The creepy truth about where your information goes in a big data breach

The noted Swiss psychiatrist, Carl Gustav Jung, who’s credited with creating the field of analytical psychology, observed in 1933, when talking about human nature, that duality is a fact of life. “Every good quality has its bad side, and nothing that is good can come into the world without directly producing a corresponding evil. This is a painful fact.” What does this have to do with the internet, modern technology and data breaches? A lot it seems.

Want an easier way to find a ride? There’s Uber or Lyft. Want to check your credit score or dispute an inaccuracy? There’s Equifax. Do you like selling things online? Try eBay. Feel like managing your banking and portfolio information from the comfort of your chair? JPMorgan has an app for that. Looking for a good deal online and in-person? Maybe Target has the answer.


Of course, if you want to stay in touch with your friends and share pictures, memories and more, Facebook is the platform of choice. Want to book a weekend get-away? There are plenty of places Marriott can take you. If you’re looking for an easy way to email, then Yahoo and Gmail will definitely make your life easier.

Many of us willingly sign up for free services, and give away our personal data, because the tradeoffs are applications and technologies that make our lives easier. These companies have answered the age-old sales question of “What’s in it for me?” — what these same companies don’t tell you is what else is in store for you.

You’re signing up for data breaches, sale of your personally identifiable information, and furthering espionage by our adversaries.

Every company listed above has had a major data breach. Every one. Breached companies quickly put out the obligatory press release that usually follows a specific template:

  • First, blame someone, like Equifax did in 2017: “Criminals exploited a U.S. website application vulnerability to gain access to certain files.”
  • Second, tell the public what didn’t happen, regardless of how irrelevant the finding is: “The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.”
  • Third, demonstrate your heroic response to discovery of the breach: “Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion.”
  • Fourth, make sure to wave the flag and demonstrate your unwavering commitment to cooperation: “Equifax also reported the criminal access to law enforcement and continues to work with authorities.”
  • Fifth, make an attempt at empathy: “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”
  • Sixth, make a patently absurd statement that is in direct contradiction to the facts: “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
  • And seventh, offer up a band-aid for the gaping wound your incompetence has caused: “Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.”

This is not much different from the press release Marriott put out when the Starwood guest reservation database was breached last month. This breach, like many others, has links to state actors, notably China.

Here’s the dirty little secret: Many of these major breaches aren’t about identity theft, or stealing your credit card data, or even “inconveniencing our guests.”

The breaches are about information warfare. It’s about our adversaries collecting information from us that we would otherwise refuse to provide. I’ve detailed China’s extensive role in compiling our information to build an intelligence weapon similar to Facebook.

A reported data breach that actually happened in China highlights a little-noted but important aspect of what’s going on — or not going on, as the case may be. A hack of Huazhu Group, China’s largest hotel chain, compromised the data of up to 130 million people. The data was posted on a dark web site, with the seller offering the 520 terabytes of data for about 8 bitcoin. In other words, the information ended up for sale on the dark web.

That sits in stark contrast to other breaches attributed to China, including OPM, United Airlines and Anthem. At the time of this column, I have failed to find information anywhere, including legal settlements, that indicates the purloined data was used to commit identity theft or fraud.

In fact, an investigation by seven states into the Anthem breach reached the conclusion “… that previous attacks associated with this foreign government have not resulted in personal information being transferred to non-state actors.”

As a victim of the OPM breach myself, I have no doubt the details on my SF-86 (Standard Form 86) are in the hands of the Chinese security services. The SF-86 is a 136-page “Questionnaire for National Security Positions” designed to collect every intimate detail of your life so our government can decide whether they trust you or not.


I maintain a robust service to monitor threats to my personally identifiable information (PII). Three years and not a peep about OPM. Yet, in every instance, some form of credit monitoring and identity theft protection was offered as part of the “solution.”

That’s just another band-aid over the gaping wound of incompetence.

The solution is to actually let consumers know what’s being done with their PII. Imagine if the privacy disclosures explicitly told you your information was most likely in the hands of China, Russia, Iran or North Korea. And, to add insult to injury, that there is nothing you can do about it, because you don’t control your own privacy or PII.

For years, the United States has passed numerous laws on truth in advertising. Maybe it’s time for truth in privacy. That would be a real eye-opener for everyone.

Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He’s currently a Senior Fellow at the Center for Digital Government. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.