January 28th, 2017 was data privacy day (https://staysafeonline.org/data-privacy-day/) and on this day I normally write a blog post or speak at some conference about important guidelines or best practices for data privacy. However, over the last year something has started to become more obvious to me as a result of my work. Data Privacy is not that simple. Yes, we can create systems and processes that help to prevent the leakage of data and those systems can be successful for companies. Policies, procedures and technical controls can help to protect financial and other sorts of confidential company data. That is, if the organization has and follows a good security and data privacy plan, which must also include facility security. While this seems simple, there are still so many data leaks. What is surprising is that Insider threats cause more than half of data leaks. Employees remain the biggest source of information leaks, both intentionally and unintentionally.
However, my area of research does not focus on whether or not what was predicted actually comes to fruition, but instead I focus on what are the threats of the future. I think everyone reading this brief post has some ideas on what those major threats may be, but I would like to suggest one on which there seems to be very little focus at this moment. The threat of public databases and the internet search engine and how that data should be influencing what should be considered personal and/or sensitive information that companies expose or use for research.
Let’s consider Sensitive Personal Data and Personal Health Information (PHI):
Sensitive Personally Identifiable Information(PII) / personal data means personal data consisting of information as to the data subject’s;
- racial or ethnic origin,
- political opinions,
- religious beliefs or other beliefs of a similar nature,
- membership of a trade union,
- physical or mental health or condition,
- sexual practices,
- the commission or alleged commission of any offence, or
- any proceedings for any offence committed or alleged to have been committed by the subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Under US Law and specifically the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care including:
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000,
- Dates (other than year) directly related to an individual,
- Phone numbers,
- Fax numbers,
- Email addresses,
- Social Security numbers,
- Medical record numbers,
- Health insurance beneficiary numbers,
- Account numbers,
- Certificate/license numbers,
- Vehicle identifiers and serial numbers, including license plate numbers,
- Device identifiers and serial numbers,
- Web Uniform Resource Locators (URLs),
- Internet Protocol (IP) address numbers,
- Biometric identifiers, including finger, retinal and voice prints,
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
These items seem quite easy for a company to protect but are they really? What about “inferred” personal or sensitive personal information? Who protects that data? If we look at insider threats and consider social media, search engines and public databases the insider threat is us, the data subjects. This is because friends, family, and ourselves like to share and sometimes overshare. This information becomes easy to find over time and can be used for good or bad ends.
Here are two simple examples:
Example One – The Diner
Recently, I went to meet a friend of mine at “The Red Arrow Diner” to discuss politics in Manchester, NH. It was crowded but we were fortunate to get a booth. My friend and I discussed climbing and our desire to go peak bagging of NH’s 4000 footers (1220m) in New Hampshire. I discuss other mountains I have climbed including Mt Aconcagua. He says, “Rob let’s do it!”
Unfortunately, there was a bad actor in the diner. They leave and go to Google.com, where they type in Rob NH Aconcagua. At the speed of light, they find out:
- My full name
- Where I have lived for last 30 years
- Who my family is and where they live
- Where I work
- I am a member of the Freemasons and I have undergone my 32nd Degree with the Scottish Rite.
- I am a pilot and they get my US Pilot License number and my medical certificate
- I am a HAM Radio Operator and they get my FCC License and station ID
- My Court Records
- That I Believe in a God
- Personal and Professional Blogs
- My email addresses
- Every book I published
- Every Country I have been to
- Every company I started
So there is some personal and sensitive information here, and if a bad actor is smart enough they can use this information to launch attacks against me. Here are some possible attacks:
1. Theft or Burglary-Another climber or an opportunistic thief was in the diner, he knew that I had to have extreme altitude climbing gear or expensive gear to climb to the peaks that I have already done – He has my address and enough information to case my house and plan to attempt to rob me before my dogs get him/her.
2. Spear phishing combined with social engineering-The person can find all my email addresses so they send me a mail from a “cousin in Philadelphia”. I fall for it and transfer them money for some crisis, or worse I open a funny party video, that they downloaded from my cousins YouTube site and malware is installed on it, say a key logger, and they get my data and account information.
3. Retribution or Discrimination-For some reason I offended someone with my political views, they found my information on line and were enraged by my views and blamed them on the fact that I believed in God and drove to my house, sliced the tires on my car and broke windows, letting my dogs out before getting caught by the dogs.
There are more damages that can come from this and I will leave that to your imagination.
Example Two – The Plane
On a trip back from Moscow last year I met a nice woman on the flight, I will leave out the names and specifics so as not to leak her information and I will use other fake data in an attempt to protect her Identity. Carol (not her Name) was in a rush to get back to NJ as she missed her daughter and her boyfriend had been elected to a State Office in NJ (Not the actual state) when she was away and she wanted to celebrate with him. We had a great talk and discussed the cast on her arm (Not actually on her arm) and her profession “Kickboxing Teacher” (not her actual profession). Our conversation was interrupted a few times by a person sitting behind her that kept kicking her seat. Carol also got the attention of some men sitting around us that seemed to be listening to our conversation. She discussed her upcoming trip to Berlin and that she would be gone for two weeks and her daughter would be keeping her dog for that trip as there was no one local that could take care of the dog. In the end Carol said it was great talking to me and asked me if I wanted her email address so that we could stay in touch. I smiled and said “I bet I can find your email and full name without you telling me”, she smiled and said “you are on”. We exchanged no information. On getting home I went to my PC and I typed Carol, Kickboxing Teacher, NJ, Cancelled Classes. I found the place where she worked with a nice personal Bio of Carol, that discussed that how her dog (that she loved) was a great companion, particularly as she was living alone since her daughter had moved out. I also found her Boyfriends full name and the office to which he was elected to in NJ. With the full name I then found her emailed her and sent her the steps on how I found the information. She was shocked that I found so much and grateful that I pointed out these leaks of personal information to her.
So there is some personal information here, and if a bad actor is smart enough they can use this information to launch attacks against her. People on the plane around us could have overheard and used that very same information to impact her, her family and possibly even to impact an elected official. Beyond social engineering, she too could be impacted by the threat of burglary, harm or many of the very same issues I listed above in the first example. I am sure you can imagine more harms and of course remedies.
In closing, for individuals, just like in corporations-we are the insider and many times we may pose the biggest risk to ourselves. We may be our very own biggest threat for data leaks. This raises some new considerations as well:
- Should companies allow employees to post personal public or internal information on company web sites or collaboration mediums?
- Should companies have to control the release of customer PII if the same information when combined with public search engines and public databases will lead to the release of personal health or other sensitive information?
- Are we sharing to much information and does that information put us at risk?
Without intention, we may be harming ourselves, our families, or our career opportunities by sharing information that data aggregators can combine to paint any picture of us to suit their needs, and all of that data massaging is done at the speed of light. There is no simple answer to all of these problems, but one good piece of advice, from Data Privacy Day is before everything else “Stop, Think, and then Connect.”
FBI – Spear Phishing:https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109
Social Engineering Description on Wikipedia:https://en.wikipedia.org/wiki/Social_engineering_(security)
EEOC – Types of Discrimination: https://www.eeoc.gov/laws/types/
FBI – Cyber crime – https://www.fbi.gov/investigate/cyber
Stop Think Connect: https://staysafeonline.org/stop-think-connect/