Once more unto the breach, dear friends, once more…
When Henry V uttered these immortal words in Shakespeare’s 1598 play, little did he know the chill that the word ‘breach’ would one day send down the spines of today’s online businesses and the individuals who use them. These days, a breach is much more than just a hole in the wall that exposes a few soldiers; it is a hole in security that can expose millions of people at once. What’s more, these big data breaches are appearing almost everywhere, from newspapers to social media sites, cell phone companies to ticket sellers.
New legislation means that companies are no longer able to keep data breaches secret or sweep them quietly under the carpet. When a company is breached, it is obliged to tell everyone affected, whatever the cost to its reputation or its share price. A breach at a major UK mobile phone company saw 5.9 million customer records exposed and a 3% drop in the share price.
The social media giant, Facebook, saw its shares tumble too after a breach that affected a massive 87 million users. And when you are one of the biggest companies in the world, even a few percentage points can represent a loss of billions of dollars. Facebook is still feeling the impact, with several other sites, such as Tinder and Airbnb, also caught up in the breach.
A worldwide issue
Data breaches are a worldwide issue, stretching from a major British airline, which exposed thousands of customers’ financial data, to ride-hailing app Uber, which lost details of 57 million users and was fined $148m for lack of disclosure of the problem. Medical records have been hacked from Singapore to the UK, and ticket websites in Europe and in the US have been mined for personal data. Even less obvious targets, such as genealogy websites and fitness apps, have been affected.
What data is taken?
Online privacy is always important, but in some cases only the most basic data is stolen by hackers, such as addresses or dates of birth, which would be widely available anyway. The breach simply collects this information in one go to use or sell. However, with online payments becoming the norm for everything from flights to home entertainment, more and more people are trusting companies with their personal financial details too.
The British airline hack not only gathered email addresses and other personal identifiers, but it also collected credit card details, including key data such as expiry dates and the three-digit CVV codes. While this data is not usually stored on the system, hackers were able to breach the airline site by recording the information as it was entered by the customer. With this information alone, hackers are free to go on a spending spree with the user’s card.
What can be done to protect us?
If the giants of the internet, such as Facebook, are vulnerable to data breaches, it begs the question of whether any information is safe with any company. However, some are making the effort to protect their users by adding extra layers of security that are constantly changing in ways that hackers cannot predict. This is still not a fool-proof system, but it does slow hackers down, and as with most opportunistic thieves, anything that makes life harder for them makes them likely to move on to the next, easier target.
Many companies now use two-stage authentication to allow access to sensitive information. For example, organizations such as the UK Tax Office (HMRC) and Vodafone will text a code to your phone. Unless this code is entered within a few minutes, you will not be able to access your personal information. Others provide you with a device to generate your own code, such as the NatWest Bank card reader and the PokerStars RSA token. These random number generators use complex algorithms to create security codes, making account information much harder to hack and so significantly reducing the risk of large-scale data breaches.
How can we protect ourselves?
Unfortunately, with so much of our lives lived online these days, we often have little choice but to trust the companies we give our data to. The new GDPR laws, introduced across Europe this spring, may have tightened up how data is collected, stored and used, and have given users much more say in the way their personal information is handled, but short of buying everything with cash and living completely off-grid, there will always be information about us somewhere online that can be stolen and exploited. Once more unto the breach indeed.