Another day, another high profile hacking headline. In January it was Chinese hacks of newspapers, then it was think tanks, and now everyone from Beyonce and Jay-Z to First Lady Michelle Obama and Attorney General Eric Holder is having their personal data splashed upon the web. There’s one scary truth all these stories should highlight: The only reason your data hasn’t been compromised is because you haven’t been competently targeted yet.
This latest instance of hacking in and dumping someone’s personal data onto the web, a practice often called “doxxing” in hacker circles, is perhaps the strongest case yet for why you should be wary about the security of your personal information.
The full list of the compromised contains big names: Vice President Biden, LAPD Chief Charlie Beck, AG Holder, former Secretary Clinton, FBI Director Robert Mueller in addition to a string of celebrities of varying stature. Undoubtedly, the most prominent were using strong security procedures to avoid the exposure of their personal data. And yet, none of that mattered, thanks to the source of the breach according to NBCNews.com:
“The Equifax credit bureau confirmed Tuesday that criminals have stolen credit reports from AnnualCreditReport.com, the website designed to allow consumers free access to their own credit reports.
The theft suggests criminals have outfoxed AnnualCreditReport.com’s defenses, potentially giving them access to potentially 200 million Americans’ credit reports. According to the Consumer Financial Protection Bureau, 16 million consumers use AnnualCreditReport.com annually.”
AnnualCreditReport.com, a joint project between our nation’s three largest credit bureaus, itself was not hacked so to speak, but the hackers likely used a combination of trial and error and personal information that could have been gleaned from scouring the web or purchasing it from online data brokers to successfully authenticate themselves as the victims. The ease of the fraud raises a host of concerns: Consider that Equifax has assembled a private database of the employment and salary records of more than one-third of working U.S. adults. Plus, Equifax and its customers have previously agreed to pay a $1.6 million dollar Federal Trade Commission settlement for improperly selling lists of consumers late on mortgage payments. Does their data security record suggests an ability to competently secure access to that mountain of sensitive information?
The tactic used here against Beyonce and the First Lady could have been used on anyone in the database — the only thing separating you from these victims is that someone thought they were worth targeting, and took the initiative to do so. As President Obama noted Tuesday evening while declining to confirm or deny if the First Lady was compromised, “[w]e should not be surprised that if you’ve got hackers who want to dig in and devote a lot of resources, that they can access peoples’ private information.” And you don’t have to be a traditional celebrity be a target for hackers — just ask Mat Honan, the tech journalist who watched his digital life unravel when hackers decided they wanted his three-character Twitter handle. Or ask the women being spied upon by their own webcams and aren’t even aware their systems capture every keystroke or intimate moment with their laptop open in the background.
Three out of five U.S. adult internet users are worried they are vulnerable to being hacked, and they have reason to be: Regardless of how thorough your password hygiene, today’s technology means cracking a password is really only a matter of time — hence the move multi-step authentication among many web services. But, as the recent celebrity doxxing shows, the victim doesn’t even have to be involved or negligent in security practices to be vulnerable.
Private industries including critical infrastructure and federal networks are also vulnerable to cyberattacks and fraudulent access. And, as new sectors, like health care, become more integrated into the the digital world, the the amount of sensitive information somehow connected to networks will grow, leading to even more privacy and security challenges. There’s been some movement on the issue in the form of an Executive Order, but most Americans remain unprotected from our cybersecurity reality — and unless a compromise that respects civil liberties can be reached, they are likely to stay that way.