The Eternal Leak: How Regulators Fight Personal Data Leakage

    The problem of personal data (PD) leaks affecting users of social networks and web services is discussed in the media more and more often. Probably everyone has heard the story of the analytics firm Cambridge Analytica, which managed to obtain the personal data of 87 million Facebook users (including the data of Mark Zuckerberg himself).

    However, there are less well-known PD leaks of comparable scale. Let's look at a few examples and talk about what measures regulators and IT companies are taking in an attempt to prevent such incidents.

    / photo by Mike Rickard CC

    The situation with leaks of personal data

    In 2016, the number of PD theft cases increased by 40% compared with a year earlier. In late spring 2016, hackers put up for sale the credentials of 360 million MySpace users. The same fate befell 164 million email addresses and passwords from the social network LinkedIn and 100 million user accounts.

    And the "volumes" of leaks only grow. As noted by InfoWatch, a company dealing with information security, in the first half of 2017 alone 7.78 billion records containing personal and payment information of users of international services were compromised. This is almost eight times more than in the first half of 2016 (1.06 billion), and more than twice as many as in the whole of 2016 (3 billion). Moreover, both hackers and company employees turn out to be responsible for leaks (intentionally or unintentionally).

    For example, hackers were to blame for the Yahoo user data leak several years earlier. In 2014, they stole the personal data of more than 500 million users of the service. According to the company, names, addresses and phone numbers, as well as dates of birth, could have "leaked". It later emerged that in 2013 there had been another, more serious breach, in which hackers obtained information on more than 1 billion Yahoo users, including passwords and answers to security questions.

    And in the case of the analytics company LocalBlox, which became known a couple of months ago, the data "leak" occurred through the fault of the company's own employees. LocalBlox collected data about users of several social networks and web services at once: Facebook, LinkedIn, Twitter and Zillow. The data included first and last names, links to social network accounts, address, date of birth, email and phone number, salary, interests and much more. The entire dataset on 48 million people (1.2 terabytes in size) had been left in publicly accessible Amazon cloud storage. It was discovered by employees of the cybersecurity firm UpGuard.

    One cannot ignore the Equifax case, which has been called the "worst leak". In 2017, the Social Security numbers, credit card numbers and driver's license numbers stored by the credit bureau fell into the hands of attackers. In total, 143 million customers were affected.

    There are also cases where data brokers were involved in leaks of users' PD. In 2011, the marketing company Epsilon was hacked. The email addresses of millions of people ended up online, and their owners were subjected to a series of phishing and spam attacks. And in 2015, Experian was hacked: the attackers "leaked" the personal information of 15 million users.

    To reduce the damage from similar incidents in the future, American telecommunications companies have even decided to stop selling customers' location data to brokers. We wrote more about this in one of our past blog posts.

    Tightening the rules: a solution or a new round of contradictions?

    Many experts and politicians around the world agree that past cases of leakage and theft demonstrate the need for tighter government control over how users' PD is stored, shared and protected. One of the most widely discussed laws passed recently is the GDPR.

    The GDPR is meant to give EU citizens more control over the data that online services request from them. In particular, users can now prohibit social networks from sharing their personal data without their knowledge and can demand information on how that data is used.

    If the requirements are violated, companies face serious fines: up to 20 million euros or 4% of annual global turnover, whichever is higher. Therefore, many services have already changed their privacy policies accordingly and introduced new features. For example, to meet the requirements of the GDPR, WhatsApp added the ability to request a copy of one's account information: settings, profile photo, group names and so on. Instagram, in turn, announced a new data download option. We have prepared a separate article on other changes in the policies of media companies.

    Regulators also set the time frame within which a company must report a personal data breach. Under the GDPR, this "window" is 72 hours after the breach is discovered; the notification goes to the supervisory authority, and if the breach is likely to pose a high risk to the people affected, they must be informed as well, without undue delay.

    / photo Descrier CC

    In different countries, and even in different US states, regulators set their own rules on incident reporting. For example, in Florida and Colorado, regulators must be notified within 30 days of a breach. At the same time, according to research, it currently takes American companies an average of 206 days just to detect the loss of confidential information. Therefore, as the Ponemon Institute notes, companies will have to improve.

    If a company hides information about a leak or break-in, it risks a large fine. At the end of April 2018, the US Securities and Exchange Commission announced that Altaba (formerly Yahoo) must pay a fine for hushing up the 2014 personal data leak. The fine, imposed for keeping silent about the scale of the theft rather than for the breach itself, amounted to $35 million.

    In Russia, the fines for violations in the processing of PD are smaller. However, regulation may soon follow in the footsteps of the West: the country's authorities plan to introduce insurance against the risk of personal data leaks. The fate of this initiative should be decided this month.

    Whether such government projects will prove effective in the long term, and how they will affect the online life of users, remains to be seen, since bills in this area are not always straightforward. Consider the recent EU copyright reform, which the European Parliament rejected this week.


    The main business of IT-GRAD is the provision of cloud services:

    Virtual Infrastructure (IaaS) | PCI DSS Hosting | Cloud FZ-152 | Rent 1C in the cloud
