber from having to disclose the breach to its users.

Uber’s data breach was not even a sophisticated one[6]. In effect, it amounted to Uber leaving the keys to the house under the doormat, only to discover that someone had used those keys to enter the house. Accessing Uber source files on GitHub, the ‘hackers’ found that Uber had left within its source code the access credentials for Uber’s Amazon storage buckets. With those credentials in hand, it was a simple case of copying the data. A credential committed to a repository is readable by everyone who can read that repository, and it stays in the repository’s history even after the offending line is deleted, so the only real fix is to revoke it and keep secrets out of source in the first place.
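The practical check that would have caught this class of mistake is a scan of the repository for credential-shaped strings before they are pushed. The following is an added example written for this post, not Uber’s tooling and not a reproduction of the incident. It matches the publicly documented AWS key formats (a 20-character access key ID beginning with AKIA or ASIA, and a 40-character secret access key), uses a Shannon-entropy threshold to skip placeholder values, and runs over a small set of constructed file contents; the paths, the bucket name and the `SAMPLE_REPO` contents are all made up for illustration, and the key values are the examples from AWS’s own documentation.

```python
"""Scan source text for committed AWS credentials (added example, constructed data)."""
import math
import re
from collections import Counter

# Documented AWS formats: 20-char access key ID, 40-char base64-like secret.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws[_\-\s]*secret[_\-\s]*(access)?[_\-\s]*key"   # the variable name
    r"[^\n]{0,20}?"                                        # '=', ':', spaces
    r"['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"        # the 40-char value
)
ENTROPY_THRESHOLD = 3.5  # bits/char; real keys sit well above, 'xxxx...' at 0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line_no, kind, value) for every likely credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_KEY.finditer(line):
            secret = m.group(2)
            # Drop placeholders such as 'xxxx...' or 'your-key-here' padding.
            if shannon_entropy(secret) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "aws_secret_access_key", secret))
    return findings


def scan_repo(files):
    """Scan a mapping of path -> file contents, as a pre-commit hook would."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository contents (hypothetical paths and bucket name).
SAMPLE_REPO = {
    "config/settings.py": (
        "# credentials pasted straight into source: this is the doormat\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "BUCKET = 'rider-exports'\n"
    ),
    "README.md": (
        "Set AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx before running.\n"
    ),
    "app/storage.py": (
        "import os\n"
        "# hardened form: the value is injected at runtime and never enters git\n"
        "key_id = os.environ['AWS_ACCESS_KEY_ID']\n"
    ),
}

if __name__ == "__main__":
    for path, line_no, kind, value in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no}: {kind} {value[:4]}...")
```

Run as a pre-commit or CI step, a non-empty result from `scan_repo` should fail the commit. The placeholder in the README is correctly ignored because its entropy is zero, while the real-looking key pair in `config/settings.py` is reported; the `app/storage.py` form, reading the key from the environment (or, better, using an instance role so no long-lived key exists at all), is what should have been in the repository. Maintained tools such as git-secrets, gitleaks and truffleHog do the same job with far larger pattern sets.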

Walking in the door

In Ethics in Information Technology, Reynolds notes[7]:

An alarming number of identity theft incidents can be traced back to data breaches involving large databases of personal information. Data breaches are sometimes caused by hackers breaking into a database, but more often than one might suspect, they are caused by carelessness or failure to follow proper security procedures. For example, a laptop computer containing the unencrypted names, birth dates, and Social Security numbers of 26.5 million U.S. veterans was stolen from the home of a Veterans Affairs (VA) analyst. The analyst violated existing VA policy by removing the data from his workplace.

Reynolds noted as well, “The number of data breach incidents is alarming (over 1,450 in 2012 alone)”[8]. Data breaches are not new to business. Indeed, they occur with such regularity that many have become inured to them. Familiarity has just as much potential to breed apathy as contempt, it seems. As of 26 November 2017, the website Breach Level Index[9] reports more than 9 billion records lost or stolen since 2013, a rate of more than 5 million records a day, or almost 60 records a second. The website also suggests only 4% of breaches were ‘secured’, meaning the stolen data was encrypted and therefore of no use to the thieves:

[Image: Breach Level Index statistics, 26 November 2017]

In the grand scheme of things, Uber’s data breach is hardly the most substantial on record. Even with a 2015 publication date, Reynolds cites a 150,000,000 record breach in 2012 and a 130,000,000 record breach in 2009[10]. Equifax suffered a breach earlier in 2017, compromising personally sensitive information, including US social security numbers, for as many as 143,000,000 people[11].

Years after the event, Yahoo trickled out, over a series of press releases, an ever-increasing count of user accounts compromised in a 2013 breach, until finally admitting in 2017 that every user account had in fact been compromised[12]:

Yahoo today announced that the huge data breach in August 2013 affected every user on its service — that’s all three billion user accounts and up from the initial one billion figure Yahoo initially reported. Since disclosing the hack, Yahoo continued to add more numbers of accounts compromised, but today’s announcement makes it clear that if you had a Yahoo email account, you were part of the breach.

The hack exposed user account information, which includes name, email address, hashed passwords, birthdays, phone numbers, and, in some cases, “encrypted or unencrypted security questions and answers,” the company said back in 2016. Yahoo did confirm that passwords were not stolen in clear text, and hackers did not obtain bank or credit card information tied to the Yahoo accounts.

Depending on the circumstances and the data retrieved, breaches do not necessarily yield immediate results for hackers. Sometimes the value comes from combining breaches from different companies to form a more complete set of personally identifying information for affected users (e.g., matching usernames and birth dates from one site with usernames and social security numbers from another), and at other times the goal is to replay passwords harvested from a low-value, insecure site against another, higher-value site in the hope that users of both reused the same username and password (a technique known as credential stuffing). This is why a breach of unsalted or weakly hashed passwords at one site is a problem for every other site those users log in to.
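The defensive counterpart to credential stuffing is to refuse passwords that are already known to be in a breach corpus, and to do so without the checking service ever learning the password. Below is an added example for this post of the SHA-1 prefix (“k-anonymity”) scheme used by Have I Been Pwned’s Pwned Passwords service: the client sends only the first five hex characters of the password’s SHA-1 and matches the remaining 35 locally against the range the server returns. It is not the page author’s code or HIBP’s; the `LEAKED` corpus and its counts are constructed, and the whole thing runs offline.

```python
"""Breached-password check by SHA-1 prefix range (added example, constructed corpus)."""
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, as the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked_passwords):
    """Server side: index (password -> times seen) by the first 5 hex chars of SHA-1."""
    index = defaultdict(dict)
    for pw, count in leaked_passwords.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


def query_range(index, prefix):
    """Server side: every (suffix, count) sharing the 5-char prefix; the server
    never sees which suffix the client cares about."""
    return dict(index.get(prefix, {}))


def breached_count(index, password):
    """Client side: send the prefix only, then match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not seen)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return query_range(index, prefix).get(suffix, 0)


def acceptable(index, password, min_length=12):
    """Policy hook for a sign-up or password-change form: reject anything short
    or anything present in the breach corpus, regardless of how 'complex' it looks."""
    return len(password) >= min_length and breached_count(index, password) == 0


# Constructed corpus: illustrative strings and made-up counts, not breach data.
LEAKED = {
    "password123": 1_200_000,
    "letmein": 300_000,
    "qwerty": 2_000_000,
    "Summer2017!": 45_000,
}
INDEX = build_range_index(LEAKED)

if __name__ == "__main__":
    for candidate in ["password123", "Summer2017!", "correct horse battery staple"]:
        print(f"{candidate!r}: seen {breached_count(INDEX, candidate)} times, "
              f"acceptable={acceptable(INDEX, candidate)}")
```

The point of the prefix split is privacy: a five-hex-character prefix selects roughly one 1,048,576th of the hash space, so the server learns almost nothing about the password being checked, while the client still gets an exact answer. Note that `Summer2017!` satisfies the usual “upper, lower, digit, symbol” complexity rules and is still rejected, which is the behaviour you want once you accept that attackers replay real leaked passwords rather than guessing at random.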

When it comes to data breaches, companies can find themselves damned if they do and damned if they don’t. When Zappos suffered a breach of 24 million customer records in 2012, it immediately contacted customers to advise them to reset their passwords, and to do the same on any website where they used a similar password, yet it subsequently faced nine class action lawsuits[13]. Compared to the likes of Uber and Yahoo, Zappos responded with a high degree of integrity by notifying users within 24 hours of the need to check their security.

Accordingly, mandatory data breach disclosure laws are being introduced in an increasing number of jurisdictions, ostensibly to take the choice away from businesses when a breach occurs. Even Australia, a country quick to adopt technology but slow to legislate around it, is moving on mandatory data breach reporting: the Federal government has legislated reporting obligations for Commonwealth agencies and businesses, which take effect in February 2018[14].

The need to legislate that businesses disclose data breaches speaks to a potential failure on the part of business to hold the welfare of its customers in sufficiently high regard. Yet the legislation is lax in the time-frame it allows for breach notifications: the Australian legislation that goes live in February 2018 will require people to be notified within 30 days, and an attempt to amend it to require notification within 3 days of a breach was defeated. Even 30-day breach reporting was seen as onerous, however[15]:

Industry groups including the Australian Industry Group (Ai Group), the Association for Data-driven Marketing and Advertising (ADMA) and the Digital Industry Group Incorporated (DIGI), whose members include Google, Twitter, Facebook, Yahoo! and Microsoft, have argued that the existing voluntary notification scheme overseen by the Office of the Australian Information Commissioner is effective.

(You would be correct to note that a company which was reluctant and extremely tardy in revealing the full details[16] of a data breach of three billion users is part of an industry group which argued that voluntary disclosure processes were sufficient within Australia.)

While codes of conduct cannot guarantee that behaviour meets expected standards, in at least some industries they do instil a higher degree of personal accountability in ethically charged situations, either by attracting individuals who agree with the obligations, or at least by providing a means of censuring those who act contrary to them. There is certainly no binding code of conduct when it comes to information technology, either within specific industry verticals or globally across the profession[17]. When we consider how regularly breaches happen and how frequently disclosure fails to happen in a timely manner, this poses the question: are businesses and government agencies demonstrating that they are ethically mature enough to hold sensitive data?

Some would bet US$100,000 that the answer is no. Short of an epiphany within business, it seems likely that ongoing, concerted legislative attention will be needed to force a generational change in the ethical handling of data breaches. One might even suggest that the business acronym ROI needs to pivot from “return on investment” to “risk of incarceration” in order to encourage top-down attention to law and behaviour in relation to the ethical handling of data breaches.

Footnotes

  1. One might suggest, another scandal
  2. Uber boss says a data breach exposed 75m users’ data and the company didn’t tell anyone, ABC News, 22 November 2017
  3. Uber CEO
  4. Uber paid hackers to delete stolen data on 57 million people, Eric Newcomer, 22 November 2017, Bloomberg
  5. Security Breach Notification Laws, 12 April 2017, National Conference of State Legislatures
  6. Uber’s massive hack: What we know, Selena Larson, 23 November 2017, CNN Tech
  7. Ethics in Information Technology, George W. Reynolds, 978-1-285-19715-9, Cengage Learning, Fifth Edition Published 2015, p151
  8. Ibid.
  9. Breach Level Index
  10. Ethics in Information Technology, George W. Reynolds, 978-1-285-19715-9, Cengage Learning, Fifth Edition Published 2015, p152
  11. Equifax data breach: What you need to know, Kaya Yurieff, September 10, 2017, CNN Tech
  12. Yahoo says all 3 billion user accounts were impacted by 2013 security breach, Natt Garun, 3 October 2017, The Verge
  13. Ethics in Information Technology, George W. Reynolds, 978-1-285-19715-9, Cengage Learning, Fifth Edition Published 2015, p152-153
  14. Australia to get data breach notification regime, Rohan Pearce, 13 February 2017, Computerworld
  15. Data breach notification bill receives bipartisan backing, Rohan Pearce, 7 February 2017, Computerworld
  16. And indeed, revealed it piecemeal, over the course of several years
  17. While in particular system administrator guilds have been champions of promoting codes of conduct, their membership is wholly voluntary in almost all situations.
