Where Responsibility Lies: What Businesses Do To Protect Your Data (Hint: It’s Not Enough)

Print More

In 2012, just under 50,000 cases of malicious cyber attacks were reported to the United States Computer Emergency Team, a department within Home land Security dedicated to computer based threats. In 2015, damage costs from cyber crime soared to three trillion dollars internationally. And much more recently, the number of reported cyber attacks that targeted business exploded to nearly 200,000 in 2017. However, the actual number may be around 350,000. The problem is only growing. As the world becomes more computerized, there is more to attack, and more people to exploit.

Unfortunately, technologies do not develop in a vacuum, so as security gets stronger, so do the tools that hackers use to circumvent those measures. After a recent wave of RansomWare attacks that targeted small business owners and private citizens alike, thousands were left wondering how they can protect themselves, their data, and their assets. At the end of the article, I’ve provided suggestions on what private citizens can do to protect themselves, but when it comes to large corporations that store millions of customers’ data, the issue is much more complicated.

In 2015, the UK equivalent of AT& T or T-Mobile, TalkTalk, began to receive reports of scam calls to their customers in which the scammer had access to the customer’s TalkTalk account details. The scammer would get the victim to log onto their computer and share their screen with the scammer, who would then install malware. Victims of the scam lost thousands of British pounds, directly from their bank accounts, and 21,000 TalkTalk accounts had been compromised. What’s most shocking is that TalkTalk had no idea that the breach had occurred. TalkTalk owned a call center, WiPro, in Kolkata, India, where employees of elevated status had access to an enormous amount of unencrypted user accounts. Three rogue WiPro employees loaded thousands of user accounts onto USBs, and handed them off to known scammers, with the understanding that if the scammer was successful, the employee would get a share of the profits. But it isn’t the data breach itself that put TalkTalk in the hot seat; data breaches occur all the time. Equifax, Home Depot, JP Morgan, and many others have had data breaches affecting millions of accounts, much larger than the initial TalkTalk breach. The issue was that, unlike the companies mentioned above, TalkTalk did not notify their customers that a breach had occurred. Eight months passed and the scams continued, but nothing escalated. However, in August of 2015, a second breach of TalkTalk customer data occurred, this time externally instead of internally as before. And this time, TalkTalk did notify customers, saying that additional security measures had been put in place, but to play it safe nonetheless. 2.5 million accounts had been compromised. Three months later, the TalkTalk network speed ground to a crawl. Customers were unable to access the Internet or even make phone calls. Eventually, the TalkTalk website went down. During this third breach the entire TalkTalk customer base, 4 million accounts, had been accessed. 156,000 accounts had had their details stolen.

None of it had been encrypted. Six people were arrested in connection with the hack, all of them under 21, the youngest being 15.

Ever since this third breach, TalkTalk has been on a long journey downhill, and are still generally regarded as an untrustworthy business.

You’d think that a cybersecurity disaster like TalkTalk’s would have encouraged other business to step it up. Unfortunately that isn’t the case. The same kind of attack used to breach TalkTalk, a SQL injection, was used to breach VTech, the children’s toy company at the end of 2015. 6.4 million accounts, which included (now hang in, this is a long one) parent’s name, email, question and answer for password retrieval, IP, home address, profile photos, and device passwords. Perhaps more disturbing, the hacker had access to the child’s name, gender, birthday, and photos, chats, and voice messages created by children playing with VTech devices. Again, not all of this data was encrypted. Passwords were MD5 hashed, a very weak form of encryption that I (a 16-year old with no professional cybersecurity experience) have been able to unhash. VTech didn’t use SSL, which ensures that browser users are securely connected with the website they’re using preventing man-in-the-middle attacks. Yahoo announced in 2016 that they had been the victim of the largest data breach in history, claiming that 500 million user accounts were stolen. It wasn’t until 2017 that Yahoo revealed the actual number of stolen accounts: 3 billion. Despite claims that all data was protected, it was eventually revealed that all the information in nearly all of the 3 billion stolen accounts was poorly encrypted.

In the US, unlike the EU, businesses are not required to report data breaches to government data protection agencies. I don’t know about you, but I would want to know when my information had been compromised. Anywhere that you have to enter information to make a purchase or to make an account, your information has the potential to be stored, which always has the potential to be stolen. With this in mind, companies need to be doing more to protect customer data. Data should be encrypted, all their software should be patched and updated regularly, and at the bare minimum, their networks should be sophisticated enough that a bored 15-year-old in his parents’ basement can’t steal 156,000 customer accounts. Companies shouldn’t be able to hide and downplay any breaches, especially those that directly threaten their customers in any way, financially or otherwise. Many business owners and corporate CEOs are behind the times and don’t have a true understanding of the threat of data breaches and cyber attacks. Furthermore, we, the consumers, are asked to essentially blindly sign over our data and information to companies who we don’t know if we can trust. It’s time for companies to embrace the responsibility that comes with holding a customer’s identity in their hands.

The question then is what CAN we do to protect our data? Most of it is common sense: don’t reuse passwords, enable two-step verification when available, stay up-to-date on patches (software updates specifically for fixing security flaws), verify senders of important emails, and be smart with what you download.

Reprinted with permission.