Since the 1990s, use of the internet has exploded. Almost 4 billion people, more than 50% of the world’s population, use websites and applications for a myriad of purposes, including shopping, conducting financial transactions, and connecting with others via social media. The statistics are staggering: 3.6 million Google searches are performed every minute of every day; every 60 seconds on Facebook, 510,000 comments are posted, 293,000 statuses are updated, and 136,000 photos are uploaded; over 15 million texts are sent every minute worldwide. While this breakthrough has improved productivity and quality of life in many ways, it has drawbacks. Social media encourages users to share personal information, much of which advertising companies use to target ads by users’ demographics and interests. Any time a user checks a checking account balance, buys a book on Amazon, or donates to the latest “Go Fund Me” cause, the financial information entered is stored electronically. Even walking into a store and paying by credit card creates an electronic record on the retailer’s systems. All of this data puts people at risk of identity theft and other misuse should a breach occur, and given its quantity, sensitivity, and accessibility, individuals and companies are not doing enough to protect themselves.
There have been many recent examples demonstrating how a company’s lack of vigilance over their data security has resulted in a major breach of personal data. Hackers tend to focus their effort on companies and other large users of information, where they get more for their “hacking buck.” Equifax, one of the country’s three major credit reporting agencies, is a prime example. From May through July of 2017, Equifax was a victim of a series of security breaches whereby the personal information of 143 million people was compromised. The information included names, Social Security numbers, driver’s license numbers, and other personally identifiable information (“PII”). Now Equifax is dealing with the repercussions.
How did the Equifax breach happen? While unfamiliar to most, Apache Struts is an open-source framework for building Java web applications, reportedly used by at least 65% of Fortune 100 companies, including Equifax. The breach has been traced to a vulnerability in Apache Struts. Had the breach been caused by a “zero-day exploit,” which “takes advantage of a previously unknown vulnerability in a computer application that developers and security staff have not had time to address” (Marc Goodman, Future Crimes, Doubleday, New York, 2015, p. 16), it would have been an unfortunate event that no patch could have prevented, although even then a compromised web server can be contained by limiting what it is allowed to reach and watching for unusual outbound traffic. Zero-days are often sold to companies and hackers for anywhere from $20,000 to $1 million. However, a zero-day was not the culprit at Equifax. The Apache Struts flaw, CVE-2017-5638, was publicly disclosed and patched in March 2017, months before the attackers used it; had Equifax applied the vendor’s fix (Struts 2.3.32 or 2.5.10.1) as recommended, the breach could have been prevented entirely.
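Two checks a practitioner would want here, given as an added example rather than anything from the paper, from Apache, or from Equifax: first, deciding from a server’s reported Struts version whether it falls in the ranges the Apache S2-045 advisory lists for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1); second, flagging requests that carry the exploit’s signature. The bug evaluated OGNL expressions smuggled into the Content-Type header, so a Content-Type containing “%{”, “${” or OGNL internals is a strong indicator of an attempt. The request records and the field names (src, path, content_type) are constructed for the example; adapt the loader to your own access logs.

```python
"""Added example: version check and request-signature check for CVE-2017-5638.
Not code from the paper, Apache or Equifax. The sample records below are
constructed for the example, not captured traffic."""
import re

# Version ranges from the Apache Struts S2-045 advisory.
FIRST_AFFECTED_23 = (2, 3, 5)
FIXED_23 = (2, 3, 32)
FIXED_25 = (2, 5, 10, 1)


def parse_version(version):
    """'2.3.31' -> (2, 3, 31). Tuples compare element-wise, so 2.5.10 < 2.5.10.1 works."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version):
    """True if the reported Struts version is inside an affected range."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return FIRST_AFFECTED_23 <= v < FIXED_23
    if v[:2] == (2, 5):
        return v < FIXED_25
    return False  # 2.2 and older, or 2.6+: outside the advisory's ranges


# Substrings that have no business in a legitimate Content-Type header.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|#context|ognl\.|java\.lang\.", re.IGNORECASE)


def flag_requests(requests):
    """Return (source, path, matched_marker) for each request whose Content-Type looks like OGNL injection."""
    hits = []
    for req in requests:
        match = OGNL_MARKERS.search(req.get("content_type", ""))
        if match:
            hits.append((req["src"], req["path"], match.group(0)))
    return hits


# Constructed sample records using RFC 5737 documentation addresses (hypothetical field names).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundaryabc123"},
    {"src": "198.51.100.23", "method": "POST", "path": "/upload.action",
     "content_type": "%{(#_='multipart/form-data').(#probe=1)}"},
    {"src": "192.0.2.44", "method": "GET", "path": "/index.action", "content_type": ""},
]


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "patched")
    for src, path, marker in flag_requests(SAMPLE_REQUESTS):
        print(f"ALERT {src} {path}: Content-Type contains {marker!r}")
```

The version check is the cheap, proactive control: run it against every deployed application’s dependency manifest the day an advisory is published. The header check is the detective control for the window between disclosure and patching; it is a signature, so it catches the published technique and obvious variants, not every possible encoding, which is why it complements rather than replaces the patch.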
Since Equifax was not vigilant enough in its data security procedures to prevent the attack, its focus had to shift to damage control: protecting customers whose data had already been taken, although for many it may be too late. Equifax added a utility to its website that lets individuals check whether the breach affected them by entering their last name and the last six digits of their Social Security number. Those who are affected are advised to review their credit reports and accounts for suspicious activity. Consumers can also get free credit monitoring for one year and should consider placing a freeze on their credit files, which makes it difficult for a third party to open a new account in their name. Changing login credentials and placing a fraud alert with the credit bureaus are additional steps that can be taken.
What cannot be ignored is the massive cost to Equifax. It would have been far cheaper for its information technology department to track Apache Struts security advisories and apply the patch as recommended. Instead, the total out-of-pocket cost to Equifax has been estimated at anywhere from $200 to $300 million, much of it from providing credit monitoring and protection to consumers. In addition, there will likely be a long-term impact on the stock price. Immediately after the announcement of the breach, the company lost $4 billion in market value, with the stock falling from $142.72 per share before the announcement to a low of $92.98. The stock has since recovered slightly, closing at $112.93 on December 1st.
Unfortunately, Equifax is not alone; it is one of many companies that have recently been hacked. In October 2017, Yahoo disclosed that a breach dating back to 2013 had affected all three billion of its accounts. In the Yahoo case, however, the stolen data consisted of names, e-mail addresses, dates of birth and hashed passwords, not financial information. Walmart was hacked in 2009, when information from its credit card processing system was found on a computer in Europe. In 2013, Target was the victim of a massive data breach in which hackers accessed the information of 110 million customers; Target estimates that the breach cost it $148 million. In each of these instances, information the companies held about their customers was exposed to attackers.
What are some ways companies can protect themselves and their customers? In June 2017, Ponemon Institute published IBM-sponsored, independently conducted research on the cost of data breaches and the effect that Business Continuity Management (BCM) has in reducing the damage from a breach. BCM is a “holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause.” The study put the average total cost of a data breach at $3.62 million, down from $4 million the previous year, and found that companies with a BCM program identified breaches 43 days sooner than those without one and faced a significantly lower risk of a second breach within two years. When everyone is at such high risk, it is important to prepare for the worst and take the precautions that keep damage under control and, in some cases, prevent it altogether.
Corporate data breaches are not the only way information can be compromised. In fact, the everyday actions of most people put them at risk individually. Websites collect information regardless of whether users approve or are even aware of it. Social media, retail, and other websites collect personal information and distribute it to various entities for profit. Often they use tracking cookies to follow web activity: a third-party cookie set by an advertising network lets that network recognize the same browser on every site that embeds its code. Whenever users search on Google, their location and previous searches are used to filter the results and pages displayed. Many websites also store the personal information users share with them as part of normal business, which lets them display advertisements matched to users’ demographics or interests. Just as with the large corporate hacks discussed above, hackers also target individuals’ online information for their own use or to sell to other users or third-party companies. As a matter of fact, my own Facebook account was hacked while I was writing this paper. All my Facebook friends received a message from “me” asking them to follow a link to a video. I was alerted to this by several friends who asked if the message was legitimate. Luckily, I do not believe anyone followed the link. This could potentially have infected their systems with a virus. As a result, I had to change my Facebook password, log out of all devices, and let my friends know that I had been hacked.
Individuals are aware of the risk to their personal information. According to the Federal Trade Commission, 82% of Americans are concerned about their online privacy and 49% believe their information is less secure now than it was five years ago. The concern is justified: 64% of Americans have experienced a major data breach. What is all this data telling us? People are not doing what they can to protect themselves. Only 12% of Americans use a password manager, and 65% rely on memorizing their passwords; 41% have shared a password online, and 31% use the same or similar passwords for multiple accounts. A password should be hard to guess even if that means it cannot be memorized, which is exactly the problem a password manager solves. The public is partly responsible for its own lack of privacy and must take the necessary precautions in order to live safely in a digital environment.
Marc Goodman is a leading expert on cybercrime and internet security. In his 2015 book Future Crimes, he proposes the UPDATE protocol, which he considers as basic as locking your front door and not leaving your keys in your car. If followed, Goodman claims, the protocol could help individuals avoid more than 85% of today’s digital threats. Briefly, the UPDATE protocol includes the following recommendations:
Update Frequently – Enable automatic updates of all software, operating systems, and apps, as companies regularly release patches when a bug or vulnerability is discovered.
Passwords – Use a unique password for each account, at least 20 characters long with upper- and lower-case letters, numbers and symbols, and change it frequently.
Download – Software should only be downloaded from a company’s own website or a software’s official site to prevent pirated or third-party versions from compromising your security.
Administrator – Be wary of doing everyday work with administrator rights, since malware run under an administrator account can install itself throughout your system or network.
Turn Off – Power down your computer when not in use, as hackers cannot access your computer when it is not on and not connected to the internet.
Encrypt – Encrypt your data so it cannot be read even if it is accessed, and when on a public network, route your traffic through a trusted virtual private network (VPN) rather than using the network directly.
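The Passwords item above is the one a reader can act on with a few lines of code, so here is an added example, written for this page rather than taken from Goodman’s book or the paper: it generates a 20-character password from the operating system’s cryptographic random source with all four character classes, measures how much guessing that resists, checks an existing password against the rule, and finds accounts in a password vault that share the same or a near-identical password (the “same or similar” habit the statistics above describe). The vault and its account names are constructed for the example.

```python
"""Added example for the UPDATE protocol's Passwords item. Not code from
Goodman's book or the paper. SAMPLE_VAULT is constructed, not real credentials."""
import math
import secrets
import string
from collections import defaultdict

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 26 + 26 + 10 + 32 = 94 characters
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length=20):
    """Draw characters with secrets (a CSPRNG, unlike random), rejecting candidates that miss a class."""
    if length < len(CLASSES):
        raise ValueError("length must be at least 4 to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random string: length * log2(alphabet). 20 of 94 is about 131 bits."""
    return length * math.log2(alphabet_size)


def check_policy(password, min_length=20):
    """Report which parts of the 'at least 20 characters, all four classes' rule a password meets."""
    report = {"long_enough": len(password) >= min_length}
    for name, cls in zip(("has_lower", "has_upper", "has_digit", "has_symbol"), CLASSES):
        report[name] = any(ch in cls for ch in password)
    report["ok"] = all(report.values())
    return report


def _normalize(password):
    """Crude similarity key: lower-case and drop a trailing year or symbol so Summer2017! and summer2018 collide."""
    return password.lower().rstrip(DIGITS + SYMBOLS)


def find_reused(vault):
    """Group account names whose passwords are identical or differ only by case and a trailing suffix."""
    groups = defaultdict(list)
    for account, password in vault.items():
        groups[_normalize(password)].append(account)
    return sorted(sorted(accounts) for accounts in groups.values() if len(accounts) > 1)


# Constructed sample vault (hypothetical accounts), not anyone's real credentials.
SAMPLE_VAULT = {
    "bank": "Summer2017!",
    "email": "summer2018",
    "forum": "Summer2017!",
    "shop": "x7#Lq9!vB2nP$wR4kZ8m",
}


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_policy(pw), f"{entropy_bits(len(pw)):.0f} bits")
    print("reused across:", find_reused(SAMPLE_VAULT))
```

One caveat on the “changed frequently” part of the rule: NIST SP 800-63B (2017) advises against forcing periodic password changes, because people respond with predictable variations like the Summer2017!/summer2018 pair the example catches; length, uniqueness per account, and changing a password promptly when there is evidence it was exposed matter more. A password manager makes all of that practical, since none of the generated passwords need to be memorized.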
To what extent can we live privately online in this digital age? Our passwords and personal information are saved on websites. When we shop at supermarkets, the items we purchase are recorded and advertised to us later. When you click a link online, your browser records it and you are shown advertisements recommended on the basis of your previous activity. Some of this technology benefits us: recommendations in stores and online marketplaces are convenient, a mobile GPS application that remembers your location and previous destinations is easier to use, and Google can use your location to recommend local restaurants and entertainment venues. There is a wide range of things our data can do, but controlling what information you hand over, and to whom, is the most important step you can take toward a safe and private life in a digital world.