Everyone Knows Your Secret

Who Cares? If your personal identifiable data is stolen... Who gains from this in the first place and do I really need to worry about it? Because my data is being stolen every week.

Yesterday's LA Times report stated that hackers may have stolen every American, Canadian, and UK citizen's social security number. Here are three perspectives to consider and why data loss is changing the world.

Average Joe

The everyday American citizen is not a cyber expert, more than half of Americans are not tech savvy and routinely fall for victim to social engineering in the form of fake emails solicitations and phone calls. Phishing works. Have you ever heard the following question?

Can you please verify your information?

I am often concerned about this question because I know that with my date of birth, social security number, phone and address...a lot can be done by criminals to open false accounts or to pose as me for other unauthorized actions. Luckily cybersecurity experts have been making us use multi-factor authentication to login to sensitive accounts. For the everyday American, it sounds like we have a data breach so often that they no longer make headlines. Most of the people I talk with are frustrated about feeling powerless to safeguard their personal information and the common rely I get is, "What's the point of doing anything? They (hackers) already have it." Sadly, there is some truth in this statement. Through the combination of public records, paid data bases (think about background checks), and hacked information, virtually all of your private information is compromised.

Criminal syndicates have a business of your data. They sell it, re-sell it, and use it to exploit you when you aren't paying attention. Although your personal information never changes, somethings do change, like your bank account, your job, the size of your family, your purchase history, and with it your cyber profile changes. Therefore, the data collected needs to be refreshed because people do change phone numbers and emails more frequently now than in the past. All of this explains in part, why your data is constantly being stolen and sold again and again. You may be thinking, okay...that's all fine but I'm not worried about it.

Your data is being aggregated to create a profile which is evident in marketing and social media. We know that large corporate companies are collecting data to "meet your needs" and suggest items that you may be interested it even though you haven't expressed that interest yet. Statistically, this is the great beauty of AI at work in the future because with enough data points about consumers...your decisions may not even belong to you as much as you think they do and psychology proves this through heuristics and primers. Unwanted solicitations or suggestions as marketers call them, are adds designed to prime you for future purchases. Fine. Let's accept that this is part of modern digital life. However, when life changes and you find yourself in a stressful or unexplored territory, this is when your behaviors change because you are perceiving the need to do things differently.

Criminals see this behavior change, too. And this is why suddenly your profile matches with the type of person who might be susceptible to a phone call scam about healthcare because you lost your job or a scam about credit because you have a newborn and your credit cards are maxed out.

How many times have you taken the call, answered the questions, just find out that you don't qualify or that you could qualify under a special program?

Raise the red flag. If you don't think criminals are watching...they are and your data is your secret but it is no longer a secret. With enough data and emerging cyber tools, statistical calculations (AI algorithms) are being created to identify when you are most vulnerable to exploitation. Criminals are motivated by money and this is their business. Understanding their methods of operation, tactics, and ploys will help you protect yourself and others. Educate your family and friends because sitting in silence only aids criminal activity.

National Security

Large scale data breaches are the perfect storm of personal data and while China, Russia, Israel, Iran, or other "friendly" nations may not be targeting you...they have your data. From their standpoint and from ours, knowing who is crossing boarders or attempting to enter your country has become an increasingly important topic. Now imagine, as you make that connecting flight onward to your final destination and you pass through security, customs, or immigration what has just transpired? You have provided facial recognition, personal data (passport or ID), and potentially biometric (finger, hand, or eye scan). All of these pieces of data are now together creating your identity. Match that with the compromised data breach information and we have a complete picture of you and your spending habits, online habits, and preferences.

Nation states use this information to one, identify you, and two, assess you for threat or exploitation. Most people are not aware of these seemingly passive collections and even agree to them when traveling because they are required to move about. Yet, the nation states purchase your data or steal it to aggregate and understand who you are, what you do, and if you have anything of value to them. As the geopolitical landscape shifts and the economy changes, so do the interests of the nation state. Owning your data puts them in a position to exploit those who may have access to information.

We are not talking about top secret data here, we are talking about intellectual property and proprietary data that businesses own.

China's well known of its economic espionage campaigns. Their efforts have led to quantum advances in their technology and manufacturing. At a national level, data loss or theft creates poor economic conditions which at the lowest level means greater competition and lower margins. These conditions lead to increased volatility in jobs, which is why we see so many large companies laying off thousands of employees. Data breaches at companies happen many ways but one of the most significant way is through phishing and credential compromise. Could you be the weak link? Yes! because all your other seemingly useless data has been stolen, now nation states can run an effective social engineering campaign against you to compromise the systems you use at the office or for work and gain access to confidential data.

I recently saw an a scam that was perpetrated using the National Observatory of Athens in Greece. The legitimacy of the email seemed okay because it was originating from the NOA domain but in fact this was a compromised or legacy account which the hacker was using to obfuscate their true location and identity. Sometimes complex schemes take time to unfold because they require a bunch of smaller compromises to occur first. In this case, no doubt an employee at NOA was compromised, probably someone with admin privileges and a false email account was set up to forward responses to another account which could be shutoff if needed. If you've received phishing or scam attempts, your data has been stolen at some point.

Society

The larger implications of these large data breaches is more severe than you might think and has led the EU to implement GDPR (Global Data & Protection Regulation) in an effort to respond to privacy. The State of California Consumer Privacy Act (CCPA) https://oag.ca.gov/privacy/ccpa and the US federal government have put policies in place to protect data privacy. However, these measures have not truly resulted in the protection of your data. They help...but they are only one step in the bigger picture of global digitally connected society. Your data is housed all over the world which means that all the laws and governance over your data are not equal. They are not enforced the same way, they are not applied evenly, and they do not take into consideration your opinion because you are not a voting constituent in their country. Other nations don't care about your data.

Where is this leading us?

Complex large scale problems often result in a sweeping reform that over reaches and if we are not careful, will result in greater digital control over our personal decisions and choices. It will happen in the name of safety and security which will be good but if applied the wrong way could lead to the unintended consequences of what we see in China today with their social credit system (https://www.technologyreview.com/2022/11/22/1063605/china-announced-a-new-social-credit-law-what-does-it-mean/ ). A new paradigm of data privacy and governance is needed.

Data is a currency of exchange. Protecting it is everyone's responsibility.

There is hope...more of a consolation really, but everyday Americans could make a few changes in their cyber/online behaviors and practices which would add difficulty to accessing or hacking data. The real challenge is in educating EVERYONE about the risks of data loss, what they can do themselves, and why it matters. Most people are not overly concerned about a problem that seems to affect everyone but not them. It is just a matter of time. In a world designed to remove barriers to connect...there must also be awareness about how and when to connect.

Protecting our data by changing passwords, reporting compromises, and using good cyber hygiene (https://www.cisa.gov/cyber-hygiene-services ) is the best way anyone can help themselves. Choosing to limit what mega companies can collect about your cyber/online activities is the next great mountain that society will have to climb because the risk is that at some point corporations will own more data and thereby influence that governments. Both scenarios should be limited with checks and balances. Otherwise misuse of your data will occur to exploit your through influence and psychological warfare. We are seeing the struggle of social media misuses over the past 10 years combined with "targeted" marketing and it is equating to a personal risk: free will.

Education is the best way for all Americans to understand and apply sound judgement regarding data, privacy, and information.

If your secret is out...then everyone knows your secret and that means you are compromised. And we have all been compromised...