The 10 largest privacy threats in 2018
Looking at statistics, 2017 could be considered a record year for data breaches. For anyone following popular security-related news, this should not be a surprise, with major companies such as Equifax, Yahoo, and Uber in the spotlight for massive data leaks. Along with several other businesses whose sensitive data was exposed, there was a record-setting 1,339 publicly reported data breaches in 2017, according to a report from the nonprofit organization Identity Theft Resource Center (ITRC).
But what if I told you that, by its end, 2016 was also named a record year for data breaches? And – not surprisingly at all – the same happened to 2015? What about 2014? Same thing. And 2013? Yes, exactly the same. This pattern of each year surpassing the previous period is a long-running one, and only emphasizes how much of an impact a combination of lax security practices and the evolution of cybercrime tactics can have on privacy matters.
As the ITRC reports, in 2017 the number of exposed records reached 174,402,528, and one question remains unanswered: will 2018 hold true to this ill-fated tradition and create a new data breach record? We are already on the way, with companies such as Adidas, Under Armour and several others joining the hall of leakers. Or will the advances in data privacy regulations such as the GDPR and California’s recently approved Consumer Privacy Act of 2018 (which will come into full effect at the start of 2020) reverse this tendency and start showing – in numbers – the signs of a new era in which proper privacy and sufficient data protection will become a reality?
Either way, data privacy should still be a major concern, both for companies that process or store sensitive data on a daily basis as part of their business processes and for individuals, who must remain vigilant and make sure their rights are being respected.
Here, then, are the ...
10 biggest privacy threats in 2018
1. Vulnerabilities in web applications
A single vulnerability is more than enough to cause a major data breach. That is exactly what happened to Equifax; by exploiting a vulnerability that could feasibly have been patched back in March, hackers were able to enter into the system just a few months later in mid-May. This unfortunate situation, which exposed the personal data of 143 million people, could have been easily averted if the company’s patching procedures were in order.
2. Insiders and poorly-trained employees
Data exposure on the operator side is caused either intentionally by a malicious insider or unintentionally by a simple mistake. In the end, the effect can be quite similar, resulting in a large breach or even a smaller number of leaked records. However, a malicious insider may choose to select certain information which will be much more damaging if released.
3. Lacking breach response
Even with the best security controls, incidents leading to leaks are still a possibility. The point here is not making sure every incident is prevented, but rather being prepared to provide a swift response to minimize the impact of unforeseen situations.
IBM’s 2018 Cost of a Data Breach Study points out a simple truth: “The faster the data breach can be identified and contained, the lower the costs.” In the same report, the presence of an incident-response team is considered the top factor in reducing the per-incident cost of a breach.
4. Inadequate personal data disposal
Personal data should be kept only as long as the relationship with the customer or employee (and any related legal obligation) is in effect. After that, it should be securely disposed of; no excuses. The problem is, many companies still fail to effectively remove and/or delete personal data in a timely fashion after termination of the specified purpose or upon request. This is a direct GDPR compliance violation which will most likely result in hefty fines.
5. Lack of transparency in privacy policies, terms and conditions
Per the GDPR, consent is a major requirement for collecting, storing or processing personal data. In principle, in order to consent to something, it is first necessary to be able to understand what you are consenting to. Many companies still fail to publish a proper privacy policy, and in some cases where a policy is available, it is not written in language that can be understood by the general public (i.e. non-technical readers and non-lawyers). This is yet another example of a direct GDPR compliance violation that could lead straight to fines.
Companies should provide clear information describing the type of data collected, why it is being collected and how it is going to be processed, stored, shared and even disposed of.
6. Collection of unnecessary data
Collecting data should always be done with a specific purpose for which consent has been received. For example, a company selling sports goods will only require a name, an address, payment information and a form of contact for making its deliveries. For this specific purpose, it will not need to know your birthday, gender or favorite team. If the company wishes to collect this information for other uses (e.g. creating promotions or customized advertising campaigns), it should first obtain consent from the customer.
7. Personal data sharing
To put it simply, data is a currency, and it is quite common for companies to share it with third parties for several reasons. These reasons can range from enabling simple website widgets (e.g. maps, social network buttons), to monetary compensation and political schemes.
The most notorious recent example is the Facebook/Cambridge Analytica scandal, where data from over 50 million Facebook profiles was leaked to Cambridge Analytica so they could build models, and both predict and influence individual choices in the political field.
Again, this is all about letting individuals know their data will be shared and getting their consent before doing so.
8. Incorrect or outdated personal data
Individuals have the right to rectify outdated or incorrect personal data. This ranges from a simple address update to more complex situations, such as a medical record from a patient that was first diagnosed with signs of a specific illness, but later proved not to be afflicted. Whatever the situation, companies processing personal information should have specific procedures to make sure personal data is current and accurate.
9. Session expiration problems
Let’s say an individual gave consent for data collection while using an online service. If this service fails to implement measures such as a logout button or automatic session timeout, this may result in collection of additional personal data without the user’s consent or awareness. Some services (e.g. Facebook) do not implement automatic session expiration, and if a person forgets to log out and leaves the computer unattended, someone else could easily have access to personal or even sensitive information.
There are a number of security controls for dealing with this type of situation; OWASP even publishes a session management cheat sheet that can be used to avoid privacy problems.
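The logout and automatic-timeout controls described above can be enforced on the server side as in the following sketch, which is an added example and not code from the original article or from OWASP. The `SessionStore` class, its method names and the two timeout values are assumptions chosen for illustration.

```python
import secrets
import time

# Assumed values for illustration; choose them per application risk.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before expiry
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # maximum session lifetime in seconds


class SessionStore:
    """Hypothetical server-side session table with idle and absolute expiry."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so expiry can be tested
        self._sessions = {}      # session id -> record

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unpredictable session identifier
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user of a live session; destroy and reject an expired one."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        idle = now - rec["last_seen"]
        age = now - rec["created"]
        if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            self.logout(sid)     # expiry is enforced here, not by the client
            return None
        rec["last_seen"] = now   # activity resets only the idle timer
        return rec["user"]

    def logout(self, sid):
        """Explicit logout: drop server-side state so the id cannot be reused."""
        return self._sessions.pop(sid, None) is not None
```

Because the absolute timer is never reset, a session that stays continuously active on an unattended machine still ends after `ABSOLUTE_TIMEOUT`.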
10. Data transfer over insecure channels
Personal data being transmitted over insecure protocols (e.g. FTP, HTTP) can be easily captured by an unauthorized third party. For this case, enforcing secure protocols (e.g. SFTP, TLS) is the safest option for avoiding a breach. It is important to remember that even when encryption is enforced, it may be vulnerable if you are using an outdated protocol such as SSL v3.
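As an added example (not part of the original article), the sketch below shows both halves of this point: a client TLS context that refuses outdated protocol versions, and an audit of a transfer inventory that flags plaintext schemes and outdated negotiated protocols. The function names and the sample inventory are assumptions constructed for illustration; treating TLS 1.0 and 1.1 as outdated alongside SSL v3 goes beyond what the text names.

```python
import ssl
from urllib.parse import urlparse

PLAINTEXT_SCHEMES = {"http", "ftp"}  # insecure protocols named in the text
# SSL v3 is named in the text; the older TLS versions are an added assumption.
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hardened_client_context():
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_transfers(transfers):
    """Flag insecure entries in an iterable of (url, negotiated_protocol or None).

    The protocol strings follow the names returned by ssl.SSLSocket.version().
    """
    findings = []
    for url, proto in transfers:
        scheme = urlparse(url).scheme.lower()
        if scheme in PLAINTEXT_SCHEMES:
            findings.append((url, "plaintext protocol"))
        elif proto in OUTDATED_PROTOCOLS:
            findings.append((url, f"outdated protocol {proto}"))
    return findings


# Constructed sample inventory of data transfers (hypothetical hosts).
SAMPLE = [
    ("ftp://files.example.com/export.csv", None),
    ("https://api.example.com/customers", "TLSv1.3"),
    ("https://legacy.example.com/upload", "SSLv3"),
    ("sftp://files.example.com/export.csv", None),
]
```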
11. Bonus round: Dealing with the unknown
Many vulnerabilities can remain dormant for several years before being discovered and causing a major privacy impact. This was the case with Meltdown and Spectre. Discovered in 2018, these vulnerabilities plague most modern processors, affecting personal computers, mobile devices and even cloud infrastructure, and allow attackers to steal data, including personal information.
It is quite possible to imagine similar vulnerabilities waiting to be found, and while it is not possible to deal with them until they are discovered, companies wishing to avoid a privacy incident should always take a safe approach (e.g. reducing the exposure surface, adopting tested security practices) for dealing with the unknown enemy.
Conclusion
While hackers, crackers and cybercrime syndicates are often still a step ahead of the general public, legislators all around the world are doing their best to create or update regulations that will make sure personal information is adequately protected.
Unfortunately, cybercriminals are not the only privacy threat source. Many times the companies themselves – which we trust with our personal data – not only fail to implement the necessary security measures, but also have no shame in playing the villain part, using private information for personal gain without any consideration for individual rights.
Changing this scenario will require more than simply passing laws and goes well beyond ordinary compliance with data privacy regulations. For this new data ethics era, individuals are required to understand the value of their personal data, the sort of threats it is exposed to, and how to make sure their rights are being respected. Companies processing personal data need to understand this paradigm change, and either adapt the way business is done or be prepared to deal with an immense level of both reputational and financial damage.
Sources
- OWASP Top 10 Privacy Risks Project, OWASP
- 2017 Data Breach Report, Identity Theft Resource Center
- Adidas Says Millions of U.S. Customers Being Alerted of Breach, Bloomberg
- The Under Armour Hack Was Even Worse Than It Had To Be, Wired
- 2018 reform of EU data protection rules, European Commission
- California Passes Sweeping Law to Protect Online Privacy, The New York Times
- Cost of a Data Breach Study, IBM
- Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major breach, The Guardian
- Session Management Cheat Sheet, OWASP