Another Week Another Data Breach…

Last Thursday, I found myself enjoying the view from our new office: a sunny day with a clear blue sky. On the digital front, however, the clouds appeared greyer, as just that morning I had received yet another e-mail informing me that a service I had signed up for did not protect my information properly. Consequently, my social media profiles and email address had been leaked. Frustrating, yes, but not really private information. In fact, my mail address has been part of my public profile for years, and there is probably nothing less private than social media. Over the last 12 months, Cambridge Analytica and Facebook's technical issues with their API keys have only strengthened my conviction that social networking platforms are not an area where you can afford to post anything you may not be comfortable with later.
So, what can we learn from these breaches?
First, we must face the harsh reality that they are bound to happen. Empirical wisdom points to the fact that by now we should assume that the services we sign up for will be unable to protect our data and that, at some point, they will get compromised. This is sad, but true. Once we subscribe to this mindset, we can start to prepare for the inevitable data breaches, and luckily there are plenty of things we can proactively do to protect our online identities.
Passwords: They will be compromised! Therefore never, ever re-use the same password across multiple services. I belong to an industry that likes to complicate things, including passwords. That is necessary, but the key to strong and secure passwords is that they should be unique. If they are not unique and you re-use the same password across services, then the impact of a data breach suddenly gets much bigger. It is not just your presence on your favourite forum about sea turtles and cute kittens, but your whole digital life that gets impacted. Admittedly, with all the services we now use, it is almost impossible to remember passwords. So why not use technology to help you? Personally, I use a password manager, which is protected by additional two-factor authentication (2FA) based on a physical piece of hardware (call me paranoid). If you are less paranoid, use a service or application that can integrate with a TOTP soft-token on your smartphone, i.e. that little 6-digit number that keeps changing.
Some password services are cloud-enabled applications; however, most of them will go to extreme measures to protect your data. After all, they hold the keys to your digital kingdom. If you don't trust them, you can use one of the many open-source applications that you can run on a device where you control the data. In short, all passwords need to be unique, and you must remember to protect them. Furthermore, for any service, you should enable two-factor authentication. Pretty much any respectable service will offer 2FA in one form or another. Special care should be taken around your mail account, as it is always of interest to hackers and, more importantly, any password reset will be sent to that account, so it becomes a pillar of trust for all of your other applications.
Data: As data will be breached, you should think about what is appropriate to share. I always consider the purpose and risk whenever doing anything online. This probably means that my Facebook profile is quite boring with the occasional re-share of some silly video but otherwise stripped of real information about myself. My wife and I decided early on not to share pictures of our kids. Not from a security perspective as much as we think that our kids should be able to decide for themselves if they want their pictures online. After all, I don’t believe I was the cutest kid in the world, so I am happy social media was not around in my youth!
When it happens: You need to be able to monitor for data breaches, because you may not be told by the service owner. I use a website that monitors my e-mail addresses and tells me if they have been associated with a data breach. When it happens, I assess the data breach and take the necessary precautions. This could be something as simple as being a bit more alert when receiving e-mails, to potentially getting a new credit card, or at least monitoring my credit card statement a little more closely.
There can be nasty cases where you find yourself stuck between a rock and a hard place. For example, the recent Marriott breach resulted in the leakage of over 500 million records, exposing sensitive data including user information, reservation details, and passport information… ouch, that is bad! The issue with passport information is that it is very hard to change. I can never change my date of birth, where I was born, or my nationality. Even changing your social security number, which is typically registered in a passport, is a very cumbersome process. These are therefore the ones I am really worried about.
For this reason, I am happy to see that there are now more serious consequences for companies that process and store such information. GDPR and local information security laws are already starting to impact companies, and there is good reason for that: protecting your identity and data is serious, and there is no easy answer.
Blog by: Nicolai Solling, CTO at Help AG