In a year that was all about data and privacy, it seems only fitting that we closed out 2019 in the shadow of a jumbo data leak where more than a billion records were found exposed on a single server.
Despite this being one of the largest data exposures from a single source in history, it didn’t cause nearly the public uproar that one might expect from a leak involving personal information such as names, email addresses, phone numbers, LinkedIn and Facebook profiles. Instead, this quickly became yet another case of consumer information being mishandled, impacting many of the same consumers that have been burned several times already by companies they trusted.
What’s different about this leak – and what should have given consumers and businesses alike pause – is the way in which this case highlights a more complex problem with data that exists today.
There’s no question that data is a very valuable asset. Organizations have done a great job figuring out how to capture consumer data over the last decade and are now beginning to use and monetize it. The problem is, that data can also be used in many different ways to inflict serious pain on victims in their personal and business lives. So, when that data goes through someone’s hands (business or individual), how much responsibility do they – and those up the lifecycle chain – have for where it ends up?
Beginning at the consumer level, users can opt out of sharing data and should do so at any chance they get if they are concerned about having their information exposed. The good news is that new regulations like the GDPR and CCPA are making this easier to do retroactively than ever before. The challenge is that the system isn’t perfect. Aliases and other databases can still be difficult to opt out of because although they may have information captured, errors like misspellings can prevent consumers from getting to their own data.
With this particular incident, we also caught a glimpse of the role that data enrichment, aggregators and brokers play in security. Although it didn’t come directly from their own servers, the exposed data was likely tied to enrichment firms People Data Labs (PDL) and OxyData. While several data brokers today are taking more responsibility and offering security and privacy education to their customers, it was alarming to see that neither data broker in this case could rule out the possibility that their data was mishandled by a customer. In fact, rather than pushing for a solution, Oxydata seemed to shirk responsibility entirely when speaking with WIRED.
Data brokers need to own up to this challenge and look at better screening of their customers to ensure their use of data has valid purposes. A case study by James Pavur, DPhil student at Oxford University, underscored these failings in the system when he used GDPR Subject Access Requests to obtain his data from about 20 companies, many of which didn't ask for sufficient ID before sharing the information. He went on to try and get as much data as possible about his fiancée, finding he could access a range of sensitive data, including everything from addresses and credit card numbers to travel itineraries. None of this should be possible with proper scredaening in place.
Ultimately, whoever owns the server where the leak originated is the one that will be held legally and fiscally responsible. But should data brokers be emulating the shared responsibility model in use by cloud services like AWS? Either way, by understanding the lifecycle of data and taking additional responsibility upstream, we can begin to cut down on the negative impact when exposures like this inevitably occur.
About the author: Jason Bevis is the vice president of Awake Security Labs at Awake Security. He has extensive experience in professional services, cybersecurity MDR solutions, incident response, risk management and automation products.Copyright 2010 Respective Author at Infosec Island
The U.S. Securities and Exchange Commission (SEC) this week published a report detailing cybersecurity and operational resiliency practices that market participants have adopted.
The 10-page document (PDF) contains observations from the SEC's Office of Compliance Inspections and Examinations (OCIE) that are designed to help other organizations improve their cybersecurity stance.
OCIE examines SEC-registered organizations such as investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others.
Through its reviews, OCIE has observed approaches that some organizations have taken in areas such as governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.
Observed risk management and governance measures include senior level engagement, risk assessment, testing and monitoring, continuous evaluation and adapting to changes, and communication. Practices observed in the area of vendor management include establishing a program, understanding vendor relationships, and monitoring and testing.
Strategies related to access rights and controls that were observed include access management and access monitoring. Utilized data loss prevention measures include vulnerability scanning, perimeter security, patch management, encryption and network segmentation, and insider threat monitoring, among others.
In terms of mobile security, organizations adopted mobile device management (MDM) applications or similar technology, implemented security measures, and trained employees. Strategies for incident response include inventorying core business operations and systems, and assessing risk and prioritizing business operation.
By sharing these observations, SEC hopes to determine organizations to review their practices, policies and procedures and assess their level of preparedness.
The presented measures should help any organization become more secure, OCIE says, admitting that “there is no such thing as a “one-size fits all” approach.” In fact, it also points out that not all of these practices may be appropriate for all organizations.
“Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency. We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices,” Peter Driscoll, Director of OCIE, said.Infosec Island