What happens to your personal data when a company you do business with gets hacked?
By Olev Edur
It’s scary…we read or hear regularly about corporate hacking involving big organizations such as governments or banks or social media sites, cases in which massive amounts of personal information are jeopardized. These attacks have been going on for years and, so far at least, seem to have prompted no widespread outcry among those whose information was taken. So how concerned should we be about all these corporate and government security lapses?
Given the lack of outcry, it would seem not much. But then as with life generally, the answer can depend on a lot of factors, including the nature of the attacks. “There are two basic kinds of organized criminal attack,” says Daniel Tobok, the chief executive officer of Cytelligence, a Toronto-based cyber security company. “In the first, criminals get into an organization’s system and encrypt the data so the company can no longer access it, and they demand a ransom. What they do is effectively seize control of the corporation and make the company pay to get it back.
“The second type of criminal attack doesn’t hold the company for ransom,” Tobok says. “They get the data and sell it on the dark web, which is like a flea market for criminals. If you want a hit man, or drugs, or a child slave…there’s nothing that you cannot buy on the dark web.”
Dissemination is less likely in the first case, but in the second, it’s anyone’s guess what could happen with your data. It depends on exactly what data was involved, for starters, and what kinds of new security measures are put into place after the attack, both by the organization in question and by the people whose data was hacked.
And while the lack of outcry may seem like good news, the leakage of your information could still conceivably lead to losses or costs later on. It’s just that you may never be able to connect the two events, especially if they happen years apart. As a result, both Tobok and Andy Ellis, the chief security officer for Akamai Technologies in Cambridge, Massachusetts, acknowledge the importance of always safeguarding your personal information.
That’s because, while the organization involved may fix its own vulnerabilities after the fact, by then the horse has bolted—your stuff is out there and let’s face it, North American retirees generally are viewed as prime targets (after doctors and dentists) by every scam artist on Earth.
“Personal identity information can be monetized, and everybody is a target,” Tobok says. “The average profit from a combination of name, driver’s licence, and credit card ranges from $8 to $13 per person; if you add a social insurance number, the profit can be up to $18. If hackers can reach 100,000 or a million records, well, you can do the math.”
However, Ellis is somewhat less concerned about the fallout from these attacks because, when it comes to your bank accounts and other financial assets, it’s still up to the banks and other corporations to guard those assets and not give them away to strangers.
“The real problem is based on knowledge of your identity,” Ellis says. “It’s the idea that someone can pretend to be you and use your personal information to take money out of your account or buy something with your money. Then the company calls and says you have been a victim of identity theft and you owe us X number of dollars. In that situation, what you say in response is, ‘I have not been a victim of identity theft; you have been a victim of fraud, and that is your problem.’
“There’s not much a corporation can do,” Ellis says. “They won’t sue you—they don’t want the reputation of being careless with your data, especially now with the power of the Internet to spread that information. In fact, the banks won’t ever let it get to court, because they don’t want to be branded as careless. And if the incident affects your credit rating, you can always challenge the rating.”