I could do a blog exclusively on data breaches because they happen so frequently that I’d never run out of material. Eight hours ago, the Supreme Court of India’s website was defaced, apparently by “HighTech Brazil Hackteam.” I imagine that they’re either a group of highly motivated lawyers or, given their logo, a group of very high teenagers. Of course, defacing a public website isn’t the same thing as getting at confidential or private data, and it’s unlikely that the Indian Supreme Court keeps vital data on its public site. Put another way:
Other hacks are much more serious, of course, and those are the ones that get at sensitive data. In the US, there isn’t a hierarchy of personal data quite like there is under the GDPR, where “special categories” of data such as biometrics, health, sex life or sexual orientation, and trade union membership receive heightened protection. Nevertheless, you can be sure that the more categories of data exposed to cybercriminals, the more seriously regulators will treat the breach, both here and in Europe.
Sometimes clients ask me “what’s the worst hack so far this year?” My answer often surprises them – as it did in 2015 when I said that it was the Office of Personnel Management hack. The responses were usually “but wasn’t the Anthem breach much bigger?” or,
I believe that the primary metric for evaluating how bad a breach was is what can be done with the information stolen. With Ashley Madison, you could blackmail users, certainly, but once the dump was posted the information was publicly available, so if you wanted to learn whether your spouse was a cheat, it only took a few clicks. Outcome? Lower risk (other than the risk of getting Lemonaded). The OPM breach, on the other hand, gave a foreign power (almost certainly China) access to critically sensitive data about US government employees, including security clearance background investigation records, fingerprints, and a trove of financial, personal, psychological, and professional information that would be simple to exploit. Outcome? One of the worst national security risks in recent memory, and an ongoing source of vulnerability for the country.
The key is determining whether the fallout from the breach can be contained and whether its risks expose greater vulnerabilities than just credit card numbers. This isn’t an academic exercise – under the GDPR, for instance, companies have an obligation (Article 34) to report data breaches directly to the affected data subjects when the breach is likely to result in a “high risk to the rights and freedoms of natural persons.” That’s not an analysis you can undertake, or even understand, if you haven’t already inventoried your data and categorized it meaningfully.
With that in mind, what do I think is the scariest breach so far this year? If I had to pick right now, I’d say TaskRabbit. “Come on,” you might say, “what’s the risk there, that someone won’t fix my leaky kitchen faucet?” Well, think about what data TaskRabbit has: if you’re a customer, it has your name, your address, perhaps the access codes to get through your front gate or front door, financial information, when you are at home, and perhaps which devices in your home are already not working (hence the request) and whether those devices are connected to the internet. If you’re performing tasks, the app can literally send you an address and say “go here.”
This is what I mean by understanding your data. At first glance, a breach at TaskRabbit might have seemed more an annoyance than a major risk, particularly if there was no payment information in the app. But when you analyze what information is present, in usable form, you start to recognize the dangers: an address, a schedule of when the occupant is away, and a gate or door code are, in combination, a physical security problem, not just a privacy one. To me, TaskRabbit would need to think very carefully about reporting the breach to individual users because, depending upon the information taken (and especially if there was location data involved), it would be hard to disprove that there was a high risk to the rights of persons. The safer approach would be to expect that the data protection authorities (DPAs) will want proof that a breach wasn’t a serious risk, even if that’s not what the Regulation says.
In the end, every breach is a bad thing, and every system needs adequate safeguards. This is why the data inventory you conduct at the very outset of your data security plan is crucial, and why categorizing your assets is the first step in the DataSmart method: if you don’t know what you have, you don’t know what to protect, and you can’t judge what an attacker could do with it once it’s gone.