by Sally Chase
“By their nature, large databases will never be free of abuse by breaches of security. If a large system is designed for ease of access, it becomes insecure; if made watertight, it becomes impossible to use.”
-University of Cambridge Professor of Security Engineering Ross Anderson
It began like the old fable of the boiling frog. We barely noticed a database breach here, the leak of personally identifiable information there. Leisure businesses were the first to fall—restaurants, retail outlets, hotels, entertainment platforms… So what if the dark web had our passwords and points, our travel plans and shopping history? By the time the breaches reached the state level, hardly anyone raised an eyebrow. We knew the tradeoff. Engage in society; hand over your data. Police database leaks revealed your neighbor’s peccadillos, and the history of the homeless woman at the intersection. Utilities records showed who was the least eco-conscious, running up large electricity bills. Department of motor vehicles breaches exposed our weight to the world, and our worst photo. We gossiped and laughed, and went on with our day.
When birth certificates, immigration documents, passports, social security cards, fingerprints, and TSA biometric scans entered the public domain, it became a little harder to prove our identities, but that was the cost of business in the modern world. We were all equally exposed, so the risk was distributed. Genetic and medical records were published, followed by voting and educational records, but by then our embarrassment threshold was high, and rules were in place to discourage discrimination. If anything, it made us more sympathetic. Bob’s having a bad day? Well, he has that heart condition. Sue said a careless word? She’s struggled with her temper since preschool, according to her Head Start files.
If it had happened years prior, the release of everyone’s private browsing data and online conversations would have shredded the social fabric. But we’d grown accustomed to the fact that we were all a bit weird, lonely, and afraid. Old insults were mostly forgiven and forgotten.
Intellectual property became a loser’s game, so innovation flagged, but with everything everyone did available to everyone else in real time, we were entertained enough with our current toys.
The first undeniable blow came with collapse of the financial industry’s firewalls, but by then it was too late. Cybercriminals had everything they needed to wipe out portfolios with cruel efficiency. Savings and investment accounts were drained overnight; credit and insurance claims were maxed out. As the economy ground to a halt, with families, businesses, and governments in pandemonium, the hackers dealt the death blow. The Pentagon, NSA, CIA , FBI, and DHS—along with their counter-parts around the globe—lost control of their digital assets. You can imagine what came next. The frog was boiled.
According to Verizon’s 2019 Data Breach Investigations Report, databases are among the most frequently compromised assets. A number of high-profile data leaks have made headlines in the past few years. The 2017 Equifax breach, for example, exposed the sensitive information of over 140 million consumers. The same year, a River City Media mistake leaked nearly 1.4 billion records. Not to be outdone, Yahoo admitted that a prior breach had disclosed 3 billion records. Deloitte, Bell Canada, and Uber also experienced significant breaches in 2017.
In 2018, Facebook, Reddit, Google Plus, Popsugar, Orbitz, Marriott International, WordPress, Quora, USPS, Mixology, Buca di Beppo, Under Armour, Air Canada, British Airways, MyHeritage, HauteLook, Blank Media Games, Medicare and Medicaid, and Ticketfly were among the organizations affected by breaches. 2019 saw more than 100,000 data security events, with breaches at Amazon, Microsoft, First American Corporation, Capital One, StockX, LifeLabs, DoorDash, Canva, Adobe, Facebook, Quest Diagnostics, Truecaller, and Westpac, among others.
Cybersecurity breaches may cost as much as $600 billion annually. For the sake of comparison, the economic cost of natural disasters, is estimated at just $76 billion. Individual victims of identity theft end up losing an average of $2,895, according to a recent Department of Justice study. While these figures are alarming, the human impact of loss of security, privacy, and even physical safety is incalculable. Stalking, threats, entanglement in plots against Hamas, and lapses in medical care, for example, are just some of the demonstrated risks of data breaches. The majority of respondents to an Identity Theft Resource Center survey reported feeling worried, angry, frustrated, violated, unsafe, helpless, sad, stressed, fatigued, distracted, distrustful, and betrayed as a result of their security incident. 84% experienced disrupted sleep patterns; 57% faced persistent stress-related physical pain such as headaches and stomach issues. The study concluded that identity theft impacts victims’ “daily lives in perpetuity.” Unsatisfying resolutions like Equifax’s botched settlement rollout, the payout of which may be down to about $6 per person at this point, only add insult to injury.
