How sensitive is your non-sensitive data?

In today’s digital world, keeping private data such as emails, phone numbers, names, addresses or IP addresses safe from theft or exposure is not as easy as putting a lock on a door. The ability to share, store and transmit sensitive data across computer systems has a flip side, and we have run into it.

Even taking every precaution doesn’t guarantee the safety of your personal information. There are many ways in which your identifying data or online account information can end up stored by another individual or in a company’s data management system, which makes it vulnerable to leakage. Once you’ve decided to share even a tiny bit of your personal information, your privacy is over.

One might think that such non-sensitive data as email addresses is no big deal; however, it can lead to phishing attacks and, consequently, to a data breach. Of course, the textbook example of sensitive data, credit card information, is considered more confidential, but that doesn’t mean email addresses don’t need protection.

Read more at: https://blog.hacken.io/how-sensitive-is-your-non-sensitive-data

October findings: “Non-sensitive data” databases with more than 120M records

It appears that it’s not a problem at all to gain access to databases containing the personal information of individuals. Although the data stored there is not considered sensitive, the fact that it can be accessed by anyone, including cybercriminals, is shocking. In October alone we found and reported three large databases with more than 120 million records combined:

  • The first one was simply called “database” and contained what looked like scraped LinkedIn-related data: 49 million records in total, hosted on two IPs. Data fields included full name, personal email, location, skills and employment history (as taken from the LinkedIn profile). No owner of the MongoDB-hosted database could be identified, due to the lack of recognizable patterns in the dataset structure.
  • Another database was operated by a Florida-based company specializing in job search aggregation. More than 22 million records were hosted on a publicly accessible Elasticsearch instance. Data included email, IP, full name and the area where the candidate would seek a job.
  • The third database contained around 48 million records with a person’s name, work email, phone number and employee details.

Part of this data has since been uploaded to Have I Been Pwned, so you can check whether your profile has been scraped.

Interestingly, none of the databases contained sensitive personal data such as credit card details or passwords. But they did contain a lot of private information: professional background, names, phone numbers, emails, addresses and even IPs.
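The three finds above share one root cause: a MongoDB or Elasticsearch instance reachable from the Internet with no authentication in front of it. As an added example (not from the original article), here is a small Python audit that flags that pattern in a mongod.conf or elasticsearch.yml, run against constructed weak and hardened configs; the sample configs and the minimal parser are assumptions, not anything taken from the databases described.

```python
"""Flag the 'public bind, no auth' pattern in mongod.conf / elasticsearch.yml.
Constructed sample configs; the parser covers only the YAML subset they use."""
PUBLIC_BINDS = {"0.0.0.0", "::", "_site_", "_global_"}

# Constructed weak and hardened configs (not from any real deployment).
WEAK_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n# no security section\n"
HARDENED_MONGOD = "net:\n  bindIp: 127.0.0.1,10.0.0.5\nsecurity:\n  authorization: enabled\n"
WEAK_ES = "cluster.name: jobs-index\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED_ES = WEAK_ES + "xpack.security.enabled: true\n"

def parse_simple_yaml(text):
    """Flatten 'key: value' YAML with 2-space nesting into dotted keys."""
    result, stack = {}, []  # stack of (indent, key) for the current nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # climb out of deeper levels
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            result[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))  # a section header, not a leaf
    return result

def audit_mongod(text):
    """Flag mongod listening on a public interface without authorization."""
    cfg = parse_simple_yaml(text)
    binds = {b.strip() for b in cfg.get("net.bindIp", "127.0.0.1").split(",")}
    public = bool(binds & PUBLIC_BINDS) or cfg.get("net.bindIpAll") == "true"
    auth_on = cfg.get("security.authorization") == "enabled"  # default: disabled
    msg = "mongod: public bindIp without security.authorization: enabled"
    return [msg] if public and not auth_on else []

def audit_elasticsearch(text):
    """Flag Elasticsearch bound to a non-loopback address with security off."""
    cfg = parse_simple_yaml(text)
    host = cfg.get("network.host", "_local_")  # default binds loopback only
    public = host in PUBLIC_BINDS or (host[0].isdigit() and not host.startswith("127."))
    # The default of xpack.security.enabled differs by version; only explicit 'true' counts.
    sec_on = cfg.get("xpack.security.enabled", "false").lower() == "true"
    msg = "elasticsearch: public network.host without xpack.security.enabled: true"
    return [msg] if public and not sec_on else []

if __name__ == "__main__":
    print(audit_mongod(WEAK_MONGOD), audit_elasticsearch(WEAK_ES))  # hardened ones return []
```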

The question is: is that really safe?

Scraping your data

Nowadays information is priceless, and while some think of legal ways to gather it, malicious users are always searching for new ways to bypass data security controls and use individuals’ private information for their own purposes.

One of the most widely used methods of gathering data from the Internet is web scraping, or data scraping. Basically, the term covers a variety of methods for collecting data from the Internet using software that simulates user browsing behaviour. While it may not seem that serious, data scraping is quite controversial because of the potential exposure of sensitive data and breach of confidentiality. By the way, web scraping is easily confused with web crawling, which is an entirely different thing.

In web crawling, the targeted web page data is downloaded automatically by applications called crawlers (for example, Googlebot). The crawling process creates a searchable index or database and is generally used to build search engines.

Is web scraping legal or not?

To cut a long story short, scraping data without the individual’s prior written consent, or in disregard of the Terms of Service, is illegal. But it’s not that simple, and the answer can differ from case to case. It depends on how the extracted data will be used. It also matters whether the information was obtained manually or via software. Since the data displayed on websites is meant for public consumption, it is legal to copy the information to a file on your personal computer.

However, if the information is used in any way that goes against the interests of the owner, then it’s totally illegal.

Data scraping is apparently an easy way to steal confidential data from web pages that do not take the necessary steps to protect sensitive data. Of course, there are things all of us can do to make sure private information isn’t stolen by cybercriminals or scammers. Here are some of them:

  • Try to provide the bare minimum of required information when creating a profile or an account;
  • Analyze whether the data you plan on making public can be used to harm you in any way;
  • Use different email addresses and passwords for your bank versus social network accounts;
  • Consider any other private information you’ve already shared online and whether this information combined with the one you’re making public now can be potentially risky;
  • Always read the Terms of Service before you agree to them. Check what private information you agree to share with other websites or applications;
  • Contact the website’s support to make sure their sensitive data storage is reliable.

What is the GDPR?

When you hear the term ‘personal data’, the GDPR, or General Data Protection Regulation, immediately applies. In force since 25th May 2018, the law provides data protection and privacy for all individuals within the European Union and the European Economic Area, and also governs the export of their personal data outside those areas.

This means that gathering, processing, selling and buying the private information of citizens of those areas is illegal without their prior written consent. The GDPR can also apply to a business operating in the USA. Non-compliance and exposure of GDPR-protected personal data (name, address, phone number, email address, IP, job title, cookies, etc.) lead to significant fines, which can reach 20 million euro.

Conclusion

Nowadays many aspects of our lives are connected to the Internet: social networks, cloud services, bank accounts, email, online shops, etc. That means a lot of your confidential information is at potential risk. It may seem that such non-sensitive data as an email address, phone number or IP is not as important as credit card details.

But let’s think objectively. What does your mailbox contain? Scan through every sent or received email and attachment. The reality is that we keep it all in one place: contacts, tax forms, invoices, photos, password resets for every one of your accounts, or even credit card PINs! We don’t even realize that a malicious actor can get access to all of that and take advantage of it just by compromising an email account.

Cybercriminals can use that private information to steal your identity and carry out financial transactions in your name, take out loans, open bank accounts, etc. With access to your calendar, planner or travel itinerary they can basically do anything, from breaking into your house to something even worse. Don’t let the idea that it can only happen to a celebrity or an important CEO mislead you. The reality is that one in four email accounts gets hacked. Forewarned is forearmed.

With all that said, do you still think that your non-sensitive data is that non-sensitive?

Information for editors

Hacken Ecosystem is a community-driven business organization, consisting of the HackenHubHackIT cybersecurity forum, HackenProof bug bounty platform, and Crypto Exchange Ranks.

Contact me: [email protected]

More articles by Volodymyr "Bob" Diachenko