Summary of 2019: Personal Data Continues to Leak

Carelessness, negligence, recklessness, incompetence still is the summary of the attitude to the safety and security of data in a few words. Everywhere on the globe, data arrays are collected, accumulated and stored in such ways and in forms that are convenient for those who use them, and the threats of loss and misuse are overshadowed by the race for profit and the narrow interests of state and corporate structures.

The competition encourages endless movement, absorption and consumption: while you think, others take your piece of the pie. Most likely, this is a consequence of the rapid development of information technology: just a few decades ago, the capabilities of modern technology in the field of data generation and processing seemed fantastic. This gift of progress has fallen on the head of people who see its advantages, anticipate benefits and do not notice threats.

Alarm bells have been heard for a long time: global leakage of personal data is happening more and more often; the amount of information flowing away to attackers or simply becoming accessible to anyone is growing. Here BNT presents a few illustrations of this statement: hacks, thefts and facts of the discovery of personal data in the public domain of recent times.

DoorDash: a third party with access to the database

4.9 million customers, workers and sellers — these people’s data became available to outsiders as a result of the actions of an “unauthorized third party”. The information that leaked includes names, phone numbers, delivery addresses, the last four digits of bank cards, the last four digits of bank accounts, order history, driver’s license numbers and hashed logins and passwords.

A leak was discovered on May 4, 2019 — among the victims were users and sellers which registered in the service before April 5, 2018. The company took measures to block access to the data of its customers for unauthorized third parties, consulted with experts in the field of security and strengthened measures to control information.

Sberbank: 60 million — 200 — 5 thousand

Computer security experts discovered 60 million credit cards of the largest Russian bank on the black market — at least, the seller claimed this amount. An investigation conducted by law enforcement agencies together with the organization’s security service revealed the culprit of the leak: the head of one of the bank’s departments, who later was arrested.

The actual amount of customer data that has become available to outsiders is unknown. According to contradictory statements of the bank itself, it’s difficult to compose a picture: the “final” investigation claimed of only two hundred leaked records, later it became known that the attacker had already sold the data of five thousand cards.

Sberbank re-issued active credit cards. The total number of active Sberbank cards in circulation is about 18 million. However, there are doubts that a simple re-issue of cards will eliminate problems for customers whose data has been compromised. Name and surname, passport number, address and place of work, date of birth, home address, credit limit — all this information has leaked. A simple re-issue of the card will not deprive criminals of this information.

Dunkin 'Donuts: A strike from the past

In September, a lawsuit was filed in a court in New York against this company, which alleged that Dunkin 'Donuts had known, but hadn’t taken action, and had not warned customers about the vulnerability of their user data storage systems to hacker attacks. It is reported that the company issued special loyalty cards that their customers could use for purchases. In order to use these cards, they had to be registered in personal accounts and connected to bank accounts or cards.

In 2015, hacker attacks began on users' personal dashboards, as a result of which attackers became aware of data tied to accounts. As a result of these actions, about 20 thousand people were affected.

Canva: 139 million users

The graphic web service developed by the Australian company was attacked in May this year. Attackers gained access to the database of service users. The personal information of clients falling into the hands of hackers includes usernames, logins, email addresses, countries of residence, addresses of personal websites and hashed passwords.

The number of users in the database is 139 million. It is also reported that attackers could view information about bank cards of service customers who registered before September 28, 2016, where one could see the payment history, the last four digits of the number, owner’s name, expiration date and the name of the company that issued the card. It is said that all this data was not downloaded by hackers, they simply could view them.

Tax agency: all adults in the country

A complex hacker attack on the Bulgarian tax service servers cost the leak of personal data of more than five million residents in June this year. It is reported that several servers were hacked, and the amount of stolen data from many databases allows to estimate that all adult residents of Bulgaria were affected.

The tax service filed a lawsuit in the amount of almost three million dollars against an agency providing cyber security of information systems. Experts believe that the validity of the claims is justified: analysis of the data leak showed that hackers used fairly primitive hacking techniques.

Accusations made by the press against the ubiquitous Russian hackers can be considered quite curious: the conclusion was made on the basis that the letter from the attacker who offered to sell the stolen data was sent from a Russian postal service.

Conclusion

The European GDPR, the Russian Law on the Protection of Personal Data, the American CCPA are examples of how states try to put things in order in the circle of personal information of their citizens. However, as the examples above show (which are not an exhaustive list of leaks — there are more), these measures are clearly not enough. There is a need for an integrated approach combining cryptographic technologies, blockchain and transparency of working principles, and Bitnewstoday has already spoke about digital identity projects working to implement this approach.

What needs to happen so that the need for their implementation becomes apparent at the state level? Perhaps future much larger and more destructive leaks will become such an incentive.