Whenever we submit information to an online service provider or business, there’s an element of trust involved.
We accept that the company might resell and reuse this data, but we simply have to trust that they’ll keep it safe.
The protection of personally identifiable information (PII) is enshrined in laws like the EU’s General Data Protection Regulation.
However, even GDPR can’t prevent catastrophic data breaches, such as those enacted by agents of enemy states with substantial technical resources at their disposal.
So how do data breaches occur? And is there anything we as consumers can do to minimise our risk of being involved?
Breaching the defences
Business management software company Intact recently released the results of a study covering 16 years of corporate data breaches, from 2004 to 2020.
They concluded that over half of all breaches occurred as a result of hacking.
The initial response to this might be to suggest corporate security is nowhere near as good as it should be, but of course things aren’t that simple.
Hackers can be state-backed, based in warehouses full of computers running algorithmic password-guessing software and with enough bandwidth to force entire servers offline.
Throw enough resources at a firewall, and you’re likely to breach it. Have enough goes at identifying a weak password, and you’ll get lucky eventually.
Between coding weaknesses, application vulnerabilities, malware, Trojans and brute force attacks, there are plenty of ways to break into a database or server.
Of course, in some cases, data breaches occurred because companies were lax, apathetic or simply not doing everything they could to stay safe.
Facebook alone has lost around 865 million pieces of PII since 2010.
Some companies have been targeted more than once, like hotel chain Marriott, which has lost over half a billion records to hacking.
Certain industries are also prone to attack, with tech firms, healthcare and the public sector among the biggest targets.
Hacking isn’t the only data risk to beware of, either.
Other high-profile causes of data loss included devices which had been lost or stolen (15 per cent), poor security (12 per cent), and accidental publication (six per cent).
Human error is an often-overlooked aspect of security breaches, and sophisticated social engineering fraud can be a contributory factor.
What can be done?
Perhaps the biggest takeaway is the importance of not sharing information unless it’s essential.
Do you really need to inform social media about every aspect of your life, or sign up to a corporate membership scheme for a one-off perk or discount code?
Nobody has the time or patience to wade through lengthy privacy statements, but a quick Google search might reveal examples of irresponsible historic data use from these firms.
This might deter you from handing over PII to these companies in future.
With stolen databases of usernames and passwords being routinely traded across the Dark Web, avoid reusing passwords, and try to change sensitive login credentials periodic