Lack of User Privacy Threatens Security Defenses

Data threats come from three general fronts: individuals sharing too much information, data breaches and corporations selling increasingly granular customer data. Security professionals frequently sound warnings for the first two. The last one is rarely acknowledged as a security threat and more commonly labelled a privacy issue. But security and privacy are not separate subjects; they are intertwined aspects growing from the same vine.

“One cannot be secure if little to no attention has been paid to privacy protection. Consumers are a common target for an attacker to hijack sensitive user information and compromise not only that one person, but to also attack any platform where the individual’s details might be pertinent, such as their employer,” said George Gerchow, chief security officer at Sumo Logic, a logs management and security analytics company.

But that’s only one part of the threat companies now face from the data other companies are selling.

“If you think of security as ‘keeping the bad guys from getting the data,’ then security and privacy go hand in hand. The bad guys don’t have to break in, they can just buy the data. Or buy the advertising slots to illegally manipulate people, even without buying the data,” warned Isaac Potoczny-Jones, founder and CEO at Tozny, a multi-factor authentication system provider.

Key employees also can be targeted, tracked and manipulated in ways beyond data breaches and online trickery.

“The problem is, the loss of privacy has made the adversaries’ job much easier, and your job much harder,” said Corey Nachreiner, CTO at WatchGuard Technologies, a network security vendor. “While I don’t think it makes security impossible, few people have the patience, diligence and constant vigilance to defend against attacks that use our own data against us. It would be much easier to secure ourselves if society put stricter regulations on how businesses use data.”

Make no mistake, data threats can and do emerge into real-world physical attacks. Here are just a few ways that happens.

Surveillance Data for Sale

“Let’s face it, many of the major telecoms’ and technology companies’ business models mostly or wholly depend on mass surveillance. Facebook would not exist without it. Google would be a fraction of their current size. Almost the entire digital advertising ecosystem would never have been invented,” said Richard Stokes, partner and founder of Winston Privacy, a plug-and-play privacy device that protects all home devices from mass surveillance. “Their raison d’etre is surveillance. We know it and these companies know it. Without consumer tracking, many of them go out of business.”

Chief among surveillance data is geographic data that not only shows where a mobile device user is standing at this very moment, in real time, but also everywhere that user has been.

“Geolocation allows criminals to ‘case the joint’ without even being there. Think about this: If you are not home and your location data is being sold on the dark web, which is then in turn purchased by a thief, it’s easy enough for them to know when you’re not home—maybe even on vacation,” explained Karen Schuler, BDO’s National Data & Information Governance Practice Leader.

But robbing a place where you aren’t is only one possible threat scenario stemming from access to geographic data through either a purchase or a breach. Stalkers, spies, kidnappers, rapists and even assassins can use such data to find their victims.

The Threats in Mobile Phone Geographic Data

Of course, law enforcement can also use geographic data to catch criminals, as evidence for trial and to rescue victims of crime or accidents. The point is, geographic data has good uses as well as bad. It’s important to point out, though, that the goal behind the sale of geographic data usually isn’t to save victims—or to prevent anyone from becoming a victim.

“It’s fallacious to call a platform ‘secure’ if, in the same breath, it willingly participates in the selling of its users’ data to third parties. This phenomenon has caused quite a stir in the media as of late, and rightfully so,” said Pavel Bains, CEO and co-founder of Bluzelle, a decentralized data ecosystem provider.

Indeed, in June of this year, Verizon and AT&T pledged to stop providing information on phone owners’ locations to data brokers. The move came “after a prison contractor let law-enforcement officers track wireless customers, even non-inmates, without authorization,” according to a Bloomberg report.

“The practice skirts the carriers’ legal obligation to be the sole conduit by which the government conducts surveillance of Americans’ phone records, and needlessly exposes millions of Americans to potential abuse and surveillance by the government,” Senator Ron Wyden said at the time in the Bloomberg article.

It was a shocking new vulnerability that mobile phone users had never before contemplated.

“Until now, almost all of the recent news about the sale of private data has been focused on Facebook and Cambridge Analytica. Verizon’s announcement highlights the fact that private user data is captured by multiple technology companies,” said Dan Goldstein, president and owner of Page 1 Solutions, a full-service digital marketing agency.

“Your smartphone tracks everywhere you go. Verizon is learning from Facebook’s mistakes by getting out in front of this issue. It begs the question, however, about what other private data they have been capturing and selling and also demonstrates that many other tech companies like Google, Amazon, Apple, as well as ISP providers like AT&T and Comcast among others may have sold private user data without consent,” he added.

Privacy Regulations Not a Likely Fix

There are many other companies and telecoms that have not pledged to stop selling user geolocation data. The momentum may be too great for there to be industrywide actions. According to the recent CA Technologies’ “State of Digital Trust” report, almost half of consumers are willing to provide their personal data in exchange for digital services, and 49 percent of business executives admit to selling consumer data.

As long as this situation persists, security professionals will need to step up their game to protect employees and the C-suite from being tracked, recorded, manipulated or physically attacked through easy access to this and other data, which is sold not on the dark web but in broad daylight and on mainstream channels.

Meanwhile, don’t bet on privacy regulations to safeguard your company and charges.

“Even with GDPR in full swing, there are already complaints that the regulation is failing to improve privacy for people on the ground. Post GDPR, most firms have simply made consumers agree to updated policies that provide consent for the continued use of their data. Many questionable practices have been justified under the ‘legitimate interest’ umbrella,” said Sean McGrath, cybersecurity advocate for

Pam Baker

Security Boulevard