Carelessness, negligence, recklessness, incompetence still is the summary of the attitude to the safety and security of data in a few words. Everywhere on the globe, data arrays are collected, accumulated and stored in such ways and in forms that are convenient for those who use them, and the threats of loss and misuse are overshadowed by the race for profit and the narrow interests of state and corporate structures.
Alarm bells have been heard for a long time: global leakage of personal data is happening more and more often; the amount of information flowing away to attackers or simply becoming accessible to anyone is growing. Here BNT presents a few illustrations of this statement: hacks, thefts and facts of the discovery of personal data in the public domain of recent times.
4.9 million customers, workers and sellers — these people’s data became available to outsiders as a result of the actions of an “unauthorized third party”. The information that leaked includes names, phone numbers, delivery addresses, the last four digits of bank cards, the last four digits of bank accounts, order history, driver’s license numbers and hashed logins and passwords.
A leak was discovered on May 4, 2019 — among the victims were users and sellers which registered in the service before April 5, 2018. The company took measures to block access to the data of its customers for unauthorized third parties, consulted with experts in the field of security and strengthened measures to control information.
Computer security experts discovered 60 million credit cards of the largest Russian bank on the black market — at least, the seller claimed this amount. An investigation conducted by law enforcement agencies together with the organization’s security service revealed the culprit of the leak: the head of one of the bank’s departments, who later was arrested.
Sberbank re-issued active credit cards. The total number of active Sberbank cards in circulation is about 18 million. However, there are doubts that a simple re-issue of cards will eliminate problems for customers whose data has been compromised. Name and surname, passport number, address and place of work, date of birth, home address, credit limit — all this information has leaked. A simple re-issue of the card will not deprive criminals of this information.
In September, a lawsuit was filed in a court in New York against this company, which alleged that Dunkin 'Donuts had known, but hadn’t taken action, and had not warned customers about the vulnerability of their user data storage systems to hacker attacks. It is reported that the company issued special loyalty cards that their customers could use for purchases. In order to use these cards, they had to be registered in personal accounts and connected to bank accounts or cards.
In 2015, hacker attacks began on users' personal dashboards, as a result of which attackers became aware of data tied to accounts. As a result of these actions, about 20 thousand people were affected.
The graphic web service developed by the Australian company was attacked in May this year. Attackers gained access to the database of service users. The personal information of clients falling into the hands of hackers includes usernames, logins, email addresses, countries of residence, addresses of personal websites and hashed passwords.
The number of users in the database is 139 million. It is also reported that attackers could view information about bank cards of service customers who registered before September 28, 2016, where one could see the payment history, the last four digits of the number, owner’s name, expiration date and the name of the company that issued the card. It is said that all this data was not downloaded by hackers, they simply could view them.
A complex hacker attack on the Bulgarian tax service servers cost the leak of personal data of more than five million residents in June this year. It is reported that several servers were hacked, and the amount of stolen data from many databases allows to estimate that all adult residents of Bulgaria were affected.
Accusations made by the press against the ubiquitous Russian hackers can be considered quite curious: the conclusion was made on the basis that the letter from the attacker who offered to sell the stolen data was sent from a Russian postal service.
What needs to happen so that the need for their implementation becomes apparent at the state level? Perhaps future much larger and more destructive leaks will become such an incentive.