With the recent news around password breaches and the subsequent impact caused by individuals reusing those passwords on other sites, we thought it would be prudent to discuss the collateral damage from an end user’s perspective. It seems as if every day there is a new data breach of which enterprises and consumers should be aware. We decided to compile the most talked-about breaches happening right now in a series of posts, not necessarily to explain how these breaches occurred, but to show how a data breach impacts the end user.
Data Breach – Why should we talk about it?
For those who haven’t followed the recent news on password breaches and their fallout, here is a brief summary. Consider the recent LinkedIn attack, where the thief stole username/password pairs and dumped them on a public site. Those passwords were then reused to hijack those users’ accounts on other sites, leading to their entire accounts being compromised. Even though LinkedIn forced its users to change their LinkedIn password, that does not by any means translate into users changing their passwords on other sites. This leaves the users exposed to account hijacking by the bad guys, resulting in compromised data that can be used later for a very targeted attack.
The Data Breach Big Picture
The number of people with Internet connectivity reached over 3.4B in early 2016, which represents over 46% of the total global population of 7.4B. Whether it is banking, shopping, healthcare accounts or social media, the shift to online transactions and personal interactions has resulted in almost every one of these individuals having at least one account that requires access via a username and password. The average Internet user has 26 online accounts and only 5 common passwords that are used to access these accounts. Of the 3.4B people with connectivity, if just 20% of this total represents an average Internet user with 26 accounts, this means that there are 680M people with over 17.68B individual online accounts registered to them. With 17.68B online accounts in existence, cyber criminals are continuously incentivized by a potentially enormous monetary reward to illegally access and hijack accounts, impersonate users and/or steal information or money. Once an attacker accesses a different account from the one that was first compromised, depending on the type of account, the impact could be anywhere from mild to severe, with no recourse for the user.
There are some laws that protect a user’s confidential data such as SSN or medical information, but that protection is limited in scope. What is noteworthy is that not all user data is treated as confidential under the law. This leads companies to treat various types of data differently, and in the event of a data breach they may or may not have any legal obligation to protect the user or even to notify them about the breach.
For example, LinkedIn was not/is not obligated to disclose that it lost its users’ passwords. Compound that with the fact that users used the same passwords on multiple sites. Hence, if someone steals their financial information, medical information and other types of confidential data, or posts something inflammatory on their social profiles, it is the end users who will suffer, and the companies, by law, cannot be held accountable.
This is only one of many examples of collateral damage from a data breach; in this case, the data in question is the username and password. In the following posts in this series, we will analyze the collateral damage from other data breaches related to various types of user data, including medical information, SSN, PII and more.
Up next: the collateral damage of an electronic health records data breach.
Interested in mitigating the causes of data breaches at your organization?