Five personal data lessons we need to learn from the Equifax hack

The Equifax data breach, which has leaked critical personal information including Social Security numbers and birth dates on an estimated 143m Americans, as well as Britons and Canadians, is one of the largest ever, both in scale and the importance of the data stolen. So what lessons can we – and must we – learn from this demonstration of individual powerlessness in the face of data theft?

  1. Honeypots of data are hugely attractive to hackers. We know this, it’s common sense – and yet still we are persisting with the centralising of personal data rather than returning it to the individual. Putting each of us in control of our own personal data, so we can choose when and with whom it is shared, is all that makes sense.
  2. When our data is sold from behind our backs, we don’t know who has it. The nature of Equifax’s credit-scoring business, which takes data from a number of sources to help other companies assess creditworthiness, makes it hard to assess whose data was stolen – and, for individuals, whether they were involved in the breach. Again, it is so much better to have individuals as the hub of all their data, sharing it with insurance companies, for example, when needed, or letting algorithms run over the data on the phone and return just the result, in what we at call private sharing.
  3. When our data has been breached by a third party, we’re reliant on them to tell us. Equifax has set up a website for people to check if their personal details were part of the breach, but there have been widespread reports of the site returning different results for the same data. It also requires a Social Security number, making it useless for anyone outside the US. Not to mention the fact that the breach took weeks to come to light, potentially giving the hackers time to use the information they had stolen before its owners even knew it was gone. We are not in control of our own data, which is created by us. That model – where our data is used for profit by others – needs to change.
  4. Those involved are at significant risk of fraud for years to come. This is not an email breach, where the people involved can simply change their passwords and (largely) put a stop to the damage. The information stolen, which also included addresses, driver’s licence details and credit card numbers, means those affected are at significant risk of identity theft – and will be for years to come. We must use breaches such as these as drivers for change – otherwise nothing will change.
  5. Finally, and possibly most scary of all, we don’t know what this means. We don’t know if this hack will translate into increased levels of theft and fraud, or whether other information held by similar credit-scoring companies is any more secure. Or, indeed, whether Equifax will be punished for this breach.

What we do know is that trusting others with our personal information has seen it leaked over and over again. The fundamental method of personal data management must move back to the individual from central stores. And until it does, massive breaches of this scale, and the subsequent hassle and problems caused to those the data actually belongs to, will continue. Regulation has a part to play, but so too does consumer behaviour – and we need to be clear that this is not ok, on any level.

Were YOU hacked? The top data breaches of 2016

2016 was the year that records kept being broken for topping the league that no-one wants to be part of – biggest data breaches of all time.

MySpace, Yahoo and FriendFinder were the big three (although there were countless ‘smaller’ ones) – all revealed in the last few months, despite being historic breaches.

MySpace seemed – and was – a huge deal when it was announced. It emerged approximately 360m records from the now-defunct platform had been hacked after millions of user names and passwords were made available online.

That seemed a ridiculous number until FriendFinder came along to top it, with 400 million stolen records, spanning 20 years of data. That it operated a lot of 18+ sites including Penthouse merely made it more tantalising (and garnered more press coverage).

But the big daddy of breaches was still to come – although the hack happened back in August 2013, Yahoo only became aware in November that data from ONE BILLION accounts had been stolen. They told the world in December, at the same time becoming the not-so-proud holders – for now – of the biggest data breach to date.

So how do you find out if you were caught up in any of these hacks? Yahoo, for example, has notified users it thinks were affected, asking them to change their password – and that’s probably best practice if you have an account with any service that has announced a hack. LeakedSource also maintains a database of over two billion records, which you can search to see if your accounts or email address have been compromised.

And if you want to be amazed/freaked out at the same time – check out this excellent site which visualises key data breaches over 30,000 records since 2004. There are a lot…

Friend Finder massive personal data breach shows why French mega database is a bad idea

Personal details from 412 MILLION accounts registered on the adult Friend Finder Network have been leaked in one of the biggest data breaches so far seen.

Dwarfing the number of users affected by the Ashley Madison and MySpace leaks, and second only to the 500m accounts leaked in the 2014 Yahoo attack that only recently came to light, this breach saw information including email addresses and passwords released.

The attack, which took place last month, was Friend Finder Network’s second attack in under two years, making it clear just how inviting and attractive targets with huge honeypots of data can be.

This is one reason why the mega personal database France is planning, which will hold personal information on the 60 million people living there who hold a French identity card or passport, is a bad idea, particularly for privacy.

Aimed at decreasing identity theft, the rationale behind it is hard to criticise – but the execution is flawed.

As shown by the WhatsApp/Facebook data sharing change, the stated aim of anything is not always how it ends up – and French people should, rightly, be concerned about how intrusive this could be if other datasets were added in the future.

It is clear that any organisation holding huge amounts of data makes itself a target for hackers – and the information held is inevitably vulnerable, threatening individual privacy.

So much better, as in the Internet of Me vision, for each individual to be the holder and controller of their own data, able to share it as and when needed on their terms.

Not only does this put the personal back in personal data, and mean we are each back in control of the information which we create, but companies and governments then need to ask for it rather than take it without our permission.

Additionally, and to the benefit of all, these huge honeypots of data are also diminished.

Information is powerful – and we all need to do everything to keep our own secure – including working towards a better plan for personal data storage generally in the future.