Introduction
When we think of how our data finds its way into the hands of bad actors or the public domain, we tend to think of two usual culprits. The first is when an organisation has been breached usually due to poor data security systems & practises by a skilled & motivated bad actor. The second is due to our own individual poor cybersecurity practises or Security Fatigue. On top of those main two there are other well documented ways – public WiFi, public computers, signing up for multitudes of surveys and accounts, downloading malware etc. Today we highlight the less obvious and often overlooked sources of data leaks.
Culprit #1: Employee Data Theft
Corporate and Industrial Espionage isn’t new; indeed, one classic example involved the Russian development of the Tupolev Tu-144 which was remarkably similar to the French & British Concorde. Whilst theft of various documents and intelligence no doubt ran both ways it serves as a good introduction to the first culprit, for context to this Concorde example have a read of this article.
As touched on in Challenging the way you imagine Data & Privacy we know there is a monetary value placed on an organisation’s consumer data. This is as opposed to their internal company data such as Intellectual Property or plans and blueprints relating to new projects, such as the Concorde / Tupolev Tu-144 which used to be the only real sellable data before the digital age. The taking of data is done by those termed ‘malicious insiders’ and defined as:
“Malicious insiders can be employees, former employees, contractors or business associates who have legitimate access to your systems and data, but use that access to destroy data, steal data or sabotage your systems. It does not include well-meaning staff who accidentally put your cyber security at risk or spill data”. 1
A 2019 Verizon Data Breach Investigations Report (2) found:
- 34% of worldwide data security incidents were done or aided by employees or contractors from within an organisation
- 71% were motivated by financial gain
- 25% could be considered an attempt to give a competitor an advantage or espionage
A Ponemon Institute report (3) also found:
- 75% of employees say they have access to data they shouldn’t have access to
- 25% of employees are willing to sell data to a competitor for less than $8,000
There are countless and growing examples of employee data theft which you can read for yourself with a search – we won’t list them here. Indeed, you may not even need to search, for example, I’m aware of a Real Estate agent who used to download all data (rental clients and prospective sellers) before leaving each agency and prospected them at their next agency. Departing employees may feel as they have nothing to lose, especially if they want to ‘get back’ at their boss, colleagues, or the whole company.
In a previous role I suggested to my boss the organisation gain lending accreditation status with major banks for prospective investors. The process involves the bank seeing some financial records (amongst other documents) to ascertain how the business operates and decide if how easily they will fund future investors based on their risk metrics. This was to ease the hurdle for prospective investors having difficulty gaining finance for the opportunity. My boss replied that he did not wish to go down this path as “you never know who works at a bank, sees our numbers, and where they go next or what they can do with that knowledge”. He put protecting sensitive data ahead of potential expansion of the company – a great response and an insight that has stuck with me since.
Unfortunately, there isn’t too much an individual can do as malicious insiders specifically and employee data theft broadly is heavily influenced by each organisation, its security systems and culture toward storage, access, and use of consumer data. The best protection to take as an individual is to have accounts (offline & online) with the least amount organisations as possible and to delete accounts with organisations you make one-time purchases from. Whenever you close accounts down, remember to request the company deletes their stored data about you during the process.
Long term the less we as individuals are willing to share with companies and our threat to leave an organisation who has a data breach as a result of poor internal systems & practises is worth following through. If organisations understand that irrespective of loyalty, consumers will leave for a competitor, it will force a wakeup call for all organisations to take serious precautions against employee data theft and protect consumer data the same way they protect all other types of company data.
Culprit #2: Someone from your past ‘Jordan’
As we grow older in this globalised world, we are moving around more and more, gone are the days one is born, grows up, works, and passes in the same town or city. This movement means we develop various new relationships and leave them behind as we start a new chapter somewhere else. In the context of this section we refer to ‘Jordan’ being a unisex name for someone from your past and usually an ex-partner. However, keep it in mind that Jordan can be a former friend, acquaintance, neighbour, colleague, or boss too.
As we said in Challenging the way you imagine Data & Privacy, there is no avoiding the Jordan you befriend or love today knowing your deepest, darkest secrets and vulnerabilities. This disclosure or creation of vulnerability is an unavoidable part of relationship building; however, Jordan today may not be the same Jordan tomorrow. In the mobile age it’s too easy to share intimate photos and sensitive messages coupled with the usual access to social media, bank accounts and emails (shared accounts or not).
McAfee have found the following through various surveys (4):
- 36% of Americans plan to share a salacious photo with their partner over SMS, email or social media on Valentine’s Day
- 50% of people shared their passwords with a partner
- 10% of exes have threatened to post a revealing photo of a former partner online, 60% of those following through
- 60% of people who have sent or received intimate content have saved it on their device permanently
- 28% have snooped on the content of their significant other’s phone
Trust is built between you and Jordan by showing your willingness to share secrets and vulnerabilities as your relationship matures. The top 5 reasons a partner decides to expose personal data are, in order: lying, cheating, breaking up with them, calling off the wedding, and posting pictures online with someone else (4). Again, recall Jordan doesn’t have to be a romantic lover, they can be a former friend or colleague who may feel you wronged them to get ahead (for example) – the emotions felt (lying, cheating…) are the same irrespective of the type of relationship Jordan has with you.
What can you do to protect yourself?
- Keep an eye on red flags in any relationship and act early
- Ask your partner to delete intimate pictures or message over time
- Don’t argue or make threats which can be taken out of context through written mediums (sms, email etc)
- Agree with your partner about what accounts are shared and which are personal. Practise good password hygiene with the personal ones particularly.
- Prevention is obviously the best measure, try to not burn bridges when you leave an organisation or neighbourhood. When you do move to another place or relationship, ensure you resolve outstanding issues with people who may cause you harm later (for example: the neighbour you sent a threatening letter to)
Don’t forget in the examples we’ve listed Jordan tends to have a motive that we’re aware of or is otherwise not surprising. However, you and your data may be undermined or betrayed by a Jordan you didn’t know you previously wronged or had any idea they were seeking to do you some kind of harm.
Culprit #3: Human factors & errors
This is also often overlooked when considering how a data leak could happen or where one could have originated from and can include:
- Misdelivery of sensitive documents (email or post)
- Loss or theft of mobile phones, USB drives, laptops etc
- Break & enter or burglary of organisation or home
- Bribery or extortion of employees or a Jordan (Jordan may not be scorned enough to act but is willing to sell or supply data to someone who is willing to do the dirty work)
Conclusion
The three culprits listed today are quite difficult to protect from and often the most difficult to predict in advance or control as they happen. Having an email account or bank account compromised is easy to identify but it’s much more difficult to know how it could have happened if you can’t point the finger at a publicised company data breach (or another equally as obvious event). Data can be used to hurt you and it can be done so even if you do everything right with respect to your privacy and security. Sometimes it’s the skeletons in your closet that can come back and undermine you given so much of our lives continue to have a digital footprint. Sometimes you are caught in the crossfire of a disgruntled employee and their organisation, sometimes it’s just incompetence, sometimes it’s just bad luck.
References
1 Malicious Insiders: https://www.cyber.gov.au/acsc/view-all-content/threats/malicious-insiders
2 Verizon Data Breach Investigations Report: https://enterprise.verizon.com/resources/reports/dbir/2019/summary-of-findings/
3 Ponemon Institute Report: https://info.varonis.com/hs-fs/hub/142972/file-2194864500-pdf/ponemon-data-breach-study.pdf
4 McAfee Surveys:
This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content is at the users own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.
