Ripples in the Water

Data breaches can create ripples that disturb waters seemingly far removed from the source. As the threat landscape continues to evolve, and the quantity of personal data collected and processed increases, the importance of adopting safe and proportionate data security measures cannot be understated. For data controllers, such as businesses, schools and government departments, these controls are required as part of the Data Protection (Jersey) Law 2018. However, it takes two to tango and data subjects, the people who the data is about, also play a crucial role in protecting their own information and safeguarding their privacy.

Understanding the risks involved should your data fall into the wrong hands is key to privacy and security awareness. In this blog some illustrations are made as to how seemingly minor data breaches can trigger a cascade of events that lead to more serious consequences than initially envisaged.

How much does your name say about you?

Our names are useful tools. Others use it to communicate with us, and it allows people to be identified quickly rather than having to describe how tall they are and the colour of their hair. Our names are also generally un-unique. Regarding data security, this can be comforting. A leaked name is not automatically a direct link to you as an individual as there may be lots of people sharing your name. But names are also fashion, and history. If you were to look up the most popular baby names in the 50s, you would find that the top 10 are completely different to the 80s, and the 80s to the 2000s, and the 2000s to 2020 with only one exception.

Different cultures and religions often have different naming conventions. Information revealing an individual’s religion is classified under the law as 'special category data', as is information revealing an individual’s ethnic origin, which is subject to increased regulation and protection. Names are not classified as 'special category data'. However, certain names, for example Muhammad or Christopher, can give an indication of these characteristics.

Scammers use this to their advantage. They get hold of names through social media or other sources, and as long as they have an address, email or phone number, they can direct scam communications to those they consider to be most vulnerable. They can add pieces of information together to create a larger profile and they may tailor scam content to try to appeal to a demographic to increase the chance of success.

As illustrated in this example, one bit of personal information, such as a name, can begin a trail of breadcrumbs that can lead threat actors to more valuable data.

Don’t have a single point of weakness

It comes as no surprise that people often use the same username and password for different services. People reuse their login details, often referred to as login credentials, mainly because of the large number of services they have, and the fact that it is hard to remember passwords and it’s much easier to access our services if we use the same one repeatedly. However, this means that if one of your accounts or services is breached those login credentials also unlock others. The result is a large attack surface that only requires one point of weakness to gain access to other services. A breach of that one website you visited and created an account to check out that cake recipe 5 years ago could compromise your email account, PayPal or other important service.

One such example of this is an attack called credential stuffing. Credential stuffing attacks are a type of brute force attack that uses automation to inject stolen credentials, such as a username and password, into services like websites and applications to gain entry. It is a common attack that exploits the reuse of credentials.

From an organisation’s point of view, this can be difficult to prevent, particularly if the attacker uses botnets, networks of computers infected with malware, to send the requests. An attacker may obtain credentials through social engineering, a website breach, database dump, purchase them on the dark web or other sources. Once they have gained access, they may use the accounts to send phishing emails, use the information contained in the accounts for fraud or sell the valid credentials on.

This is just one example of how a single breach of your personal information can domino into multiple, more damaging, incidents.

Some data doesn’t matter, right?

Under the Data Protection (Jersey) Law 2018 businesses and other entities that process personal information are required to implement proportionate organisational and technical controls to effectively implement the data protection principles, one of which is data confidentiality and integrity. However, this is not always performed adequately. One such example is improper authentication.

Improper authentication is when a person claims to have a given identity, but the software does not sufficiently prove that they are who they say they are. This would be the case if only the first letter of a password was checked when logging in to a website rather than the whole thing. Improper authentication can lead to some data deemed harmless facilitating access to accounts by getting around the intended authentication process. For example, in the context of cars connected to the internet, there was a case where the vehicle identification number or VIN, which is typically displayed on the dashboard of a vehicle, can be used to remotely take over the air-conditioning system and view driving history. In this case it was intended that the vehicle system could only be operated by the authorised owner while logged into the app, which was protected by a username and password. However, by exploiting a weakness, an attacker could do it with only the VIN.

The main point to take away from this is that even if a piece of information shouldn’t be damaging if it falls into the wrong hands, it can be. As such, no piece of personal information should be considered insignificant, as a tiny drop of seemingly inconsequential information can create far reaching ripples.

What can I do to help mitigate these risks?

Practice good data privacy awareness. Before giving out your personal data assess the risks involved and the importance of the goods or service you may receive in return. Is it worth it.

Use multifactor authentication (MFA). MFA is when two or more pieces of evidence are required to access a website or application. Increasingly, a username and password is still used to secure access to a service, but is supported by an additional security measure. An example of MFA is, after inputting a username and password, an SMS containing a one-time code is sent to the telephone number associated with the account. Only after inputting this code will the user be able to login. A number of other MFA options exist: authenticator applications, biometrics and more. These options are usually found in the ‘security’ section of an application or service and may be called two step verification or 2 factor authentication. This on its own significantly reduces the effectiveness of credential stuffing attacks.

Avoid the reuse of passwords and ensure they are strong. Password strength is determined by a combination of length and complexity. This may be achieved by using a reputable password manager that generates strong passwords at the point of creation and saves them in a secure place, that only you can access. Ensure your email account credentials are strong, as this is often the place where your other passwords can be reset.

Summing up

Both data controllers and data subjects must take a holistic view of their data security. Data can be used by threat actors (the bad guys) for many different purposes, and one data breach can have rippling effects. Implementing certain practices can help to defend against these threats but developing privacy awareness and practicing privacy by instinct is crucial to stay ahead of the evolving threat landscape.