The starting price for a new offering of stolen personal information on the dark web--16 gigabytes of sensitive personal information featuring the names, mother's names, genders, dates of birth, and the taxpayer identification numbers of 92 million Brazilian citizens--was $15,000 last week. In case you're wondering, that's roughly half the population of the country and pretty much 100 percent of the working population.
Ring any bells? Think back a few weeks (and west, to another country on the equator). The number 16 comes up again, 16.5 to be precise, but that time it wasn't the size of a data set but an entire nation's population. Still drawing a blank? It's totally understandable. The hit parade of breaches is long and ceaseless, and it's easy to miss one or two on any given day.
That compromise was discovered by white hat hackers working for vpnMentor, who stumbled upon the personal identifying information of every living man, woman, and child (16.5 million, including seven million minors, but who's counting?) in Ecuador. It also included an estimated 3.5 million deceased Ecuadorians. The data was sitting unprotected and very exposed online for anyone to look at or steal.
The Ecuadorian compromise was discovered as part of an ongoing project in which vpnMentor scans ports "to find known IP blocks." The specifics don't matter. The whole cyber-gotcha thing is way too exotic for most of us mortals. What matters is that millions of people were put in harm's way by overarching cybersecurity failures, and the situation is only amplified by widespread shortcomings in personal cyber-hygiene. A recent Pew Research study found that most Americans don't even know the basics of cybersecurity.
Like the Brazil breach, the Ecuador compromise included personal and corporate tax ID numbers, as well as bank account information--including current balance in the account, amounts financed, credit types, and the location of a bank branch used by an individual. The same information about family members was also available, as well as how people in the data set were related to one another. A short list of the available data in the Ecuador incident included full name (first, middle, last); gender; date and place of birth; home and work addresses; email addresses; home, work, and cellphone numbers; marital status; date of marriage (where applicable); date of death (where applicable); and the highest level of education achieved.
If there is such a thing as a complete data disaster, this was it.
Why It Matters
Enough information is available in just those two data fails to make fraudulent new-account openings or account takeovers a real possibility for more than 100 million people, not to mention the horrors of full-blown identity theft.
In just the past few weeks, a breach at Zynga, the maker of the popular Words With Friends, and an unsecured database maintained by DealerLeads, a company that tracks car buyers, between them exposed the data of about half a billion people. No one really questions our collective vulnerability. The takeaway here is that we are all affected by data carelessness and malfeasance these days.
What remains to be seen is how businesses react. My hope is they will very quickly become more cyber-sensible about the threat of identity-related crime among their employees or customers and as a result start providing the solutions demanded by a breach-weary marketplace.
There Is a Solution
If one of your employees suffers a compromise of their identity, they could spend between 100 and 200 hours getting back to normal, much of that time eating into their productivity on the job. Then there's the equally horrifying possibility that, if this employee is compromised, a hacker might use their access to your network as a conduit into your customer or employee databases, perhaps even reaching your intellectual property or trade secrets. With breaches and data exposures now a fact of life, the question becomes how to normalize the fallout in a way that keeps the wheels of industry turning.
The answer may be in your insurance policy, or it may be in your employment benefits package. Increasingly, resolution services are included as a perk of doing business with an insurer or of being employed. And it makes a lot of sense given the disruption caused by identity theft. If you don't have this particular benefit, ask for it. If you don't offer it, consider including it. Adding cyber-protection to an employee benefits package or an insurance policy is a double win: It helps with retention and helps people engage in better cyber-self-protection. Anyone who has been the victim of an identity-related crime will tell you that such services are a huge win for everyone involved.
Practice the 3 Ms
At the end of the day, we are our own best guardians, which is why I urge people to adopt a simple approach to my definition of "information wellness." I call it the three Ms approach.
1. Minimize your exposure: Vet your vendors! Foster a culture in which everyone from the mailroom to the boardroom is invested in privacy and data security. Train your employees from their first day and keep an ongoing discussion about security best practices. Create a map of who can access which information, make sure your most sensitive data is available only to those who need it, and hold those people to proper security practices for keeping it safe. Have a sensible BYOD (Bring Your Own Device) policy and remind employees of the importance of installing updates on connected devices. Back up your data frequently. Hire a chief information security officer; never leave your security solely to the IT department.
2. Monitor your networks and your assets: Make sure regular assessments are conducted on the security of all your data assets. When vulnerabilities are discovered, make sure they are patched immediately. Don't wait for a call from a white hat hacker.
3. Manage the damage: How an organization responds to a breach or compromise is a defining moment. It is crucial that you act urgently, transparently, and empathetically. In order to avoid an extinction-level event, have a robust incident response plan. Have a media plan. In fact, consider putting a crisis management firm on retainer. Game various scenarios and have a team in place to help your clients, as well as both in-house and third-party experts who understand the timing and notification requirements in each state for various regulators, law enforcement officials, insurance companies, employees, and customers.
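Step 2 says not to wait for the white hat's call. In practice that means running the kind of sweep vpnMentor ran, but against your own address space and before anyone else does. The script below is an added example written for this page; it is not vpnMentor's tooling and nothing in the original article describes it. It assumes two common data-store ports and their plain-text protocols (the Elasticsearch HTTP API on 9200 and the Redis PING command on 6379), which are assumptions chosen for illustration, and it flags any service that answers a request in full without demanding credentials, which is exactly the condition that put the Ecuadorian data set in the open. Only point it at hosts you own or are authorized to test.

```python
"""Self-assessment sweep for data services that answer without credentials.

Added example for this page (not vpnMentor's tooling). It connects to a
small set of well-known data-store ports on hosts you own, sends the
protocol's simplest request, and classifies the reply. The port and
protocol choices below are assumptions made for illustration.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumed targets: service name and the one-line request that a server
# with no authentication will answer in full.
SERVICES: Dict[int, Tuple[str, bytes]] = {
    9200: ("elasticsearch", b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"),
    6379: ("redis", b"PING\r\n"),
}

# A probe takes (host, port, payload) and returns the raw reply, or None
# if the port did not accept a connection. It is injectable so the
# classifier can be exercised offline with constructed replies.
ProbeFn = Callable[[str, int, bytes], Optional[bytes]]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    status: str     # open-unauthenticated | open-authenticated | open-unrecognised
    evidence: str   # first line of the reply


def tcp_probe(host: str, port: int, payload: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Connect, send the payload, and read whatever comes back before the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(payload)
            chunks: List[bytes] = []
            try:
                while sum(len(c) for c in chunks) < 65536:
                    data = sock.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # a partial reply is enough to classify
            return b"".join(chunks)
    except OSError:
        return None  # refused, filtered, or unreachable


def classify_response(port: int, response: Optional[bytes]) -> Tuple[str, str]:
    """Map a raw reply to a status plus the evidence line behind it."""
    if response is None:
        return "closed", ""
    head = response.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    if port == 9200:
        # Elasticsearch answers the root URL with 200 and cluster metadata when
        # security is off, and with 401 when it requires credentials.
        parts = head.split()
        code = parts[1] if len(parts) > 1 and parts[0].startswith("HTTP/") else ""
        if code == "200":
            return "open-unauthenticated", head
        if code in ("401", "403"):
            return "open-authenticated", head
    elif port == 6379:
        # Redis replies +PONG to PING when no password is required and
        # -NOAUTH when requirepass is set.
        if head.startswith("+PONG"):
            return "open-unauthenticated", head
        if head.startswith("-NOAUTH"):
            return "open-authenticated", head
    return "open-unrecognised", head


def sweep(hosts: Iterable[str], probe: ProbeFn = tcp_probe) -> List[Finding]:
    """Probe every (host, port) pair and keep everything that accepted a connection."""
    findings: List[Finding] = []
    for host in hosts:
        for port, (service, payload) in SERVICES.items():
            status, evidence = classify_response(port, probe(host, port, payload))
            if status != "closed":
                findings.append(Finding(host, port, service, status, evidence))
    return findings


def exposed(findings: Iterable[Finding]) -> List[Finding]:
    """The subset that handed data back without asking who we were."""
    return [f for f in findings if f.status == "open-unauthenticated"]


if __name__ == "__main__":
    # Usage: python sweep.py 10.0.0.5 10.0.0.6   (hosts you are authorized to test)
    results = sweep(sys.argv[1:])
    for f in exposed(results):
        print(f"EXPOSED {f.host}:{f.port} ({f.service}) -> {f.evidence}")
    sys.exit(1 if exposed(results) else 0)
```

The point of separating the probe from the classifier is that the decision ("did this thing answer without credentials?") can be tested and tuned without touching the network, and the same sweep can be scheduled against the inventory from step 1 so a newly exposed host shows up in your own report rather than in someone else's.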
Nothing is going to stop criminals from trying to con us, but we can get better at protecting ourselves, in ways that become second nature once we accept that the risks are real and that there are best practices (and excellent services) to help avoid them.