There’s reason to fear things may get worse before they get better. Experts caution that cyber threats may increase dramatically with the dawn of innovations like 5G networks and quantum computing. 5G’s unique threats stem from its wide distribution of vulnerable inroads, virtualization of formerly physical protocols, and reliance on brand new managing software. Quantum computing, with its ability to reduce “computing time from 10,000 years to a little over 3 minutes,” could put everything from “your personal financial or health records, to corporate research projects and classified government intelligence” at risk, in the words of Representative Will Hurd. As is often the case, novel technologies engender novel vulnerabilities.
Threats to database security come in a variety of forms. Authorized users, unauthorized users, malware, software bugs, user error, and design flaws all pose threats to data privacy. Breaches can variously expose, lock, wipe, or alter databases, resulting in jeopardizing leaks of personal information, damage to financial or informational assets, loss of control over essential functions (think airplanes, self-driving cars, automated medical equipment), or alteration of crucial data (think election results). While there are some measures available to database managers to safeguard their systems—such as controlling access, auditing use, encrypting data, employing firewalls, disabling unnecessary features, regularly updating software, enforcing the use of strong passwords, and securing physical hardware—many approach breaches as a matter of “when” not “if.”
In addition to routine database hygiene measures, other creative personal, technological, legal, and societal solutions are in the works. Security-savvy individuals are using ad blockers and VPNs to guard their browsing data. They’re applying strong privacy settings and only signing up for essential services and apps, supplying dummy answers on company forms eager to gobble up their PII, and setting up social profiles under aliases. The average Jane is learning to use strong, diverse passwords in conjunction with password managers, and to freeze her credit reports, in order to minimize the fallout of leaks. She is steering clear of suspicious messages, downloads, and links; installing security software; and avoiding unsecured networks.
Technological innovations give additional reason for hope. Messaging apps like Signal and WhatsApp offer end-to-end encryption. Search engines like Presearch and DuckDuckGo aim to challenge Google’s ascendancy by providing a platform that doesn’t collect and sell personal data. Presearch promises, “We do not track or store any of your information or searches.” Meanwhile, over in the financial industry, Bank of America, Goldman Sachs, PNC and more are testing cards with lithium battery-powered dynamic CVV codes that change several times a day. Other innovators are pioneering safe ways to share documents, encrypt the internet of things, authenticate users without transmitting private data, and code against “post-quantum” attacks. More sophisticated threat detection and response tools are also under development.
Progress is being made on the legal front as well. The California Consumer Privacy Act, passed in 2018, gives consumers “the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect.” 25 US States have data privacy laws in place, with more in progress, and federal laws variously protect children, medical information, financial transactions, and credit information. On the international stage, the European Union’s transformative 2016 General Data Protection Regulation, which applies to everyone who offers services to or processes data from anyone in the EU, limits what data can be collected and how long it can be stored. Brazil has plans to enact a similar law in 2021. Obviously, new laws won’t put an end to malicious or accidental breaches, but they will stymie the collection of hackable personal information in the first place.
Finally, the nonprofit sector is actively involved in driving change. Groups like the International Association of Privacy Professionals (IAPP), Privacy Rights Clearninghouse (PRC), Electronic Privacy Information Center (EPIC), and Center for Democracy and Technology (CDT) champion designs and regulations that respect individuals’ data rights. CDT, for example, is monitoring potential abuses of students’ data privacy amidst the ongoing pandemic and accompanying technological stop-gaps. EPIC drives policy research and legislative efforts, filing frequent amicus curiae briefs, speaking before Congress, and organizing conferences. PRC acknowledges and works to change a reality where there is “no comprehensive right to privacy; little trust in those who collect, share, and use our data; and lack of power to protect our privacy.” IAPP published a promising comprehensive “Privacy Ecosystem Map” of “companies and organizations shaping the future of data privacy.” The map includes dozens of organizations from advocacy groups to regulatory boards, consulting firms, and businesses providing training and technological solutions.
Will these efforts pave the way to a more secure future, one where we’re confident in the safety of sensitive data transactions, we retain ownership and control of our PII, and we protect vulnerable parties from exposure and exploitation—or will Dr. Anderson’s warning prove insurmountable? Stay tuned.