Posted by Trevagh Stankard on Tue, Jun 29th, 2021
Can a Data Breach Like the 533 million Facebook Records Leak Be Prevented?
Hardly a day goes by without a mega data leak being announced to the world. In April, one such leak involved the phone numbers and other personal data of 533 million Facebook users' from 106 countries. The data was stolen and exposed on a popular online hacking forum. This mass-scale violation of the security and privacy of user data is not an isolated incident. What is concerning is the normalization of this type of data exposure, even when stringent rules are being used to protect personal information from insecure practices. The question is: can these levels of data exposure be prevented, or do we have to ‘learn to live’ with them?
Can Privacy Legislation Help Prevent Data Breaches?
Data privacy has become a hot topic ever since the EU enacted its General Data Protection Regulation (GDPR). Privacy was not born of the GDPR, rather the regulation provided rails upon which data privacy could be achieved. The GDPR developed notions of privacy based upon the idea of ‘data subjects rights’. These rights, encapsulated in eight key statements, include the ‘right to erasure, the 'right to rectification, and the ‘right to access data. The legislation is underpinned by a legal basis such as user-led consent to share data and enforced by a hierarchy of organizations and individuals with heavy fines for violations. Many countries now emulate or go some way towards, a local version of the GDPR, the California Consumer Privacy Act (CCPA) being an example. Exposure of data has led to large fines including a fine of $26 million against British Airways for allowing its systems (including consumer web portals) to be compromised, resulting in the exposure of personal and financial data from 400,000 customers.
Privacy and security are not the same. However, they are interrelated, and security helps enforce certain aspects of privacy, namely preventing personal data from being exposed.
The GDPR is built around the principles of privacy by design and default. This is a general-purpose approach to privacy that encapsulates systems, processes, people, and technology.
Privacy legislation often includes hints at the type of security needed to achieve protection of personal data so that leaks can be prevented. The GDPR states that personal data must be processed using ‘appropriate technical and organizational measures'. What this means in practical terms is open to debate. Analyzing how data was leaked gives an insight into what constitutes ‘appropriate’ technology that is effective in protecting personal data.
Appropriate Security for Privacy Protection
Data is leaked via several methods. Some of the most common are:
Threat Stack survey found that 73% of organizations have identified at least one critical security misconfiguration. Misconfiguration of cloud components such as databases is behind many data breaches/exposure. This was the case when Capital One bank experienced a massive data breach in 2019, resulting in 106 million data records being exposed. The problem was identified as privileged access misuse and misconfiguration of a Web Application Firewall.
According to the Verizon Data Breach Investigation Report 2020 (DBIR), phishing attacks are involved in 36% of all data breaches, up by 11% from the previous year. Cybercriminals take advantage of cloud apps, using the trusted branding of Microsoft and other corporate apps to phish users, stealing credentials, and using these to steal and expose personal data.
The latest ransomware doesn't just encrypt data, it makes use of other malware, such as a Trojan, to also steal data. Ransomware is prolific. Recent high-profile ransomware attacks, such as Colonial Pipeline company, highlight the use of stolen data to put pressure on the company to pay the ransom. In the Colonial Pipeline ransomware attack, cybercriminals encrypted system files, but also stole 100 gigabytes of data.
Each method used to steal and expose data is also a privacy violation. Consent to share data, a tenet of many privacy legislation the world over, requires ‘appropriate security’ to prevent non-consensual data leaks. But what are these appropriate technologies?
Five Examples of ‘Appropriate Technologies’ to Maintain Data Privacy
Privacy legislation is typically non-specific on what types of technologies to use, the wording may mention some, such as encryption or access control, but the details are not offered. In terms of data protection and prevention of data exposure, certain technologies can be used to add the appropriate security needed to prevent a data leak and to meet regulatory compliance needs:
- Encryption and access control: End-to-end encryption for data in transit and data at rest encryption are fundamental in helping to prevent data exposure. Email encryption, data leak prevention technologies, and secure app access, all contribute to a secure system that prevents data leaks.
- Pseudonymization: Used to replace data within a data set that would otherwise identify an individual. GDPR recommends using pseudonymization alongside other technologies.
- Privileged access management (PAM): Managing privileged access using PAM solutions can help prevent data exposure.
- Web content filtering: compromised websites contain malware such as ransomware. WebTitan stops employees from navigating to these websites and inadvertently infecting a network with malware. Data Protection Officers (DPOs) can use web content filtering to enforce different web access policies for different environments.
- Anti-phishing for emails: SpamTitan blocks malicious attachments and links to infected websites, thereby preventing phishing-related data exposure. It also prevents data breaches by dual antivirus engines to safeguard personal data stored on network systems.
The data leak exposing 533 million Facebook users is just a sample of an avalanche of stolen data. The privacy implications of these exposed data mean that consumers and companies alike suffer. Consumers lose control over their data, a key tenet of data privacy. Companies involved in privacy violations lose customer trust. The use of appropriate technologies can help mitigate the loss of privacy and help companies achieve compliance with regulations such as CCPA and GDPR and maintain better customer trust.
Protect your business from data breaches with TitanHQ multi-layer security. Speak to a security expert today to discover how we can stop potential data leaks. Contact us.