Building Trust

Internet Society’s Online Trust Alliance 2018 Cyber Incidents & Breach Trends Report

On Tuesday, July 9, 2019, the Internet Society’s Online Trust Alliance (OTA) released its 11th Cyber Incident & Breach Trends report, which provides an overview of cyber incidents and offers steps organizations can take to prevent and mitigate the potential damage. This year’s report found a shifting landscape of cyber incidents: as the growth of some attack types levels off, others increase.

Adding it all up, OTA estimates that there were more than 2 million cyber incidents in 2018, and it is likely that even this number significantly underestimates the actual problem. OTA estimates an overall financial impact of at least $45 billion worldwide. The lead categories of attacks are cryptojacking (1.3 million) and ransomware (500,000), followed by breaches (60,000), supply chain (at least 60,000 infected websites), and Business Email Compromise (20,000).

There are many organizations that track data breaches overall. For example, Risk Based Security reported the highest number, at 6,515 breaches and 5 billion exposed records, both down from 2017. These estimates vary depending on the methodology used – see our full report for all of the breach estimates and our methodology.

One well-established attack type, ransomware, saw a decline in 2018. However, the total dollar value of these attacks continues to grow. Another well-known attack is Distributed Denial of Service (DDoS). Examples of successful DDoS attacks in 2018 range from banking (ABN AMRO) to education (Infinite Campus) to email services (ProtonMail) to software services (GitHub).

Business Email Compromise, where employees are deceived into sending funds to attackers posing as employees of a firm, also grew. The FBI’s 2018 Internet Crime Report reported more than 20,000 incidents in the U.S., resulting in nearly $1.3 billion in losses (an increase from approximately 16,000 incidents and $677 million in losses in 2017).

New to this year’s report is cryptojacking, which saw a marked increase in 2018. Trend Micro detected more than 1.3 million instances of cryptojacking code in 2018, a greater than three-fold increase from 2017. Supply chain attacks, also new to the report, grew as well. Symantec’s Internet Security Threat Report reported a 78% growth in supply chain attacks.

Other attack categories are based on the shifting infrastructure of the Internet. Many businesses rely on cloud services for some or all of their operations and as a result have become a target for attacks. One estimate by research firm Digital Shadows found that in 2018 there were 1.5 billion files exposed around the world solely due to misconfigurations in cloud services.

IoT devices are increasingly becoming tools to carry out various types of attacks, from DDoS to cryptojacking. Kaspersky Labs reported that in the first half of 2018 they saw a three-fold increase in the number of malware variations used to attack IoT devices.

But the report offers advice on how organizations can better prevent and mitigate cyber incidents. Organizations can use the OTA IoT Trust Framework to help make the entire IoT ecosystem safer. They can also follow the recommendations in the Cyber Incident & Breach Trends report.

While the landscape of cyber incidents is both vast and shifting – and may include new attack types – the guidance offered in the report remains largely unchanged. Organizations must remain vigilant and assume that at some point they will have to deal with a cyber incident. Following the recommendations in the Cyber Incident & Breach Trends report is a good first step.


Customer Data Isn’t Always an Asset: Lessons from the Marriott Data Breach

As data analytics have improved, the massive amounts of data that companies acquire from their customers have only gained in economic value. In the corporate world of today, this data can be a real asset for companies. However, as today’s news that the records of over 500 million guests of Marriott International’s Starwood division hotels were involved in a data breach makes clear, corporate thinking about the value of customer data needs to be reevaluated.

Especially when it comes to corporate acquisitions, companies need to start treating customer data as a potential liability, as well as an asset.

In September 2016, Marriott International acquired Starwood for $13.6 billion. When Marriott International sought to buy the Starwood hotel chain, Starwood’s customer data played a central role in its reasoning for the acquisition. Citing higher income and better brand loyalty among program members, Arne Sorenson, the Marriott CEO, specifically referred to Starwood’s loyalty program as a “central, strategic rationale for the transaction.” Loyalty programs, in addition to attracting repeat customers, also “provide hotels with a wealth of information on their guests” which hotels can use to “create laser focused marketing campaigns for various different kinds of guests.”

While Marriott International successfully acquired Starwood, along with its valuable loyalty program and customer data, it also unwittingly acquired a data breach in progress, which would go on to damage its global brand.

As an internal investigation has suggested, the criminals behind this recent data breach had been inside Starwood’s networks since 2014 – two years before the acquisition. These criminals gained “unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before 10 September 2018.” For some customers, this information includes personal information like contact information, mailing addresses, names, and even passport numbers. Marriott International has also been unable to rule out the possibility that payment information, like credit card numbers, was stolen as well.

In news reports, this is not Starwood’s data breach, but Marriott International’s. And this incident is already costing the company. Overnight, its stock price dropped by over 5%. Like any data breach, this incident will harm trust between the company and its customers. To try to rebuild its customers’ trust, Marriott International has set up a website about the incident and a dedicated call center, said it will send out email notifications to those impacted, and (in some countries) will pay for a year’s worth of a monitoring service to alert them if their personal information is being shared online. All of this takes money and resources.

The Marriott – Starwood acquisition and data breach provides an important lesson: when a company is negotiating an acquisition, data security and data handling practices must be a central part of the negotiations, and a company’s due diligence.

When Marriott International acquired Starwood and its data, they also acquired the risk associated with storing and handling that data. Digital security is a crucial part of a corporation’s bottom line, and security incidents can quickly become disastrous for a business. Before making acquisitions, companies need to carefully look at the digital security and data handling practices of the businesses they seek to acquire, analyze the risks, and reassess.

How much risk am I really willing to pay for? Is $13.6 billion and a data breach a fair deal?

Read the Cyber Incident & Breach Trends Report, which includes core readiness principles and a top-level readiness checklist.


Will Uber Drive Us to Federal Breach Legislation?

The past six months we have witnessed an unparalleled level of questionable business practices resulting from data breaches. Trusted brands such as Uber, Equifax and others, which have been entrusted with significant amounts of personal data, have failed the American public. The breach missteps and follies only continue. Each time, most of us within the security and privacy communities have rolled our eyes in disbelief.

While it is important that we do not victimize the victims, and acknowledge that there is no perfect defense, it is equally important for organizations to be prepared for an incident and to be transparent about how they respond. Every organization has an implied and legal responsibility to apply best practices to help prevent incidents, detect events and be prepared to respond and remediate the impact. Judging by these past incidents, the concept of data stewardship and accountability has gone by the wayside. All too often these organizations are caught flat-footed, or attempt to hide the incident for a range of what appear to be self-serving reasons. Perhaps they have recognized that the current regulatory landscape has few meaningful ramifications or that they will not be held personally accountable. Self-regulation appears to be failing, and the existing regulatory construct does not appear to be a deterrent or to be taken seriously by executives and their boards. In the case of Yahoo and Equifax, the CEOs walk away with millions of dollars while the impacted consumers are left on their own.

With each major breach event I have hoped it would be a watershed moment, becoming a catalyst for change. Today US companies are faced with a complex mosaic of 48 State breach laws, plus several sectorial regulations. While nearly everyone complains about the challenge of navigating this maze of regulations, no progress to develop a national breach regulation has occurred. Ironically, there is generally rough consensus on several key requirements defining 1) reasonable baseline security, 2) personal or covered information, 3) notification triggers and requirements and 4) remedies. Having personally worked on over a dozen such draft bills, I have been disappointed at how partisan efforts and trade groups have driven these efforts off the road, ignoring the impact on consumers.

I am hopeful this time it will be different. The allegations against Equifax and Uber have ratcheted the issue to new heights. On May 26, 2018 the EU Data Protection Directive (GDPR) will be enforceable. While many companies will be prepared, the vast majority will not be, nor do they recognize the risks. Technically they only need a single resident of the EU for the regulations to kick in. GDPR requires regulators to be notified within 72 hours of learning of an incident, while US companies have shown disregard, taking in some cases 6 to 12 months. The US is by and large sadly behind the rest of the world in recognizing privacy rights and data breach reporting requirements.

Last week the Senate Commerce Committee ranking chair Senator Bill Johnson (FL-D) proposed legislation making it a criminal act to not disclose such data. This has the potential to wake up the C-suite. As we look forward to new legislation, I propose that legislation be modeled after CAN-SPAM (the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003”). Enacted in 2004, CAN-SPAM is a single Federal Law, pre-empting individual State Laws while permitting State right of enforcement. Primary enforcement would be left to the Federal Trade Commission, and State Attorneys General could join in actions or file on their own. Similarly, there needs to be a penalty that does not rely on harms or damages being proven. We need to take the best from leading States such as California, New York, Massachusetts and others. As a benefit to industry, such legislation should also provide safe harbor from Federal and State laws, as well as from the threat of class-action suits, to companies that have employed reasonable security and are in full regulatory compliance.

At the end of the day both consumers and business will benefit from federal breach legislation. Having a consistent set of rules and regulations will raise the bar of breach prevention and readiness, save tens if not hundreds of thousands of dollars in legal costs, and, most importantly, enhance consumer protection and expedite timely notifications.

Who knows, perhaps in the long run we might be able to “thank” Uber for driving us to this destination.

Craig Spiezle

Managing Director, Agelight Advisory Group
Chairman Emeritus, Online Trust Alliance
Follow Craig on Twitter @craigspi

Note: The views expressed in this op-ed do not necessarily reflect those of the Internet Society.


What India's Banking Industry Breach Can Teach Us About the Importance of Collaboration

Towards the end of October 2016, several Indian banks announced they would be recalling millions of debit cards in the wake of a data breach that affected the backend of software that powered an ATM network there.

It was a situation that could have been better mitigated; a government-sponsored organization tasked with sharing information about data breaches completely missed the warning signs that a breach was taking place. As a result, no one connected the dots until millions of fraud cases had been detected.

Raj Singh, Regional Bureau Director for the Asia-Pacific region, Internet Society, recently gave me his insights into the lessons that organizations in all industries can learn about mitigation from this incident, as well as how to overcome barriers that prevent collaboration, which is vital to mitigation efforts.

Information Sharing and Collaboration: The Keys to Successful Mitigation

Data breaches are all too prevalent nowadays. “Hackers will always try to find a weakness in the system,” Singh asserted. While organizations should continue their efforts to prevent such breaches, they must also have a mitigation strategy in place to offset the disastrous effects of cyber crime.

In the case of the Indian ATM data breach, the Information Sharing and Analysis Centre (ISAC) established by the Indian government failed to detect the breach in time because each compromised debit card was flagged as a case of fraud rather than the result of a cyber attack. Before this incident, banks bore the responsibility of tracking and handling fraud cases. No one raised an alarm until millions of debit card customers complained of fraudulent charges.

Singh pointed out that the situation could have been managed much better “if people had realized that hacks and breaches have multiple dimensions.” If ISAC had treated each case of debit card fraud as a cyber crime, a pattern would have emerged much sooner. When the Indian government founded ISAC, no one considered the possibility that credit and debit cards were so vulnerable to hackers. “People are focused on the door when the hacker is coming in through the window,” Singh added.

In general, the finance industry has some strong information sharing mechanisms in place that have a good reputation for mitigating the impact of data breaches. Singh noted that Singapore’s Association of Banks (SAB) and the global Financial Services – Information Sharing and Analysis Center (FS-ISAC) are two examples of organizations that enable members to share news of threats so that others can attempt to prevent or at least mitigate attacks.

It’s becoming abundantly clear that information sharing and collaboration must take place outside of the finance industry, too. The EU’s Agency for Network and Information Security (ENISA) published a report at the end of December 2015 about the importance of information sharing and collaboration in prevention and mitigation of cyber attacks for all industries. In the Obama administration’s final cybersecurity report, released at the beginning of December 2016, researchers stressed how crucial it is that the private sector and the public sector share information to prevent mass cyber attacks from taking place.

Easier Said than Done: Barriers to Information Sharing and Collaboration

Making recommendations and even being a member of an information sharing network still isn’t enough to keep incidents such as the one in India from unfolding. Singh observed that barriers hamper vital collaboration between firms and organizations that would otherwise counter or at least mitigate the consequences of a cyber attack.

For a start, SAB and FS-ISAC only share information with members. So, if your company doesn’t operate within the finance industry, you don’t have access to details of threats submitted by SAB or FS-ISAC members.

Secondly, Singh observed that businesses tend to be quite competitive and hesitant to share information about any possible weakness. Yahoo is a recent example of just such a company. In 2014, hackers stole encrypted passwords and personal data from over 500 million accounts. It took Yahoo over two years to uncover the breach and disclose it. Users responded by threatening to shut down their accounts. American senators expressed their dismay at Yahoo’s slow detection and response to the attack. After disclosing the breach, the value of Yahoo’s stock fell three percent.

Another barrier to information sharing and collaboration is the “it can’t happen here” mindset. “There’s a lack of empathy and understanding,” Singh explained. Businesses might say, “Oh, a data breach hit a bank. We’re not in the banking sector, so we don’t need to worry about something like that affecting us.” While some businesses in industries outside of finance might pay attention, others won’t because they haven’t been hit by hackers yet, or they’re unaware that they’ve been attacked. Of course, that mindset leads to firms falling prey to hackers. “A data breach can happen anywhere, anytime,” Singh emphasized.

Overcoming the Hurdles to Improve Breach Mitigation

Singh doesn’t view these burdens as insurmountable. He believes that organizations can improve collaboration and information-sharing efforts in order to mitigate breaches.

One of the first steps is stronger regulations and enforcement of existing rules on data breach disclosure and data sharing. “From what I hear, everyone says that they’re talking to each other and working with each other,” Singh remarked. “But that’s taking place at conferences. What’s happening on the ground?” He added that self-regulation is unreliable, because of the competitive nature of business and the desire to be seen as strong and invulnerable. Although many countries have enacted personal data protection laws, they don’t seem to be powerful enough to force companies to collaborate so that incidents such as the one in India don’t take place again.

As consumers share more information with organizations, and those organizations rely on interconnected digital systems that are prone to breaches, the risk for hacks will only continue to rise. When businesses work together and treat information on data breaches as something to be disclosed rather than a closely guarded secret, they have the power to better protect their customers and keep their reputations (and profits) intact.

Editor’s note: For more on data breaches and their impact, please see the Internet Society’s 2016 Global Internet Report.


Dan Geer Revisits 2014 BlackHat Recommendations: More Industry Recognition of the Problem, Much Left To Do

Computer security analyst and risk management specialist Dan Geer used his keynote at the Black Hat conference in 2014 to make 10 policy recommendations for increasing the state of cybersecurity. Among his suggestions: mandatory reporting of cybersecurity failures, product liability for Internet service providers and software companies, and off-the-grid alternative control mechanisms for increasingly Internet-reliant networks like utility grids and government databases.

I caught up with Geer for an update on his proposals, and his views on the current state of cybersecurity.

First, let’s talk about your policy recommendations for making the digital world safer. Have you seen any progress on any of these fronts?

Not in the concrete sense of here’s a law, or here’s a dollar or here’s a new organization, but in the sense there is broader recognition that we actually have to do something. This isn’t just a bunch of ninnies complaining. We have to do something.

The sensitivity to all of this is getting higher. I hope that doesn’t result in panic or doing something silly, which could happen. I hope instead that the reaction is more, “you’re right, we really have to do something substantial.”

Can you point to some examples of this broader recognition?

If you look at the topics that are discussed at meetings that are not academic meetings, more and more of them have a policy flavor, and only a small number still that “here’s a technological nicety that’s really cool.” Again, I take that as a marker in time, as a change in opinion, as to whether the threats are real or not.

Also, just as we thought that some banks were too big to fail, I think we have to think about things on the Internet that are too connected to fail. That idea is beginning to get a little play. For instance, there is a bill in the U.S. Senate, The Securing Energy Infrastructure Act (S.B. 3018), that argues that electric systems need to have, at least in part, analog not digital controls. Like a fire line or firebreak, where a failure can’t jump from this point to that. I think the very idea that a sitting senator would introduce something talking about the need for non-digital controls on the grounds of resilience is indicative of minds coming around.

You also call for mandatory reporting of security breaches. Is there any progress being made on that front and why do you think that is important?

It’s going to happen and I think it’s going to happen for public companies first. The Securities and Exchange Commission has been ramping up its rule-making in this area for a couple of years now. The issue goes to materiality and what do I have to tell my stockholders. Cyber failure has clearly become material. And things related to it that are secondary, like loss of trade secrets and customer data, have become material.

Most of your recommendations focus on organizations and companies. Where do consumers fit into this and the liability issues of cyber failures?

It’s getting harder for consumers to avoid being recruited into problems. There was a recent example of closed-circuit televisions that were recruited for a giant distributed denial of service attack. Consumers are not in a position to prevent what they own being used as a weapon against someone else. If my car is stolen and is used in a bank robbery, I probably won’t face any repercussions. If my handgun is stolen and used in a bank robbery, I might, especially if I left it on the front porch. Where is the line for computers? Probably closer to the automobile. But on the other hand, Internet service providers have to take some responsibility. If they want dumb clients then it’s their problem.

We have seen some big companies report massive breaches recently, albeit quite a while after the fact. Do you think more are stepping up on their own to announce security breaches, or are they only coming out when they are forced to?

According to the Data Breach Investigations Report from Verizon, 80 percent of data breaches are discovered not by the victims but by someone else. That is important, and it hasn’t changed. If people don’t report cyber failures then you are encouraging silent failure – silent in the sense that you discover there has been a cyber invasion and you repair it but don’t tell anyone. I am sympathetic, but I’m afraid you’re going to have to tell. It’s like driving off the end of a bridge and not telling anyone. And silent failure is the problem we have more of than anything else. Silent failures often are gateways or stair steps to other failures.

So it is essential that we get a handle on this kind of thing. In the medical world, you have medical privacy unless you have a disease that is too important. If you show up with the plague, that’s a big deal. Sorry about your medical privacy, but we have to notify all sorts of people.

Some people may object to that, and they may have an argument of principle, but they don’t have an argument of logic.

That same logic should apply in cyber space. As the definition of a material event changes, like you lost all your client data or accidentally shipped something that had malware in it, those things all have to be reported.

I am not sure how to make that pleasing for all concerned. It’s one of those things that it’s a bad solution but I don’t have a better one.

You run the Index of Cyber Security which regularly polls those on the front line about the state of cybersecurity. What are some of the trends you are seeing?

A steady increase in risk more than anything else, but other things as well. Three years ago, we asked what fraction of the security tools that the respondents are using now would they install again if starting from scratch. Three years ago, they expressed buyer’s remorse for about a third. This year buyer’s remorse had grown to half. So, my reading between the lines is “I am buying one of everything and my unhappiness is growing.”

Another thing that I think is quite fascinating is that the size of data breaches seems to be on a curve known as power law, an interesting kind of curve that says in effect the biggest one you’ve ever seen to date will be eclipsed by a bigger one but bigger in a certain substantial kind of way. That is what is happening and while we are talking, just such a report (from Yahoo) has appeared.

To quote Nassim Taleb, “We are undergoing a switch between continuous low grade volatility to the process moving by jumps, with less and less variations outside of jumps.” Using a forest fire analogy, if there are no little forest fires, then eventually you will get a whopper. In the woods, that is due to a buildup of combustible timber. On the Internet, that is due to a buildup of unwarranted trust and dependence.

Editor’s note: For more on data breaches and their impact, please see the Internet Society’s 2016 Global Internet Report.


'Security Fatigue' Complicates the Battle Against Data Breaches

With the news of a second, even bigger hack of Yahoo user data, common sense might conclude that consumers would be scurrying to batten down their Internet hatches. But a new study indicates otherwise, concluding that “security fatigue” has made many of us numb to the dangers lurking in cyberspace.

“Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security,” a team from the U.S. National Institute of Standards and Technology concluded in an article for IT Professional, which is published by IEEE Computer Society. “All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”

The study by Brian Stanton, Mary F. Theofanos and Susanne Furman, all of NIST, along with independent consultant Sandra Spickard Prettyman, found that many users have indeed reached this saturation point.

So, the announcement in December by Yahoo that it has identified another security breach, from 2013, that compromised passwords, birthdays and other personal information from more than 1 billion accounts, will likely do little to bolster Internet security – at least among average users.

In fact, with the rise of mobile, the Internet of things and the continued linking of just about everything in our personal and professional lives to global networks, the study underscores what many have long warned will be a growing number of increasingly bigger security breaches, from distributed denial of service, or DDoS, attacks, to hacks of retail, banking, healthcare and other sites that we freely share our personal information with on a daily basis.

The report is based on an analysis the authors did of a larger 2011 study of average computer users in the Washington, D.C., area and Central Pennsylvania.

Although that original study did not specifically address security fatigue, the authors say they began to notice “many indicators in which fatigue surfaced as participants discussed their perceptions and beliefs about online privacy and security.”

After recoding the data, they said, security fatigue surfaced in 25 of 40 interviews, and was one of the most consistent codes among the dataset.

“I think I am desensitized to it,” one respondent is quoted as saying. “I know bad things can happen. You get this warning that some virus is going to attack your computer, and you get a bunch of emails that say don’t open any emails, blah, blah, blah. I think I don’t pay attention to those anymore because it’s in the past. People get weary of being bombarded by ‘watch out for this or watch out for that.’”

The authors said the data shows participants often don’t feel personally at risk, or assume they are not important enough for anyone to care about stealing their information. They highlight several comments in which they say the “frustrated tone, minimization of risk and devaluating of information is evident.”

“It doesn’t appear to me that it poses such a huge security risk,” one wrote. “I don’t work for the state department, and I am not sending sensitive information in an email. So, if you want to steal the message about (how) I made blueberry muffins over the week, then go ahead and steal that.”

Another wrote: “If someone needs to hack into my emails to read stuff, they have problems. They need more important things to do.”

What many of the respondents apparently don’t realize is that while their personal communications and information may be of little value to hackers and cyber thieves on their face, their lax security practices enable the bad guys to hijack their computers and networks and use them in broader attacks, such as DDoS attacks that can cause huge outages across the Internet.

So what can the IT community do? The researchers said it’s time to “rethink the way we currently conceptualize the public’s relationship to cybersecurity.”

They make three specific recommendations:

(i) limit the decisions users have to make related to security,
(ii) make it easier for them to do the right thing and
(iii) provide consistency whenever possible.

For example, in the workplace, they suggest offering different ways for users to log into the system, including an option between a traditional user name and password or the use of a personal identification and verification card.

“As IT professionals, it is our responsibility to take up this challenge and work to alleviate the security fatigue users experience,” they write.

“…We must also continue to investigate users’ beliefs, knowledge, and use of cybersecurity advice and the factors, such as security fatigue, that inform them, so we can ultimately provide more benefit and less cost for adopting cybersecurity advice that will keep users safe online.”

In other words, improving online security is going to require a concerted effort to not only educate computer users about the need to follow security guidelines, but also provide them much easier ways to keep their data safe on an ongoing basis.

Editor’s note: For more on data breaches and their impact, please see the Internet Society’s 2016 Global Internet Report.


New Study Reveals More Than 200 Mobile Sites/Apps are Exposing Sensitive Consumer Information

The Wandera 2017 Mobile Leak Report, a global analysis of almost 4 billion requests across hundreds of thousands of corporate devices, found more than 200 mobile websites and apps leaking personally identifiable information across a range of categories – including those that are essential for work.

Most notably, the study revealed:

  • More than 59 percent of all the leaks identified were from just three categories: news and sports, business and industry, and shopping.
  • Among the leaking mobile sites and apps were well-known services such as ESPN Fantasy Rugby, Fox Sports and Royal Mail.
  • The vast majority of leaks included sensitive information such as email/username (90 percent) and password/hash (86 percent).
  • 80 percent of the top 50 adult sites were leaking some form of PII.

I spoke with Michael Covington, vice president of Product at Wandera, about the report and what it means for both businesses and consumers.

What is the Mobile Leak Report?

The Mobile Leak Report is a summary of research that uncovered more than 200 well-known and reputable digital services responsible for exposing sensitive consumer and enterprise information. These “data leaks” are particularly relevant to mobile users because the primary culprits were apps and mobile-tailored websites that failed to protect the sensitive information as it was in transit.

In your opinion, what was the biggest “take away” from this report?

For me, the biggest take away from the report is a realization of how critical end-to-end visibility can be when assessing security risk. Most organizations have no visibility at the data level of how a corporate mobile device is being used. Simply understanding the risks is an essential first step to plugging the holes.

I’m fairly confident that most users assume mobile apps and websites will protect their sensitive information; sadly, this report shows that those assumptions are flat out wrong. We found that these 200+ leaks were coming from devices in more than 20 countries that were using apps, websites and mobile websites – it seemed that no one was spared.

The information at risk included credit card details, dates of birth, addresses, home phone numbers and passport information. Overall, it was a staggering amount of detailed information that was being exposed.

Without some end-to-end visibility that could expose these leaks, most organizations are flying blind and have no idea how much they, or their employees, are exposed.

What was the most shocking discovery within this report?

In my opinion, the biggest shock contained within this report was the fact that so many mainstream apps were leaking the private information of the users and organizations that trusted them with this data in the first place.

Our research shows that this problem is not isolated to a particular category or service domain. The fact that the data leaks are so broad and span geographies is what I found most disturbing.

With data leaks being so broad, what can be done to mitigate these risks?

First, companies that publish apps and maintain online services should have a security development lifecycle practice that considers security and privacy requirements early in the development process. These same organizations should also be undergoing thorough security audits on a regular basis to ensure that their security requirements continue to be met.

Secondly, companies with mobile users who utilize apps to handle sensitive data need to have tools in place to manage security risk. We have seen several instances where even the official app stores have been plagued by malicious apps, fake apps and apps that simply fail to protect the privacy of sensitive information.

Companies that are embracing mobility must have a plan in place to deal with security issues when—not if—they occur.

What is your advice to consumers on reducing leaks or protecting themselves from these mobile leaks when using their favorite apps?

Enterprise security teams are usually the most organized when it comes to assessing their overall risk exposure, largely due to investment in third-party tools and services to help manage that risk.

For consumers, however, it is difficult because there is no visual cue on an app that indicates when a connection is secured.

Consumers can take some basic steps to help protect themselves. I recommend that mobile end users spend time reviewing app store comments and at least limit their downloads to the official app stores so they can minimize their overall risk exposure.

What other steps need to be taken to address data leaks?

When it comes to data leaks, the biggest change that’s needed is with the publishers and owners of content. Whether you are a major sports news website or a train operator or an online streaming music service, you absolutely must consider security and privacy as part of the transaction with your users.

Time-to-market is important, but rushing an app through the review process or launching a mobile website before it’s been tested is a mistake because it could put your users—not to mention your brand—at risk.
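The report above was built from traffic analysis: requests from apps and mobile sites that carried personal data without transport protection. The following is an added example of that kind of check, not Wandera's tooling; the request records, host names and parameter names are constructed for illustration.

```python
"""Flag requests that carry PII over a plaintext (http://) connection."""
from urllib.parse import urlsplit, parse_qs

# Constructed request log: (app_name, url, form_body). In a real deployment these
# records would come from a device-side or gateway-side traffic capture.
SAMPLE_REQUESTS = [
    ("news-reader", "http://example-news.test/login", "email=a%40b.test&password=hunter2"),
    ("sports-app", "https://example-sports.test/login", "username=bob&password=pw"),
    ("shop-app", "http://example-shop.test/track?email=c%40d.test&dob=1980-01-01", ""),
    ("mail-app", "http://example-mail.test/ping", "status=ok"),
]

# Parameter names that indicate personal data when they travel in clear text
# (assumed list, mirroring the report's email/username, password/hash, DOB,
# phone, card and passport categories).
PII_FIELDS = {
    "email", "username", "password", "pass", "hash", "dob",
    "phone", "card", "passport",
}


def _fields(url, body):
    """Return the lower-cased parameter names found in the query string and form body."""
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    names |= set(parse_qs(body, keep_blank_values=True))
    return {n.lower() for n in names}


def find_leaks(requests):
    """Return (app, host, sorted leaked field names) for each plaintext request carrying PII.

    Only scheme 'http' is inspected: a TLS session protects the fields on the
    wire, which is exactly the protection the leaking services omitted.
    """
    leaks = []
    for app, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        hit = _fields(url, body) & PII_FIELDS
        if hit:
            leaks.append((app, parts.hostname, sorted(hit)))
    return leaks


if __name__ == "__main__":
    for app, host, fields in find_leaks(SAMPLE_REQUESTS):
        print(f"{app}: {host} receives {', '.join(fields)} in the clear")
```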


The data-driven world doesn’t run on data: it runs on trust.

News of the recent, large-scale data breach at US health insurer Anthem adds yet another big name to the list of companies that have suffered targeted attacks, compromising the personal details of millions of people. The company itself has reacted quickly with an admission, an apology, and a website with more information for those affected. But what’s the bigger picture, in terms of good practice in data custody?

First and foremost, this is an issue of trust. The data-driven world being what it is, we no longer have an alternative to being digital citizens. If you bank, pay tax, receive social security or healthcare benefits, or use a telephone, you are partly digital… and of course most of us do far more than that in the digital realm every day. No matter how concerned you are about privacy, it just isn’t realistic to expect to withdraw from the digital world, so you have to place your trust in the growing number of organisations who collect, process and share your personal data.

The Internet Society recently published its approach to cybersecurity:

We risk losing the trust of users who have come to depend on the Internet for many of life’s activities. And we believe that we also risk losing the trust of those who have yet to access the benefits of the Internet, thereby discouraging the kind of investment needed to complete the job of connecting everyone in the world.

Data breaches undermine trust, and shake people’s confidence in services from which they often cannot simply withdraw. But the problem is not confined to health insurance, or to commercial organisations, or to the US. There are plenty of examples of poor data custody in the public sector and in other countries around the world. So, what can and should organisations do to ensure that they are the best possible custodians of personal data, are worthy of trust, and – when the worst happens – can rebuild the trust of the individuals whose data they hold?

Be a good data custodian

One lesson about good practice can be drawn from Anthem’s own response to this breach. According to their website, although the data breach affected a worrying set of personal details, the company expresses confidence that it has not compromised other specific datasets such as claims data, medical information and credit card details. We don’t yet know the details of the attack, but one question, clearly, will be whether the data that was not breached benefited from protection that could have been applied to the data that was breached. For example, credit card companies insist on specific safeguards under schemes such as PCI DSS (Payment Card Industry Data Security Standard). Were some of Anthem’s data stores simply easier to access than others? Were the authentication and access controls strong enough?

It would be premature to jump to conclusions in Anthem’s case, but these principles are generally applicable:

  • Compartmentalise data so that the impact of any single breach is limited.
  • Restrict access to data, so that only the right users/roles and applications can unlock it.
  • Increase the strength of authentication required, according to the sensitivity and scope of data accessed.
  • Protect privileged users’ access with particular care.
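The four principles can be expressed as a single access decision: which compartment a role may unlock, what authentication strength that compartment demands, and a stricter floor for privileged users. This is an added example, not Anthem's or the Internet Society's code; the store names, roles, sensitivity tiers and assurance levels are assumptions chosen for illustration.

```python
"""Access decision applying compartmentalisation, role restriction, step-up
authentication by sensitivity, and extra care for privileged users."""
from dataclasses import dataclass

# Compartmentalise: each store carries its own sensitivity tier and the set of
# roles permitted to unlock it (assumed values).
STORES = {
    "membership": {"tier": 1, "roles": {"support", "claims", "clinical", "dba"}},
    "claims":     {"tier": 2, "roles": {"claims", "dba"}},
    "medical":    {"tier": 3, "roles": {"clinical", "dba"}},
    "cards":      {"tier": 3, "roles": {"billing", "dba"}},
}

# Authentication strength required per tier: 1 = password only,
# 2 = password plus a second factor, 3 = hardware-backed credential
# (for example the PIV card option the earlier article mentions).
REQUIRED_ASSURANCE = {1: 1, 2: 2, 3: 3}

# Privileged roles always need the strongest assurance, whatever they open.
PRIVILEGED_ROLES = {"dba"}


@dataclass
class Session:
    user: str
    role: str
    assurance: int  # strength of the authentication this session performed


def decide(session, store):
    """Return (allowed, reason) for a session attempting to open a data store."""
    spec = STORES.get(store)
    if spec is None:
        return False, "unknown store"
    if session.role not in spec["roles"]:
        return False, f"role {session.role} may not open {store}"
    need = REQUIRED_ASSURANCE[spec["tier"]]
    if session.role in PRIVILEGED_ROLES:
        need = max(REQUIRED_ASSURANCE.values())
    if session.assurance < need:
        return False, f"step-up required: need assurance {need}, session has {session.assurance}"
    return True, "ok"


if __name__ == "__main__":
    for s, store in [(Session("ann", "support", 1), "claims"),
                     (Session("bob", "claims", 1), "claims"),
                     (Session("root", "dba", 2), "membership")]:
        print(s.user, store, decide(s, store))
```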

The recent publicised attacks have targeted data at rest, as opposed to data in motion – but there’s little point securing your databases if you let the same data cross the network in the clear. Data needs protection whether it’s being stored or being sent. Session-level encryption can protect data against exposure while it’s in transit, and encrypting datasets/documents before sending them ensures that they don’t simply fall out of the end of a session-encrypted ‘pipeline’ in a vulnerable form.

Any data custodian should think carefully about the privacy and security implications of measures that undermine data confidentiality, such as cryptographic “back doors” or “golden keys” to facilitate third-party access.

Remember: if you’re a data custodian and you suffer a breach, you’re not the victim: you’re the route the attacker took to get to the victims. Don’t leave that route open.

Size isn’t important

Although breaches at big, high-profile companies hit the headlines, technology makes it increasingly easy for tiny organisations to accumulate colossal amounts of data. We’re frequently told that big data is the new oil… but who would spend millions finding and extracting oil to make billions from it, but then keep it in a big plastic bucket in the back yard?

To put it bluntly: if your business model is to monetize individuals’ personal data, then protecting your raw material makes sense for you as well as them.

Prevention is better than cure

Anthem, like many organisations before it, is trying to reassure victims of the breach by offering credit monitoring and identity protection services. But the individuals whose personal data has been compromised still face months, maybe years, of effort and inconvenience to mitigate the resulting risk. They are at greater risk of identity theft, identity fraud, a worsened credit rating, and reputational damage.

It is notoriously difficult to associate a specific data breach with the harm an individual might suffer further down the line – and that difficulty grows with each successive breach. An identity (built up from data like name, address, date of birth, social security number) is not like a credit card. If your credit card is compromised, it is simple: you have the bank cancel it and issue a new one. You can’t do that with your identity, yet we protect the credit card data with more care. Does that make any sense?

Where personal data is concerned, the impact of a breach is potentially so irreversible that prevention, rather than cure, must be the priority.

Recognise the real value of personal data

The hidden theme through all these recommendations is this: personal data has value, both to the individual concerned, and to the organisations that collect and process it. Too often, that value is disregarded for the sake of convenience or cost-saving. Identity data deserves just as much protection as credit card data, or medical data.

Every individual whose data you process puts their trust, and to some extent their future in your hands. Be a safe repository for their data, and a worthy repository for their trust.