Is It Really Worth Protecting Personal Information Anymore?
Hardly a week goes by without a headline shouting about yet another data breach. One of the biggest ever happened in January, to email marketing company Red City Media. Security researcher Chris Vickery of MacKeeper broke the news about the breach. It involved almost 1.4 billion accounts containing Personally Identifiable Information (PII) including email addresses, names, and addresses. Yahoo is on par with Red City Media, admitting to a 1 billion user account hack in 2013, along with the 500 million also hacked last year.
And then there are the continuous and ongoing breaches of healthcare data – Protected Health Information (PHI). The joys of data breach notification laws allow us to see, via the US Department of Health and Human Services (OCR) ‘Wall of Shame’, that in the last 10 weeks, 54 data breaches have been committed, the largest affecting almost 86,000 individuals.
In terms of breached individual PII and PHI, the genie is out of the bottle and we can’t easily put it back in.
The Price of Information?
Cybercriminals don’t steal personal information for fun (well, they might), but they mainly do it because it is a commodity that can be sold. The actual prices paid for consumer data vary and change over time. However, research performed by McAfee found that the average amount paid for US credit card details was $15, and bank login credentials can fetch up to $6000. Of course, the true costs of this are met by the hacked company and the individual. According to research by the Ponemon Institute, the cost to companies for each breached account is around $154, with PHI breaches costing even more at $355 per breached record.
A Personal Tale
Once your data is in the hands of someone who wants to commit fraud, they will use it. I have had direct experience of the result of my PII being stolen. Last year an attempt was made to take out a $12,000 loan in my name. I was lucky: it was stopped because of a mismatch in phone numbers in the application, and because of good security practice. The loan may have been stopped in time, but not before I had spent countless hours of my life on phone calls. There were three reasons why this fraud attempt was prevented:
- The PII that had been sold to the fraudster was incomplete. So, they had attempted to open an account with a credit file agency, in my name, to check the rest of my data. Fortunately, that company completed the account by sending a code to my address to finish the account creation process. This was my alarm bell.
- When that bell started to ring, I logged into my own legitimate credit file agency account and spotted an unrecognized credit file check that had come in from a financial organization. The account also showed me that a loan had been applied for.
- I called that organization to alert them the loan application was fraudulent. They already had suspicions because of a mismatched phone number (going back to the incomplete PII in 1 above) and were going to contact me to confirm the application.
This time it ended well for me, but the fact is identity theft is a growing problem. In fact, the Identity Theft Resource Center has described an “astronomical rise” in the number of social security numbers being exposed because of PII breaches. With data breaches increasing by around 40% in 2016, identity theft is fast becoming normalized.
The Compliance Conundrum
Data breach prevention has produced a swath of laws and regulations. In the US, the healthcare industry has the Health Insurance Portability and Accountability Act (HIPAA), along with its counterpart HITECH, which offer a framework for protecting PHI. In the financial sector, regulations such as the Gramm-Leach-Bliley Act (GLBA) offer similar advisories to protect sensitive consumer data. In Europe, the new General Data Protection Regulation (GDPR) will likely have repercussions that reach further than the EU states. As well as the legal frameworks for protecting data, organizations such as NIST offer a cybersecurity framework and advisories on best practice data protection. We should be covered. Yet, in 2016 we have more data breaches than ever before. The Breach Level Index shows nearly 6 billion data records have been stolen since 2013, with only 4% of them being encrypted. What is going wrong, and why, with all of the laws and regulations telling us how to protect personal information, do we have more breaches than ever?
The Cat’s Out of the Bag
The solution to PII / PHI protection is not straightforward. Even if you have encrypted the data correctly and put OWASP web security directives in place, if a key member of staff who has full database access is spear-phished, then the cat is out of the bag. Spear-phishing, where staff such as system administrators are targeted, has been the technique behind some of the biggest data thefts, including Target Corp. and Anthem.
We need to turn this problem on its head. Billions of us have already had some of our personal information stolen. Just protecting consumer data is not enough; we have to control the use of PII and put the user back in control. If the actual use of our data, for third-party transactions such as loans, is secured, then even if stolen, it will become useless to a cybercriminal.
The concept of a verified or assured identity is starting to take off in the consumer world. It is being driven by governments, such as New Zealand’s ‘RealMe’ and the UK Government’s Verify schemes, which use real-time verification of a person to create more secure access to online services. In the US this is being looked at by NSTIC, which is running pilots across several states to look at secure digital identity delivery.
Controlling access to personal information by making sure the person deciding to share these data really is the owner of that data, AND is explicitly consenting to the exchange, goes a long way towards protecting it. It should, at the very least, be part of the overall security equation. With a 40% increase in data breaches last year, what we are doing now to protect PII clearly isn’t working, so we have to look at other ways of ensuring that personal information use is controlled. It looks like the old ‘layered security approach’ is back in town, and using a combination of web security, encryption, adaptive authentication, and assured consumer identity management is the way forward.
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
Check out if your PII has been stolen: https://haveibeenpwned.com/
Susan Morrow has spent the last 20 years of her life working in various areas of security, and more recently online identity. She is most interested in the interplay between the cybercriminal and the victim – the games that are being played out in the world of cybercrime.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.