There is little doubt that fear sells security products, hikes law enforcement agency (LEA) budgets and sells newspapers. Both the security industry and government agencies benefit from sensational headlines, leaving people wondering what the real truth may be. So when UK newspaper The Times ran a headline, ‘Everyone has been hacked, say police’, it raises the question: is this just more scaremongering or a true reflection of the state of security?
To my knowledge and belief, I have not been hacked (yet) — so the headline is patently untrue. But I (and indeed everyone) am frequently targeted; I’m fairly certain I have dozens of unclicked malicious links and files in my mail system. Here’s the first method of scaremongering: security vendors, LEAs and parts of the media will often claim, ‘millions of users hit by new malware’. The truth is most likely that millions of users have been targeted or can potentially be affected, not that millions of users have been infected.
The Times headline is very clear: everyone has been hacked. But this is not what the police actually said. According to The Times’ own report, “Virtually everyone in the country is likely to have had their personal data hacked and placed for sale on the dark web, police have said.”
This is bad enough, but it is not the same as being personally hacked. What the police (in this case Peter Goodman, the National Police Chiefs’ Council lead for cybercrime and the Chief Constable for Derbyshire) are saying is that everybody will have had some personal data taken by cybercriminals via third-party breaches (such as Yahoo, LinkedIn, TalkTalk and more recently Equifax). Whether the amount of personal data stolen in this way is more or less than the personal data we willingly give to Google, Microsoft and Facebook is a separate — but equally valid — question.
Nor do we know what personal data has been stolen — some personal data is clearly more valuable to cybercriminals (and dangerous to us) than other personal data. However, we should never dismiss any data loss as being unimportant. Cybercriminals, and especially state-affiliated criminals, have as much ability to use big data correlation and analysis as the big security vendors and government agencies. Little bits of data from different sources can be matched together to form a surprisingly detailed picture of us.
The question then remains, how accurate is the police view that we have all been affected by third-party data loss?
Chris Morales, head of security analytics at Vectra, comments, “Anyone who has performed any online transaction has personal data on the internet. Even worse, personal information exists in locations people are not even aware of or have any control over.
Equifax impacted more than 145 million consumers. Of those, around 700,000 were believed to be in the UK. That is just one recent breach.
Based on data reported from breachlevelindex.com [a site sponsored by Gemalto], there have been 9,198,580,293 data records lost or stolen since 2013. That’s more data records than people in the world. For the UK specifically, they report a number of 137,516,163 records stolen since 2013, double the population. Therefore, it is a reasonable assumption to make that everyone has been hacked and some more than once.” (Notice that Morales accepts the Times’ use of the term ‘hacked’.)
Chris Roberts, chief security architect at Acalvio, takes a similar stance. “Healthcare has lost between 600 and 700 million records since we started counting,” he told SecurityWeek. “That’s almost twice the population of the United States. Between all the various high visibility breaches and government losses, it’s arguable that everyone’s data is already out there. Finally, the quantity of credit cards that are breached on an annual basis would arguably demonstrate that almost everyone has had financial breaches.”
Ilia Kolochenko disagrees with the headline, but agrees with the content. “Digitization has become an inalienable part of our everyday lives,” he told SecurityWeek. “Even people who have never used a PC or a smartphone have their personal data stored and processed somewhere. Cybercrime is skyrocketing, and the vast majority of digital systems have been breached. However, I think that it’s technically incorrect to say that every person was hacked, as our common notion of ‘hack’ implies at least some motive and targeting. Otherwise, we can reasonably say that every person in the world has been hacked many times over.”
He has concerns over the headline, but has no issue with the content. “In the matter of general awareness, such announcements are beneficial, as many people still seriously underestimate the growing hydra of cybercrime. Hopefully, the government will finally allocate additional resources that are necessary to fight cybercrime on national and international levels. Right now, law enforcement is seriously under-equipped with technology, qualified personnel and financial resources to prevent, investigate and prosecute digital crime.”
The general consensus is that (apart from the headline), the views of Peter Goodman do not represent scaremongering. Stephen Burke, founder and CEO of Cyber Risk Aware adds a rider: “There is a high percentage of people that have been affected by cybercrime — however, it would be unfair to say that everyone has been a victim. It’s possible they could be by virtue of the data that is readily available online and the data that they give out via social media and to companies who handle billing. If this were the case, then there would be too much data for hackers to handle.”
Nevertheless, statistics suggest that everyone, from corporate manager to stay-at-home mum and her kids, has had personal data stolen by cybercriminals. Goodman has his own solution. According to the Times, “Mr Goodman said that providing lifetime security for digital devices should be mandatory.”
That’s a big, and frankly unrealistic, ask. “We have learned prevention is never going to be enough and at some point it is realistic to assume a breach will occur,” said Morales. “At that point, we must be better prepared to detect and respond to the breaches that do happen and that can cause the most damage. The goal should be to reduce the impact of those breaches.”
The implication is clear. Just as business is exhorted to plan its response to an inevitable breach, individuals need to plan a response to the seemingly inevitable misuse of their stolen personal data.