The Eternal Leak: How Regulators Fight Personal Data Drain

Leaks of personal data (PD) belonging to users of social networks and web services are discussed in the media more and more often. Probably everyone has heard the story of Cambridge Analytica, an analytics company that managed to acquire the personal data of 87 million Facebook users (including data on Mark Zuckerberg himself).

However, there are less well-known PD leaks of no smaller scale. Let's look at a few examples and talk about the measures regulators and IT companies are taking in an attempt to prevent such incidents.


Photo: Mike Rickard, CC

The situation with leaks of personal data


In 2016, the number of PD theft cases grew by 40% compared with the year before. In late spring 2016, hackers put 360 million MySpace user credentials up for sale. The same fate befell 164 million e-mail addresses and passwords from the social network LinkedIn and 100 million accounts of vk.com users.

And the "volume" of leaks keeps growing. According to the information security company InfoWatch, in the first half of 2017, 7.78 billion records containing personal and payment information of users of international services were compromised. This is almost eight times more than in the first half of 2016 (1.06 billion) and twice as many as in the whole of 2016 (3 billion). Moreover, leaks are caused both by hackers and by company employees, whether intentionally or not.

For example, hackers were behind the leak of Yahoo user data several years ago. In 2014, they stole the personal data of more than 500 million users of the service. According to the company, names, addresses and telephone numbers, as well as dates of birth, could have "leaked". Later it turned out that in 2013 there had been another, more serious hack, in which hackers obtained information on more than 1 billion Yahoo users, including passwords and answers to security questions.

In the case of the analytics company LocalBlox, which became known a couple of months ago, the data was "drained" by the company's own employees. LocalBlox collected data on users of several social networks at once: Facebook, LinkedIn, Twitter and Zillow. The data included first and last names, links to social network accounts, addresses, dates of birth, e-mail addresses and telephone numbers, salaries, interests and much more. The entire "dataset" of 48 million people (1.2 terabytes in size) was left in publicly accessible Amazon cloud storage. It was discovered by employees of UpGuard, a company that deals with cybersecurity issues.

Nor can one ignore the Equifax incident, which has been called the "worst leak". In 2017, the Social Security numbers, credit card numbers and driver's license numbers kept by the credit bureau fell into the hands of intruders. In total, 143 million customers were affected.

There are also cases in which data brokers were involved in leaks of users' PD. In 2011, the marketing company Epsilon was hacked. The e-mail addresses of millions of people ended up online, and their owners were subjected to a series of phishing and spam attacks. And in 2015, Experian was hacked, with hackers "leaking" the personal information of 15 million users.

To reduce the damage from similar incidents in the future, American telecommunications companies have even decided to stop selling customers' location data to brokers. We wrote more about this in one of our past blog posts.

Tightening standards: a solution or a new round of contradictions?


Many experts and politicians around the world agree that the past cases of leaks and thefts demonstrate the need for tighter state control over how users' PD is stored, distributed and protected. One of the best-known laws passed recently is the GDPR.

The GDPR is meant to give EU citizens more control over the data that various online services request from them. In particular, users can now prohibit social networks from distributing their personal data without their knowledge and demand information on how that data is used.

Companies that violate the requirements face serious fines, which can reach 20 million euros or 4% of annual turnover. Many services have therefore already changed their privacy policies accordingly and introduced new features. For example, to meet the requirements of the GDPR, WhatsApp added the ability to request account information: settings, profile photos, group names, and so on. Instagram announced a new data export option. We have prepared a separate piece on other changes in the policies of media companies.

Regulators also set the time frame within which a company must report the "loss" of personal data. Under the GDPR, this "window" is 72 hours after a "drain" is detected.


Photo: Descrier, CC

In different countries, and even in different US states, regulators set their own rules for incident reporting. For example, in Florida and Colorado, regulators must be notified within 30 days of a leak. At the same time, according to research, it currently takes American companies an average of 206 days to detect the loss of confidential information. Therefore, as the research firm Ponemon notes, companies will have to do better.

A company that conceals a leak or hack that has occurred risks a large fine. At the end of April 2018, the US Securities and Exchange Commission announced that Altaba (formerly Yahoo) had to pay a penalty for keeping quiet about the 2014 personal data leak. The fine (for concealing the scale of the theft, not for the breach itself) amounted to $35 million.

In Russia, fines for violations in the processing of PD are smaller. However, regulation may soon follow in the footsteps of the West: the country's authorities plan to introduce insurance against the risk of personal data leaks. The fate of this initiative should be decided this month.

Whether such government projects will prove effective in the long run, and how they will affect users' online lives, remains to be seen. There are still bills in this area whose fate is not so simple, as with the recent EU copyright reform, which the European Parliament rejected this week.



Source: https://habr.com/ru/post/416463/
