H̠̹̥͇̰̟͍̉4̥̙̥ͫĆ̨̜̩̠̪̒̍ͮ̌̚K͚̑̆́ͣ3̻̏̿͛D͈̥͍͙ͣ̒͆͗̇̚͝?̙̠̠̘̃̀̊̉͂ͥ?͕̙̠͚͉̳͑͆̀?̫̘̱͈͒͠
Understanding Data Breaches in the 21st Century
Data breaches effect hundreds of millions of people around the world every year
Using data compiled from a crowdsourced collection of news articles on this topic, we can see this problem is growing at an alarming rate
The available data indicates a massive increase in breaches over the last three years
What factors are driving this trend?
Tens of billions of records have been exposed in recent years
The vast majority of data breaches are benign—exposing nothing more than email addresses or full names
Some data breaches are serious, and reveal highly sensitive information—exposing detailed financial and medical records, credit reports, immigration documents, usernames and passwords
DATA TROUBLE
BETRAYAL IN THE INFORMATION AGE
By Matt Geiger
December 21, 2020
There’s something undignified about a machine that denies us. Whether we’re forced to repeat a password for the thousandth time, find all of the fire hydrants in a picture, or spell out some arrangement of wavy characters, our machines are performing a ritual of gatekeeping. This is how we build trust with much of our digital world: continuous interrogation. Prove you are a human. Prove that you’re worthy—to access and use this inbox, streaming service, or bank account.
We endure these minor inconveniences because doing so makes us feel safe and secure in providing our personal data. Whether we’re buying something from an online store or filing our taxes, we navigate our digital lives as a balancing act—carefully weighing convenience and instant gratification against trust and the risks we assume by sharing our information with others.
Allowing your favorite pizza place to store your credit card details ensures that you’re always just a few touchscreen taps away from having a hot and tasty slice of pie in your hands. This convenience also means that your payment details (along with countless others) are now a target for hackers, scammers, and other bad actors. This information is worth protecting. We trust that the pizza place will faithfully keep our payment details safe, and that they know what they are doing—or that they hired someone who does. What happens when that trust is breached?
Exploring a crowdsourced data set (InformationIsBeautiful.net), a story begins to emerge. This story is not so much about hackers breaking through sophisticated encryption schemes to gain access to your valuable data (although that certainly is a part of it); instead, it is a story about entities (both large and small) leaving your information exposed—for anyone to find if only they know where to look. Instead of storing your information behind robust layers of security, often it is kept behind the digital equivalent of a screen door.
MOST DATA BREACHES ARE DUE TO POOR SECURITY
On May 7th, 2020, over 8 billion internet records were leaked in Thailand by AIS (Advanced Info Service)—the country’s largest wireless carrier (source: TechCrunch). This represents one of the largest data breaches on record, and it is also indicative of the larger systemic problem we face in the information age: poor security. The database was stored on an open and public-facing server that anyone could access. According to TechCrunch, the database wasn’t even password protected, and provided realtime access to customer’s web traffic, including data about individual website requests (DNS queries), and other traffic (NetFlow) related to popular social media platforms such as Facebook (source: security researcher Justin Paine’s blog entry (via TechCrunch)).
In similar fashion to the AIS breach, on December 28th, 2019, approximately 250 million Microsoft customer records were found on public facing servers without password protection (source: Forbes). On September 4th, 2019, servers without password protection were discovered containing Facebook user data on more than 419 million accounts. Data included phone numbers, user IDs, gender, and country of residence (source: FastCompany). On March 23rd, 2018 Aadhaar, a national ID database in India, was breached (source: Zdnet). The system security hole involved the use of a static token (“INDAADHAARSECURESTATUS”) that was valid for all database queries, allowing anyone to access records by simply entering sequential ID numbers into a request. This exposed sensitive data, including full names, ID numbers, and even bank account details on more than 1.1 billion users.
These recent examples, all happening within the last three years, represent a reckless disregard for users’ data and privacy. Beyond the breaches of data, the careless nature by which this information was exposed also represents a breach of trust: between the entities involved and their users. When we put our trust into these companies, governments, and other institutions, we assume (often wrongly) that they will make at the very least a reasonable effort to keep our data secure. With guardians like these, who needs hackers?
DATA BREACHES ARE BECOMING MORE FREQUENT, AND THEY ARE GETTING LARGER IN SIZE
Including the years 2018, 2019, and 2020, there were 35 distinct data breaches tied to poor security, representing a total of more than 22,000,000,000 distinct records exposed. As alarming as these statistics are, we need to also consider the role of hackers. During the same three-year period, more than 2,000,000,000 individual records were exposed, in 62 separate incidents involving hacking. Taken on a whole, hacking and poor security are the largest contributing sources of data breaches, both in terms of frequency and magnitude. These two categories eclipse all other forms of data breaches: i.e., inside jobs, lost or stolen devices, and human error.
