Personal data leakage (PD)
A modern person hands over personal data every day: to the security guard at the entrance to a business center, to a shop assistant when signing up for a loyalty card, when arranging an installment plan at a bank, or when ordering goods online. A few days later, that person is bombarded with mailings offering a visit to a hair salon or tickets to a concert or the theater. Where do spammers get the contact details? Most often, they obtain customer databases from unscrupulous employees.
The PwC Analytics Center conducted a study on the security of personal data in the world, including Russia. The research results are as follows:
- The largest increase in the number of personal data leaks - by almost 50% - was recorded in 2014. A year later, the increase was 40%.
- According to information received from ten thousand top managers from 127 countries, in 2015 there were 60 million data leaks.
- The cumulative damage from leaks of protected personal data was two and a half million dollars.
- Most of the leaks were caused by employees: current (35%) and former (30%).
- Another source of leaks is contractors, who are responsible for 22% of data thefts.
- Companies spent $5 million in 2017 to protect personal information.
- In Russia, personal data is the least protected type of information; over two years, the share of leaks involving personal data has grown from 65% to 81%.
Examples of personal information leaks
Since 2007, the international community has marked International Data Protection Day on January 28. It is an occasion to stress how important it is to protect personal data, given that neither private companies nor government agencies in any country are immune to leaks of confidential information. Here are just a few cases of personal data leakage ...
... at the pharmacy
An online pharmacy in the UK holding a National Health Service (NHS) certificate illegally sold the personal data of at least 20,000 customers without their consent. Lottery scammers obtained the data of three thousand pensioners. The misconduct cost the pharmacy a £130,000 fine.
A former prison guard herself ended up behind bars for divulging information about George Michael. In 2010 the singer was sentenced to eight months in prison for driving under the influence of drugs, and he served the last part of the term in Highpoint prison. Thanks to the guard, journalists received information about the singer and the best angle for a photo. For selling this exclusive information to the tabloid The Sun, the prison employee earned two thousand pounds - and 12 months in prison.
... in the bank
Copies of passports and bank agreements ended up in a trash can in the very center of Nizhny Novgorod. A folder of documents containing the personal data of the bank's clients was found next to the bank's branch by a resident of the city. The improper storage of customer data was reported by the local media, which obtained a video of the find.
... in the management company
A management company in Ulan-Ude called "Uyut-Plus" had to pay an administrative fine for posting lists of tenants in arrears in the entrances of the buildings it manages. The organization's actions contradicted Article 7 of the Federal Law "On Personal Data", under which employees of organizations who have gained access to citizens' personal data may not distribute it or transfer it to third parties without the permission of the data subjects.
... in an internet company
The online giant Amazon was accused of systematically leaking users' personal data. The leak was revealed by a blogger and former customer of the service, who is convinced that Amazon customer support was responsible for handing data to the attackers. The customer noticed that messages had been exchanged with the support service from his account, although he himself had never contacted it. He discovered that the attackers had obtained his address and phone number from Amazon. That data would have been enough for the scammers to obtain a copy of the victim's credit card. The user then contacted support and asked for a warning note to be attached to his account on the store's website, but the company did not fulfill the request. Meanwhile, requests made on his behalf continued, so the user deleted his Amazon account.
... on the game resource
The personal data of about six million users of the Nexus Mods website ended up in the public domain because three of the site's authors had set simple passwords. Using these weakly protected accounts, the attackers uploaded malware to Nexus Mods, which they used to steal user data. The stolen database contained e-mail addresses, hashes and passwords. After identifying the incident, the support service asked users to change their passwords.
... in an insurance company
The American insurance company Centene lost six hard drives containing the personal data of 950,000 citizens. Moreover, Centene's management did not even say whether the data on the drives was encrypted. The lost databases contained names, dates of birth, residential addresses, insurance policy numbers, passport details and health information. The quality and type of the missing data would allow fraudsters to use it for various purposes, such as blackmail and phishing attacks.
... in the retail network
Hackers obtained logins and passwords and gained access to the data of five thousand customers of the Neiman Marcus Group retail chain. After reporting the leak, the company's management advised customers not to use identical credentials on other websites. It was precisely this habit that the cybercriminals exploited: they tried e-mail addresses and passwords obtained from other resources. As a result, the hackers stole users' personal data and financial information: names, addresses, contact numbers and the last four digits of bank card numbers. Scammers used 70 accounts to make purchases. However, the purchases were canceled and the money was returned to the affected customers.
... in the marketplace
Due to the actions of Chinese hackers, 20 million active customer accounts of the Taobao marketplace, owned by Alibaba Group, were compromised. The attackers used the leaked accounts to make fake purchases and resold them to other scammers. Alibaba Group's management was able to detect the leak at an early stage and prevent data theft. Users were asked to change their passwords, and the attackers were detained.
... in financial firms
Bank card and checking account details were sold for £1.67 each on Bestvalid.cc. Alongside the financial information collected from various sources, the attackers also pass on the confidential details used when making purchases, which opens up additional opportunities for fraud in the victim's name. The sale listing remained on the site for six months, yet no law enforcement officer took an interest in the offer. Every year the UK economy loses about 27 billion pounds to such incidents.
How to protect against personal data leakage?
The State Duma adopted in the first reading amendments to the Administrative Offenses Code and the Federal Law "On Personal Data", initiated by Senator Valentina Matvienko five years ago. Once adopted, the amendments will oblige employees who process personal information to notify a specialized service of all incidents involving personal data leakage. The notification procedure is still being developed; legislators want to coordinate the mechanism with data operators.
The amendments are expected to allow data subjects to remotely give or withdraw consent to the processing of their personal data, and to allow operators to identify the data subject.
If the initiative is finally approved, government agencies will have the right to process personal data without citizens' consent in order to provide an established list of services. Operators will be able to transfer personal data when the terms of the user agreement or the operating rules guarantee its adequate protection. In this way, the amendments will legalize, for example, the operation of cloud services.
By the end of 2018, further amendments to the legislation are planned, which will reduce the amount of personal data processed by state information systems. These amendments provide for the mandatory identification and registration of entities that process personal data, monitoring of their work, and a unified data processing procedure.
The draft of the Digital Economy program, prepared by the Ministry of Communications, provided for the creation in 2019 of a portal where every citizen can track where and to whom they have given personal data, and can prohibit the use of their own personal data. Roskomnadzor will coordinate the work of the Internet resource that processes personal data. Such innovations are explained by the need for constant monitoring of the collection and processing of personal information.