The Lifespan of a Data Breach

The Lifespan of a Data Breach

Data theft has been a hot topic for the past few years. I’m not a fan of statistics because “There are Three Kinds of Lies: Lies, Damned lies and Data,” but to understand the seriousness of this issue you must see the ITRC Breach Statistics report. While businesses (and even government agencies) continue to amass data about us under the pretext of delivering better services, we unknowingly become more and more vulnerable to theft.

If you needed money (that you didn’t have) and a very large quantity of it, where would you go? Not to your local gas station ATM when you can watch any of the countless Hollywood Bank Robbery movies for ideas! Similarly, hackers strike retailers, credit card companies, banks, employers, payroll systems, insurance companies and doctor’s offices - all of which maintain giant data warehouses that contain little bits and pieces of information about us.

Data breaches have not amounted to much until now.  A spam email here (one from an African who is in trouble and needs you to wire him money today) or a fraudulent charge there can be quickly resolved with a phone call, nothing terribly inconvenient.

The Lifespan of a Data Breach

Hackers use a three-pronged approach to acquire data:

  1. They seek out and exploit system vulnerabilities to access the securest of secure servers (the proof is in the thousands of data beaches that happen each year).
  2. They deconstruct your social media profiles or install malware on your cell phone or computer to populate their Rainbow tables.
  3. They send you email to test the strength of your spam filters or to get a response from you.

At this stage, hackers have collected sweeping information such as name, address, email ID, passwords, credit card, medical history, Social Security Number, Date of Birth, etc.

Data breach dumps collected from across different retailers, credit card companies, banks, employers, payroll systems, insurance companies, doctor’s offices, etc. can be stored in a single Data Lake. Data in the lake can be cleansed, standardized and mastered using ETL, address standardization, de-duplication and complex functions like house holding – much to the envy of the likes of Google or the NSA.

The data is now ready for the “evil” Data Scientist.

He or she uses statistical programming languages like R or Python to learn about your spending habits, names of your spouse and children, where you live, what you are worth, who your friends are, when you went for your last medical checkup, what type of car you drive, where you had your last vacation and more.

Businesses use the Consumer Profitability Score to match up customers to product promotions. A retailer may use the Consumer Profitability Score to send coupons for diapers to expecting mothers or a car manufacturer may use this score to send you a reminder for your next oil change. Your income to expenditure ratio is used to calculate this score. The higher your score, the more likely you are to be a "profitable" customer and a target of marketers.

Similarly, the “evil” Data Scientist uses a Gullibility Index to target his next victim.

Have you received an email from a friend asking if he could borrow some money because he and his family have lost their luggage and are stranded at an airport overseas and need the money to get home? The email brings together several points of data from your profile to capture your attention and obtain a response.

If the email contains names of your friends and family members, the country they are stranded in, the fact that they are scared and perhaps a reference to their children’s medication – it is rated high on the index. For a low index, all the hacker needs is your cell phone number and your contacts. He places your number on a tool that tracks your geo-position and the tool alerts him as soon as you leave the country.  Freaky, huh?!

Businesses are investing billions in strategies that rely on unfettered access to data. Google bought Nest. Facebook acquired WhatsApp and now wearable health tech is taking off. These companies want to own all the data there is.

With Big Data comes big responsibility

The Ponemon Institute published a paper: The State of Data Security Intelligence. It found that 60% of global respondents (i.e. businesses that collect and store vast amounts of data in the hopes of one day using it) were “not confident” that they had the ability to proactively respond to cloud-based data threats. The paper went on to say that 80% had no way of finding out if sensitive or confidential information was exposed. I don’t think you have heard the worst yet.

Unbeknownst to them, businesses sometimes proliferate private and sensitive data through their cloud, mobile and web applications.

The real question is, “What should a business do to protect its data?”

  1. First, businesses can maximize their security investments by understanding their sensitive data risks and vulnerabilities and aligning their data security investments, policies, processes and actions accordingly. Businesses that have appointed a CISO – Chief Information Security Officer and a CDO – Chief Data Officer are moving in that direction.
  2. Second, implement a data security intelligence solution that identifies data risks and mitigation strategies.
  3. Third, identify where data is created and consumed and understand proliferation inside and outside the enterprise.
  4. Fourth, automate reporting of critical data assets at risk for data piracy and for security auditing and governance programs.

Because internet fraud is still in its infancy, the cost of data loss is also low. To increase the Gullibility Index, hackers will up the ante by collecting more and more information via data breaches. Businesses will have to consider not only the cost of the data lost, but also the cost to their customers.

Article written by Amar Nadig
Want more? For Job Seekers | For Employers | For Contributors