Who would raise an eyebrow at the news of another data breach? They’ve become tediously regular and all seem to follow the same pattern. A trove of personal data surfaces online. The company responsible is forced to issue a statement admitting the breach, usually downplaying its significance and stressing that the security failure has been patched, albeit too late. We’re encouraged to believe that everything is OK, that there’s nothing to see here.
And yet the cumulative total of these breaches is becoming truly astonishing. Infographics company Information Is Beautiful has been tracking the world's major data leaks for more than a decade, compiling them into a "balloon race" chart. The bigger the balloon, the bigger the breach. The chart for the past couple of years is exceptionally busy, with Facebook's recent breach taking centre stage, and those of other well-known names – Capital One, Microsoft, Quora, MyFitnessPal – also very prominent. But even the smallest balloon in the graphic represents close to a million personal records. "A lot of major breaches for lesser-known companies or non-English speaking countries go unreported," says Information Is Beautiful founder David McCandless. The problem looks to be getting out of control.
"A decade ago, hacker groups were not like they are today," says Karl Swannie, founder of security company Echosec Systems. "Today we're talking about organised criminal organisations with amazing infrastructure. They've become so technically advanced. It's a cat and mouse game, an escalating war that we haven't really acknowledged is out there."
As the number of these breaches increases, so does the threat to our personal financial security. But their relentless nature means that we end up suffering from a kind of breach fatigue. With comparatively few of us ending up affected, it becomes an uninteresting story with no personal consequences.
For an unfortunate few, however, it can mean financial ruin. “As this progresses, more people are going to be affected personally, and they are going to want to do a lot more about it,” says Swannie. “It’s not just going to be the responsibility of the Googles and Facebooks and all the rest. A societal effort will need to be put in place to be able to deal with all of this.”
Were it not for breach fatigue, there would be collective horror at the recent spate. On April 3, a trove of 533 million Facebook records was spotted by the co-founder of security company Hudson Rock, Alon Gal. This collection of phone numbers, names, birthdates and email addresses had been on sale online for a couple of years, but it was now being given away for free. Last week, data scraped from half a million LinkedIn profiles was put on sale, including more email addresses and phone numbers. In February, half a million French medical records were stolen. PDF software company Nitro had 77 million records breached in January.
Any organisation has become fair game, from energy suppliers to clothes shops. "Breaches are occurring all the time, stealthily, invisibly," says McCandless. "Hackers and bad agents are like bacteria, teeming, constantly active, probing defences, worming their way through our systems and then feasting on our storehouses of data. And the numbers are staggering. We actually had to develop a special sizing algorithm so the billions and hundred million figures didn't break our infographic."
Even breaches at companies we've never heard of can have a huge impact. In December, systems belonging to global cloud provider Accellion were attacked. Ever since, many organisations including universities, banks and local governments have admitted that the attack has left them vulnerable. One breach can very easily lead to another, with new victims piling up at an alarming rate.
"We've been specifically tracking data breaches for the past couple of years, and they're increasing exponentially," says Swannie. "It's all driven by money. Looking on our breaches database, I can see that the data of 30 million Facebook users was selling for a little over $1,200. All a hacker would need to do is to guess a few passwords, and I bet they would get into at least a couple of banks. Just two of those 30 million could make it worth their while. And if they can figure out your dog's name or your kids' names or where you live, they're one step closer to figuring out what your password is."
Odds of two in 30 million might not seem to represent much of a risk. But the cumulative effect of these data breaches alarms security experts like Swannie.
“What’s happening a lot right now is credential stuffing,” he says. “That’s where I can get into one account, use that to make your friends believe that I’m you, then take it a step further and a step further to the point that I’m doing real harm, not to just you but your organisation and anybody interacting with it.”
Our dangerous habit of reusing passwords – ones that may have been sold and resold several times online – does not help. Every reused password makes us more vulnerable. In the light of the recent Facebook leak, many articles recommend that people use the website Haveibeenpwned.com to reveal whether their email address or phone number appears in its trove of breached accounts, now 11 billion strong. But what do we do if it's there? It's not practical, after all, to change our email address, still less our phone number.
“If I had one word of advice it would be to use a password-generating tool like Lastpass to change your passwords to something complex and long,” says Swannie. “But it’s also a matter of us becoming more literate and security literate. That’s the price that we pay to participate in this thing that we created called the internet.”