KENNESAW, Ga. | Jul 9, 2024
I have had my data stolen multiple times over the years when a company that has my data is the victim of a hack. It used to feel like a very infrequent event and often the data compromised was not particularly sensitive. Lately, it seems like every few weeks I am getting another letter alerting me that my data has been stolen. The list has included my employer, my cellular provider, my insurance company, and others. This has led me to conclude that, as disconcerting as it is, effectively none of our data is going to remain secure or confidential in the long run. Expect even your most sensitive data to be effectively public record.
I’ve written in the past how cybersecurity has a key difference from traditional physical security. Namely, a criminal must physically visit a specific locality to thwart physical security made up of a range of locks, safes, and monitoring devices. These measures work to keep the vast majority of people out. Despite all these tools, however, sophisticated, highly motivated criminals who want to access a given location often find a way to do so. Just this past year, in fact, a major cash storage facility was breached, and the thieves took away a massive haul.
A key fact about such heists is that someone must personally visit a site and physically break in. Not only is there risk involved with showing up in person, but it also largely limits which locations criminals can try to breach. Criminals halfway around the world aren’t realistically going to travel in for a heist and then return to their home base. When it comes to securing a physical property, you’re primarily at risk from the small pool of criminals who are both local and sophisticated.
It wasn’t long ago that most data, both electronic and paper-based, was only accessible from inside a secure building. Over the years, more and more companies allowed remote access to their systems and, more recently, public clouds have become ubiquitous. Most of our data is now exclusively stored electronically and it is specifically not stored at a company’s property, but rather in public clouds.
While these clouds and the applications that use them are highly secure, nothing is perfect. New angles of attack are constantly found and there is a never-ending battle between security professionals and the criminals (including well-funded state-sponsored groups) trying to breach systems. However, perhaps the biggest risk of this new reality is the lack of locality needed to breach a system and steal data.
Unlike a physical building, a criminal does not need to be local to a computer system today to breach it. Also, while there are only so many physical locations that a criminal can visit, there is no limit to how many sites a hacker’s automated bots can attack. It’s as if every criminal in the world was flown to your neighborhood! While almost all the hackers are repelled almost all the time, some still succeed. And, once they find a new vulnerability, instead of having to visit each physical location with the vulnerability, they can the remotely attack every system with the vulnerability regardless of its location.
Bringing the prior points together, where does that leave us? Unfortunately, I think that we are rapidly approaching (if not already part of) a world where for all practical purposes, you must assume any data is publicly available on the dark web. If you notice, all the letters from companies informing you of your data being stolen include credit monitoring and similar services. In other words, we get support focused on mitigating the damage of thefts. Nobody is suggesting the thefts are going to stop or that your stolen data will be taken offline.
You should expect that your tax records, medical records, bank records, and more will eventually be breached. It may be small pieces per incident over many years, but it will add up. Over time all of us will have our data stolen as part of a larger attack that isn’t aimed at us individually but aimed at stealing as many individuals’ data as possible.
Do we really want to live in a world where someone who is mad at us can buy and release potentially embarrassing medical or financial records? I don’t think most of us do, but I don’t see how we avoid it. A major bank has the resources to ensure that theft of account records will be a very rare event. However, think about how many small medical practices store electronic medical records. Even if the systems they are using are secured by capable firms, the risk of access via phishing attack or other indirect method is much higher for businesses who aren’t well versed in technology.
My disappointing conclusion is that no matter how diligent you are, it is almost certain that much of your sensitive data is going to get stolen and offered for sale eventually. In essence, it is all public record! I imagine some readers will be nodding in violent agreement while others will think I’m being too cynical. Let me know what you think in the comments. Am I spot-on or way off the mark?