Potential data breaches would make Ashley Madison break-in pale by comparison
By CHRISTOPHER MIMS
Sept. 8, 2015 12:01 a.m. ET
NOTICE: THIS WORK MAY BE PROTECTED BY COPYRIGHT
YOU ARE REQUIRED TO READ THE COPYRIGHT NOTICE AT THIS LINK BEFORE YOU READ THE FOLLOWING WORK, THAT IS AVAILABLE SOLELY FOR PRIVATE STUDY, SCHOLARSHIP OR RESEARCH PURSUANT TO 17 U.S.C. SECTION 107 AND 108. IN THE EVENT THAT THE LIBRARY DETERMINES THAT UNLAWFUL COPYING OF THIS WORK HAS OCCURRED, THE LIBRARY HAS THE RIGHT TO BLOCK THE I.P. ADDRESS AT WHICH THE UNLAWFUL COPYING APPEARED TO HAVE OCCURRED. THANK YOU FOR RESPECTING THE RIGHTS OF COPYRIGHT OWNERS.
ILLUSTRATION: ADAM NIKLEWICZ
Many security and privacy researchers expect a cyber-breach event that will make the hack of infidelity site Ashley Madison look like a footnote by comparison. It could affect not just people seeking extramarital affairs, but everyone in America.
Even more daunting, it could be under way already, and we don’t even know it, say computer security experts.
It’s difficult to pick the worst-case scenario for this breach, as each could be devastating in a different way. It might involve the revealing of everything from shopping habits to the complete Web browsing histories of many Americans. It could put national security in jeopardy by giving hackers the ability to create spear-phishing attacks—in which people are tricked into compromising their computers via emails from businesses that look legitimate—containing so much personal detail that even the most paranoid of government employees or contractors could be fooled.
These security experts say we have unwittingly built the most perfect online surveillance system ever contemplated—for bad guys.
“What more could you want if you wanted to gather intelligence on our citizens?” says Grady Summers, chief technology officer at cybersecurity firm FireEye Inc. “You’d want to see everything they do on the Web, everything they’re buying. We’ve built this incredible machine that does that and we don’t even realize it.”
What Mr. Summers and many others are talking about is the potential for hackers to gain access to enormous and—by design—poorly understood databases containing just about everything there is to know about everyone, gathered from sources as disparate as store loyalty cards, public records and our behavior on the Internet.
The players in this industry, called data brokers, were the subject of a 2014 report by the Federal Trade Commission, in which the U.S. agency recommended that Congress move to require brokers be more transparent about what they gather and how they obtain it.
‘You’d want to see everything they do on the Web, everything they’re buying. We’ve built this incredible machine that does that and we don’t even realize it.’
—Grady Summers, of FireEye
Data brokers sell information to everyone from advertisers and marketers to private investigators and financial institutions, and some of their activities are limited by laws regarding the handling of personally identifiable information. There have been a few egregious missteps, such as one case in which a broker inadvertently sold data to a company that used the information to steal millions of dollars from hundreds of thousands of people.
Plenty has been written about what data brokers know about us and how that might be used to violate our privacy, but what has yet to be highlighted is what might happen if the data they gather falls into the wrong hands.
“We know that foreign intelligence services and hackers in general are now targeting sources of high value behavioral information, and there’s no better source than data brokers,” says Chandler Givens, co-founder of TrackOff, software designed to thwart some forms of online tracking.
“It’s highly likely one of these companies have already been compromised,” says Samy Kamkar, an independent security researcher, a sentiment echoed by other security professionals.
To put this threat in context, you have to understand that consumers—or in other words, all of us—face two separate but interlocking issues.
First, more companies than ever are gathering more data than ever about us. Efforts to limit the scale of this for-profit surveillance has been fought and, in the U.S. at least, largely lost. Culturally, we seem to have accepted that, in aggregate, every single thing we do that can be recorded will be.
The second issue is that breaches of the companies that hold data are becoming more apparent, if not more frequent. This is in part because the damage—as in the Ashley Madison hack—is more visible and direct than in the past, giving a new urgency to a privacy debate that has until recently been moribund.
How secure are the systems of these companies? I reached out to a number of data brokers, including Acxiom Corp., the company with an estimated 1,500 data points each on as many as 700 million consumers. The company didn’t comment, nor did officials at Oracle Corp., owner of data broker Datalogix, or Drawbridge, which claims to process 80 billion to 100 billion transactions a day in which ads are served based on user profiles.
One data broker that was willing to talk is ID Analytics, a company that offers a technology-based solution to both the proliferation of personal data and the increasing vulnerability to breaches of it. A company representative said one of ID Analytics’ primary lines of business involves helping companies detect when a breach of personal information has occurred, and then cope with the fallout.
“Risk mitigation,” which the FTC praised in its report as essential for ameliorating the fraud that comes from data breaches, is a booming business for ID Analytics.
One of the issues with the behavior of some data brokers is that they are willing to track us whether or not we want to be.
For example, in a technique called “device fingerprinting,” websites can identify a person even if they have all the typically identifying information switched off, says Mr. Givens of TrackOff.
Using a mobile browser, turning off cookies, even attempting to eliminate all the varieties of eradication-resistant “supercookies” used by advertisers cannot thwart device fingerprinting, says Mr. Kamkar.
Not only is there still little transparency about what data brokers know about us and how that information is obtained, but they have every incentive to continue to expand the scope and granularity of what they know. In part, says Jen Golbeck, a professor of computer science at University of Maryland, that is because these companies view their methods, as well as the size and contents of their databases, as competitive advantages.
All of which makes them the biggest of targets.
Follow Christopher Mims on Twitter @Mims or write to firstname.lastname@example.org