
Common sense data security – keeping privacy private
I was recently reminded that data privacy is a two-way obligation. Not only must the data supplier (“user”) take care over what data they share and with whom; the receiving business must take steps to collect personal data responsibly and legally, then honour the trust they have been given: keep that data safe, process it in a guarded way at every step, and do nothing that gives the now millions of online crooks, bots, and AI scanners easy access to personal data that is simply given away.
Both parties involved in supplying, processing and storing personal, private data must learn how to – and how NOT to – upload, transfer and store personal data, or expect the crooks and bots to gain access to it.

Hands up anyone who thinks it’s acceptable to send personal data by email.
Spoiler alert, it’s not. And if you do it or encourage it as a business, it represents (at least in Europe) a potential existential threat to your business and, when (increasingly likely) traced back to you, will certainly do enough reputational damage that you’ll wish you’d listened to some helpful advice.
As an individual, if you send personal data (such as account logins) via open email you may as well post the data on social media and invite crooks to empty your wallet.
I recently had to change the company my wife and I use to complete our personal tax returns (France: 4 income streams = 4 numbers = 4 multi-page forms to record the same data and one slip = big fine).
We don’t need a “Big-5” accounting firm to file our taxes – just someone who knows which boxes to put the numbers in this year.
The company chosen talked the right talk and seemed to understand how international income and disability have to be treated, so the information was sent off and the tax return awaited for checking.
Then came the problem. In order to file the return the company needs my login ID AND password to access my on-line tax account.
“Send them to us by email” I was told.
I replied saying that email (in general) is insecure and completely the wrong communication method for providing such information. The tax site contains enough personal data that anybody accessing it could conduct a comprehensive identity theft – for example, all personal bank accounts are listed along with enough personal data to pass most bank security questions. Not only would a criminal with access be able to perform account takeovers, but they would also be able to open new accounts (e.g. the new breed of online neo-banks have pretty poor security) and then run up debts in your name. The list gets worse.
The company said it had been collecting this information “for years” using email and claimed they “had never had a problem”.
The business’s email address is with a well-known, free email service provider whose name begins with “G”, and that service refuses to accept or establish an encrypted connection between email servers (which would at least protect message content while transiting the open Internet), ensuring that anybody monitoring passing traffic could read message contents. The tax business therefore has at least a double-whammy of a problem.
Enough of a problem that, should the login data be stolen while en route – to the email server or to their email reader – they would be liable for damages caused by unauthorised use AND face the small (but ever more enthusiastically wielded) spectre of GDPR (which requires businesses to protect and secure personal data at all stages of its processing – that includes its collection). If anybody does not yet know how expensive a breach of GDPR can be, I suggest you look it up now.
I responded by sending an email setting out my credentials (I like to think I still understand a thing or two about IT matters) and offering – free, gratis – the names of, or mechanisms for, some simple, low cost or free ways to collect the data safely – the simplest being to add a form to their already HTTPS-secured website to collect the desired data. An open and generous offer to help.
Get this – the company responded by telling me they were charging me for the time it had taken them to read my email. Quite rudely.

Am I making a mountain out of a molehill?
The US Bureau of Justice (the most concise document I could find) reports that in 2021 (the latest statistics I could find) 9% of the adult population of the United States reported being victims of identity theft – at a cost to them of $16.4 billion. The data from Europe is similar both in terms of percentage of population affected and scale of financial loss.
The fact is that gaining access to personal data is frighteningly easy, and the “rewards” to crooks that use such data to commit theft and worse are so great, and come at such low cost, that identity theft is growing at 70% compound per annum (see: https://bjs.ojp.gov/library/publications/victims-identity-theft-2021).
This means that in 2024 45% of the population can expect to fall victim to the crime and the scale of theft worldwide is likely to reach at least $250 billion.
Using open (unencrypted) email to send login and other personal data is only one vector for the crooks. Another is appalling data security by businesses who hold personal data – one example being the “Mother of all Breaches” (“MOAB” for short – see: https://www.entrepreneur.com/science-technology/what-business-leaders-need-to-know-about-the-mother-of-all/469510). In total, the unprotected database discovered open to anybody with access to the Internet contains 12TB of data comprising 26 billion personal data records.
Stop for a moment. Do some simple rough maths. Consider that the current global population is “only” 8 billion – less than half of whom have Internet access, and a further half of those are children (so a quarter – 2 billion people – affected) – and it quickly becomes obvious that the average Internet user appears in this data trove 13 times.
Who had left this database open to the Internet without so much as simple password protection? Nobody can tell for sure but the origins of the data are more easily identified. To quote from the Entrepreneur article:
“LinkedIn, Twitter.com, Tencent, Dropbox, Adobe, Canva, Telegram and other platforms. Government agencies in the U.S., Brazil, Germany, the Philippines, and Turkey are also among the organizations hit by the ‘mother of all breaches’”
It does not actually matter who (some shady data broker probably) collected and left in the open all this personal data. The common factor with use of unencrypted email to pass such data around is simple: human failure to use simple, well understood mechanisms and – to put it bluntly, simple common sense – to safeguard data while it is being transferred or stored.
