25 November 2019 (Paris, France) – Yes, I know. Yet another data breach story. They have become like rain water off the windshield of a car speeding down the information superhighway. But take a peak at “Unsecured Server Exposes 4 Billion Records, 1.2 Billion People“. And it’s a doozy because the victims in this case have not been notified because … well, nobody knows who was operating the server in question. Oh, the technology web we have weaved. Tis a veil of tears.
The write up states:
The data itself comes from the data aggregator and enrichment companies People Data Labs and OxyData.Io and contains basic personal information, such as names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.
The write up points out that the data losses included:
• Over 1.5 billion unique people, including close to 260 million in the U.S.
• Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada
• Over 420 million LinkedIn URLs
• Over 1 billion Facebook URLs and IDs
• 400 million plus phone numbers with more than 200 million U.S.-based valid cell phone numbers
The hosting provider may have been Amazon AWS. The software system was Elasticsearch. The individuals were those who set up the system.
Without replowing a somewhat rocky field, one might suggest that default settings for cloud services, software, and passwords need a rethink. One might want to think about the staff assigned to the job of setting up the system. One might want to think about the sources of the information the company named in the article tapped. In short, one could think about quite a few points of failure.
Another approach might be to raise the question of responsibility. I suppose this is a type of governance, a term which refers to figuring out what’s to be done and how to complete tasks without creating this all-too-common situation of whizzy tech systems that merely function as convenience stores for those who want data.
A few observations:
First, the individuals involved in setting up this system were not, it seems, managed particularly well. That’s a problem when managers don’t know what to stipulate their contractors and employees must do to secure online services. These “individuals” work at different organizations. Thus, coordination and checks are difficult. But the alternative? Loss of data.
Second, the developers of the software understand the security implications of certain user actions. The fix is to purchase additional security. Security is not baked in. Security is an option. That approach may generate revenue, but the quest for revenue seems to have a downside: loss of data.
Third, the operators of the cloud system continue to follow the “just a platform” approach to business. The idea is that the functionality of a cloud system makes it easy to deploy an application. In a hurry? No problem. Use the basics. Want something special? That takes time, and when done in a careless or partial way, loss of data.
It seems that “loss of data” may be preventable but loss of data now seems to be part of the standard operating procedure in the present managerial environment. How does the problem become lessened? Governance. Will companies and individuals step up and go through the difficult task of figuring out what and how before losing data?
Eh, I’m a cynic. It is unlikely. Painful lessons like the one revealed in the source article above are just like I said – slipping like rain water off the windshield of a car speeding down the information superhighway. Dangerous? Sure. Will drivers slow down? Nope. The explanation after an accident was, “I don’t know. The car just skidded.” There’s insurance for automobile accidents. For cloud data wrecks, no consequences of a meaningful nature yet. Just some curmudgeons writing blog posts.
I just finished a marathon run which I told myself I would not do this year (but the invitations kept coming in): a 3 week trip to the States which was preceded by a dash through Cologne, Lisbon and Paris – hitting six conferences that ranged across cyber security, data journalism, digitisation, enterprise search, and weaponised disinformation. It afforded me the opportunity to understand more clearly the tendrils of the Dark Web, security lapses, cyber security chimera, and data governance. And the unfathomable power of the technology driving weaponized disinformation. More to come.