These various methods of data breaches may seem entirely distinct from one another, but at their root, they all relate to hacking. Before explaining this relationship, we first need to define what exactly a hacker is (and what a hacker is not). The definition I use when referring to hackers: any person or group that has sufficient general and/or esoteric knowledge of a system (or systems) to manipulate that system (or systems) in novel and intentional ways.
Note that this definition is entirely neutral in regards to ethics. Hackers, under this definition, would include digital security experts and researchers, as well as IT professionals, amateur coders, state-sponsored cybercriminals, organized crime, and politically motivated actors (a.k.a, “hacktivists”).
It’s easy to imagine that the lax security and the status quo of easily accessible data would make hacking a less attractive method—why bother robbing the bank when the money is there for the taking? Yet this way of thinking appears to be completely wrong. A better way to think about it is to imagine that “digital equivalent of a screen door” mentioned earlier. For hackers of all stripes, testing security is a lot like walking down an infinite hallway with various types of doors—all can be opened, some require more effort.
Poor security is like a screen door, in that it doesn’t shield the content from prying eyes or forceful hands. Whatever lies beyond these doors is entirely up for grabs. Hackers might go after such weak systems as either crimes of opportunity, or while acting as a so-called “white hat” (e.g., ethical hackers or security consultants).
Hacks involving targeted attacks (e.g., spear-phishing, malware, key-loggers, zero-day exploits, etc.) are like burglaries—where thieves employ lock picking or other tools. Even fairly good security will eventually succumb to a determined attacker.
If you’ve ever snuck into a movie theater by having a friend open the back door for you, that was an inside job. For example, on October 20th, 2013, Krebs on Security reported on Hieu Minh Ngo, a Vietnamese identity thief who had paid access to a credit reporting database, Court Ventures—a company that was later purchased by Experian. This paid access gave Ngo access to detailed financial records on more than 200 million Americans, which he then sold online to other scammers.
Lost and stolen devices can be thought of in terms of lost keychains and stolen wallets. If someone has access to what you keep in your pockets, then they can easily have access to everything that you do.
Last but not least, we have human error: in layman terms, this is simply an “oops.” This is the digital equivalent of having a steel security door with biometrics, but you forgot to close it on your way out.
VIEW FULLSCREEN: CLICK THE UPPER-RIGHT CORNER, HERE.👇
Scroll to the right to view all data breaches by year.
MOST OF THE DATA IS BENIGN, BUT THAT DOESN’T MEAN WE HAVE NOTHING TO WORRY ABOUT
Before you smash your iPhone with a hammer, or take out your laptop with a shotgun, you should know that there is a silver lining in all of this: most of the data exposed in recent breaches is fairly benign. While there are many, many alarming exceptions (as noted above), the vast majority of records contain little more than usernames, email address, phone numbers, and other information that can easily be found through perfectly legitimate channels. You don’t need to be a hacker to search for all of the Sarah Connors in your area. There’s a free website for that. The real danger lies not in the quality, but in the quantity of data. In the mosaic theory of intelligence gathering, having enough small pieces of information can add up to a much bigger picture; the more information you have, the easier it is to fill in the gaps.
TWO PATHS
In the 1960s, the Department of Defense was worried that the Soviet Union might launch an attack that would disrupt US military communication infrastructure. The basic theory was that a high altitude nuclear blast over the North American continent wouldn’t cause any direct damage, but the resulting electromagnetic pulse (EMP) would temporarily disable most ground-based electronic systems—the induced currents would instantly fry radio transmitter and receiver systems, telephone lines, and more. To counter this threat, they funded a program to build a resilient computer network, with protocols that would make the system diffuse and decentralized (Abbate, 2000). In 1975, ARPANET, a predecessor to today’s internet was born.
A system designed to duplicate and distribute packets of data around the world is fundamentally at odds with data security goals. This is not an original idea or argument, but one that is often repeated. Additionally, no computer security solution is ever perfect, and the automated nature of computers creates an inescapable and perpetual arms race.
We can continue to fight a losing battle, plugging security holes aboard a ship that was designed to leak, or we can create something new to replace it. There are two paths laid out before us: one path leads to building a new network, one with rigorous and mature security measures at its core. This next-generation high-security network will not operate like today’s wild and reckless internet. The other path leads to accepting what is already true: there is no spoon such thing as secure data, only varying degrees of inconvenience.
Everything you type and everything you read, all the things you record and watch, all of this is happening in public.
Matt Geiger is a graduate student at Carnegie Mellon University School of Design, in Pittsburgh, Pennsylvania. This story was part of a joint final project for Communication Design Studio and Seminar One, under guidance from Stacie Rohrbach and Molly Steenson.