Look at that list of corporations and government organisations who had let such sensitive data “escape”. Escape is entirely the wrong word. The correct phrase is “gave that sensitive data away”.
At the personal level, individuals must learn to make better choices of whom they entrust with their personal data, whether the data demanded is reasonable and actually necessary, and how they transmit that data. Open email is a definite no-no when it comes to transmitting personal data. Ensure that personal data is only ever sent by secure means – e.g. an HTTPS-encrypted web site being the simplest and most easily implemented safe method.
On a business level, enterprises big and small must learn that encouraging clients to transmit personal data in the open is straightforwardly illegal (certainly in jurisdictions such as Europe), and governments, in response to such a massive and rapidly growing crime, are cracking down on organisations who use or encourage the use of insecure mechanisms to pass personal data around – or fail to keep it secure once they have it. The risk to reputation and the financial compensation cost, should the source of a leak lead back to a business’ door, have the potential to cause enormous harm – perhaps on an existential threat level.
How can this enormous crime be stopped? Simple – everybody needs to take the time to stop giving personal data away. Whether it’s just responding to a demand from a company to supply personal data over an open channel, or it’s a global enterprise that cannot or will not train its staff and implement policies to fully secure personal data it holds in trust while moving it around, remember that there are armies of criminal hackers and “AI” bots constantly searching for personal data.
As people – individuals and corporations – have proven time and again that they are just too lazy and cavalier (I know – insulting, right? – but sadly true) to take the time and effort to stop this problem at source, it will probably take a few more $multi-million or $multi-billion fines to drill the need to act into most boardrooms; and on a personal level, it is perhaps time that banks and credit card companies stopped compensating clients for unauthorised use of their accounts when the client is essentially claiming compensation for burglary after they scattered copies of their house keys and alarm codes around the streets.
Returning to our tax filing company. The full story gets longer and worse. In short, they claimed they knew better than me (hope that admission never reaches a court room). My attempt to send the information they need in a password-encrypted ZIP file was prevented by the “G” email service they use – whose “advanced AI” (huh!) rejected the message, claiming they were protecting their users by refusing an “unsafe” (their claim) attachment.
Proof that alleged “AI”s are as dumb as the smallest microbes on the planet – and those who deploy them in decision making roles are equally stupid and deserving of whatever consequences befall them.
So, having access to my own public-facing secure cloud storage I created a new login and posted the document – all 152 bytes of it – to the server space and told the tax company to log in and collect it.
They did – while at the same time rudely and stupidly ignoring the advice (admittedly free – so worth what they were asked to pay for it … except the advice was being offered by somebody who does know what they are talking about) – repeating that they “already know all this stuff” and stating that they weren’t going to read it as it would only add to the charges they applied to me!
Begging the question, if they “already know all this” why haven’t they taken the simple steps to protect their company and its clients? Also begging to have those statements read back to them some day before a court or data protection registrar. A more open admission of arrogance, negligence and guilt can’t be imagined.
I doubt they will be getting any awards for customer service any time soon. In fact I doubt their business will survive for long.
ADVICE:
- To individuals: If you want the advantages the Internet can provide, learn how to use it safely and sensibly. It’s no more difficult than learning to drive without crashing, causing yourself injury and vehicle repair costs. Or, just remain one of the mindless millions and don’t whinge when your bank account gets emptied or a bailiff arrives at your door demanding repayment of a huge loan you never took out – or wants to evict you for non-payment of the 90% mortgage “you” took out on your home.
- To enterprises, large or small: Don’t be arrogant. Don’t be lazy. Start today to examine all your data collection, processing and storage procedures to ensure they follow common sense and certainly comply with all law and regulation. This is NOT a simple risk management matter that can be delegated down the line. This is a board level matter and almost certainly involves retraining of everybody in the organisation – e.g. ask how many staff understand and can explain the differences between (hopefully) secure internal email and external email. Ask your IT Director to write down (he/she should know them all by heart) the names of every member of staff with access to move any personal data out of the building or “safe zone”. Then have an independent IT auditor answer the same question. When you get the results back, start to get really worried – and hopefully start to understand how big-name enterprise data gets published on open, publicly accessible servers.
The simple fact is that data does not “escape” into the public domain because of program bugs (or whatever other shades of wool someone might attempt to pull across your eyes). It “escapes” because some human error, laziness, lack of training or negligence gave it away.
If you want to stop it happening, then take the time to educate yourself, first accept responsibility, then put in place an effective plan to educate and control how data that belongs to you or your company, or has been entrusted to it, becomes effectively secured.