Op-Ed: When your data is stolen, what’s really at stake? A lot, and maybe for a long time.
Much has been made of data breaches and resulting class actions. There’s an ungodly number of class actions, to start with. There’s little if any mention of specific payouts to those affected.
A little digging around, however, finds much fuss and almost no deep analysis of the issues. The potential impact on those whose data is stolen seems to be seriously underrated.
This digging around told me that there was a conspicuous lack of hard numbers. There isn’t much if anything related to any sort of real or imaginary compensation for those affected.
So many major companies have experienced data breaches. The law is slow. Companies are fined for data breaches, but what about the people?
(Disclosure: I’ve had this experience myself as a result of a data breach.)
The issues for people whose data is stolen are complex.
After your data is stolen, that’s just the beginning.
You receive constant phishing emails. Hundreds, in fact, bot-generated.
Just clicking on the wrong thing could mean you are then personally hacked.
This could go on for a long time, years, in fact.
Are you “hacked for life”?
Was the data stolen sufficient for identity theft or further targeting?
How could you possibly ever be sure that the risks were over?
Data is a huge global market. We can thank data brokers for turning personal data into a commodity. The criminals do it differently. They’re not trying to sell you irrelevant time-wasting ads. They want cash any way they can get it.
Many of the operators are basically “data theft outworkers”, making pennies. Others work actual 9 to 5 jobs, with HR hiring, salaries, commissions, etc. This is an entire sector of the global economy, and it’s worth billions per year. They do mean business, and they mean your business.
That’s the basic layout. The legal issues, however, are a lot more demanding:
Privacy: How dangerous could a personal data breach be? Can you be doxed by a data breach? Short answer, in most cases, yes. Doxing is usually based on some sort of data leak or disclosure. That sort of personal information is a standard requirement in data management and could be very high risk for some.
Ongoing and long-term risk: If people have your information, they’re probably not going to just leave it there gathering dust. They’ll find a use for it. That could be several years at least of significant risk.
Actual value of the data stolen in commercial terms: This is more of an auditing exercise than legal, but it quantifies the monetary values for compensation. If you have a long-term high-value financial or health policy, the value is inevitably a factor in assessing data value.
Identity theft and fraud: How do you assess whether the data stolen can be used for identity theft? There has to be some identity information involved. What if someone uses your stolen data for “services” which translate into cash claims or actual transactions? It’s good money laundering practice, too.
Any and all of these hypotheticals can be turned into realities with a few clicks. That’s the risk for the people whose data has been stolen.
The bottom line is that there are far too many risks for those whose data has been stolen. Not much seems to be getting done about compensation, data protection, or anything useful, except making headlines out of the problems.
(To be fair, some protection against identity fraud has obviously worked, but compare that to the huge amounts of data stolen every day.)
OK, so what’s to be done about it?
Personal ID information can be “tagged” to see if it goes anywhere it shouldn’t. This could be part of the encryption process at setup. SSL data could be easily modified as an extra invisible level of protection.
The movement of breached data could be monitored using any sort of added code that identifies movements of specific information. This should also deliver information about physical locations.
Dummy information could be put on databases to locate theft. These would be perfectly normal-looking accounts full of worms, white hat malware, etc. It wouldn’t cost much to do, either.
Redirects to law enforcement could be triggered by a data breach. “If breached, go to FBI, Interpol, national security, etc.” with a simple command. You’d get play-by-play evidence for prosecutions.
Proxies don’t work when it’s specific data being tracked. That eliminates the main defense against tracking.
ISPs, VPNs, and databases can provide real-time information regarding any stolen data with a few tweaks. AI-based security could also process and identify operators pretty efficiently.
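One way to make the “tagged” data and dummy-record ideas above concrete, as an added example that is not part of the original op-ed: decoy accounts carry a keyed tag, so a decoy that turns up in a leaked dump identifies which data store it was copied from. The key, domain, names and store names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed values for illustration; a real key would live in a secrets vault.
SECRET = b"constructed-demo-key"
CANARY_DOMAIN = "example.com"
FIRST_NAMES = ["alex", "sam", "jordan", "casey", "morgan", "riley"]
STORES = ["billing-db", "crm-db", "support-db"]
TAG_RE = re.compile(r"[a-z]+\.([0-9a-f]{10})@" + re.escape(CANARY_DOMAIN))

def _tag(secret: bytes, store: str, index: int) -> str:
    """Keyed tag binding one decoy record to one data store."""
    return hmac.new(secret, f"{store}:{index}".encode(), hashlib.sha256).hexdigest()[:10]

def make_canaries(secret: bytes, store: str, count: int = 3) -> list[dict]:
    """Build normal-looking decoy accounts to seed into `store`."""
    records = []
    for i in range(count):
        tag = _tag(secret, store, i)
        name = FIRST_NAMES[int(tag[:2], 16) % len(FIRST_NAMES)]
        records.append({"name": name, "email": f"{name}.{tag}@{CANARY_DOMAIN}"})
    return records

def attribute_leak(secret: bytes, stores: list[str], dump_text: str, count: int = 3) -> dict[str, int]:
    """Count decoy records from each store that appear in a leaked dump."""
    index = {_tag(secret, s, i): s for s in stores for i in range(count)}
    hits: dict[str, int] = {}
    for tag in TAG_RE.findall(dump_text.lower()):
        store = index.get(tag)
        if store:  # tags not derived from our key are ignored
            hits[store] = hits.get(store, 0) + 1
    return hits

def demo() -> dict[str, int]:
    # Constructed dump: ordinary rows plus two decoys that were seeded into crm-db.
    crm = make_canaries(SECRET, "crm-db")
    dump = "\n".join([
        "jane.doe@example.org,Jane Doe",
        f"{crm[0]['email']},{crm[0]['name']}",
        "bob@example.net,Bob",
        f"{crm[2]['email'].upper()},{crm[2]['name']}",
        "fake.0123456789@example.com,right shape but wrong key",
    ])
    return attribute_leak(SECRET, STORES, dump)

if __name__ == "__main__":
    print(demo())
```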
Can we get on with it, like now? This is too expensive to be allowed to continue.
_________________________________________________________
Disclaimer
The opinions expressed in this Op-Ed are those of the author. They do not purport to reflect the opinions or views of the Digital Journal or its members.