Another week has gone by and there are new data compromises for the Identity Theft Resource Center (ITRC) to educate businesses and consumers on in our “Weekly Breach Breakdown” podcast. Since 2005, the ITRC has tracked publicly-notified data breaches and has tracked over 10,000 breaches since then; using 25 different information fields and 63 different identity attributes that are updated daily. This week the ITRC is focusing on three different events that defy the traditional definition of a data breach.
The first non-traditional data compromise comes from what is known as a supply chain attack – where threat actors don’t attack an organization directly to steal data, but to instead find a vendor with weak security. In this particular case, hacktivist group “Anonymous” breached a web development firm and stole more than one million records from various law enforcement agencies that were stored in the company’s system. Anonymous turned the information over to leak-focused activist group, “Distributed Denial of Secrets,” who then published the 269-gigabytes of stolen data as part of the national protests focusing on police actions. Investigative files from over 200 local, state and federal law enforcement agencies were exposed, including emails, audio, video and intelligence documents.
It is important that businesses understand that while they may have cybersecurity practices that are nearly perfect, they do not matter if their vendors do not. Businesses should hold their suppliers to the same high security standards. That is good cybersecurity policy and, increasingly, it is the law.
The second non-traditional data compromise might not meet the definition of a data breach, as it included information being removed from the computer system where it was stored. There is a lot of unknown information regarding this data compromise. However, we do know that billions of records about individual consumers were exposed for nine months on the internet for anyone to see, all because someone forgot to add a password to a massive marketing database operated by BlueKai and a sister company, both owned by Oracle.
BlueKai is a marketing data firm that uses website cookies and other trafficking technology to follow people around the internet; reportedly more than one percent of all internet traffic flows through BlueKai’s system. Knowing which websites people visit allows marketers who use BlueKai to learn as much as possible about those people — including their income, education, political views and buying habits – to target them with ads that match their interests.
Online publication TechCrunch reviewed the data uncovered by a security researcher and found names, addresses, email addresses and other personal information in the open database. The data also revealed users’ sensitive web browsing activities, ranging from purchases to newsletter unsubscribes in, so far, the largest data compromise in 2020. In a statement, Oracle said it determined BlueKai and the sister company did not properly configure their services and additional measures were taken to avoid a repeat occurrence. However, Oracle has not indicated that billions of records were taken by anyone, a requirement to trigger a mandatory data breach notification to impacted consumers.
If someone’s business collects, uses and maintains information about consumers, they need to make sure they have the right cybersecurity and privacy protection tools in place; and that their security team configures the password feature on the database. They should also brush up on the latest data privacy and security laws and regulations that apply to them since they change rapidly.
The third and final non-traditional data compromise highlights the people who steal data to commit identity crimes and how crafty they can be. They are always looking for new and creative ways to separate people and businesses from their information and money. In this particular case, cybercriminals have been publishing fake data breach notifications online to spread malware or operate scams to steal personal information. For more information, click here.
Fortunately, there is a way to verify whether or not a data breach notification is real. Businesses and consumers can contact the ITRC via live-chat to speak with an expert advisor or they can call toll-free at 888.400.5530. Victims are also encouraged to reach out to an advisor. Advisors will help answer any questions people may have and help them create an action plan customized to their needs. Victims can also download the free ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.
Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.
You might also like…