Big data has big implications for our future, but anyone would be remiss to overlook the security issues inherent in the big data industry. As with the birth of any new technology, the learning curve associated with understanding and ultimately securing the big data we collect is steep. Worse, even when we believe we have figured it out, a bug like Heartbleed comes along and reminds us that fighting big data breaches will be a continually evolving issue, always requiring expertise and our undivided attention. Think of it as chasing bacteria with antibiotics -- it’s a field forever up for reinvention and out-of-the-box solutions.
And, as is always the case with new frontiers, there are the good guys and the bad guys. Today, the world of computer users is starkly divided between programmers and non-programmers, making those with the knowledge to find and fix breaches far fewer in number. In fact, Jer Thorp mentioned in a recent TED Talk that Bill Atkinson, a founding member of the Apple Macintosh development team and the man behind HyperCard, programming software that came installed on the first Apple computers, would be deeply confused and frustrated to learn that most computer users don’t know how to program.
“If you talked to the people who invented the computer and you told them there would be a day, a magical day, when everybody had a computer, but none of them knew how to program,” he said. “They would think you were crazy!”
But this is our reality. Save for the professional or hobbyist programmers among us, few habitual computer users know how to program — meaning that few computer users know how to navigate the backbone structure of software. For those who do, and who do it well, the hacking capabilities are endless. This is why so many digital companies land on the list of those that have had their data breached — because hacking is like a game of chess: you had better be prepared for your opponent’s next move.
Here are the 8 biggest data breach scandals of the past few years, excluding the 200 million records stolen in the first quarter of 2014 alone.
1) Heartbleed - 2014
It’s unclear exactly how much information was stolen via the Heartbleed bug, but with two-thirds of the web vulnerable for two years, it is clear that the issue was, and continues to be, severe. Passwords, credit card information and more were exposed to hackers on sites many people access on a daily basis, including Gmail, Facebook, Netflix, Healthcare.gov, Dropbox and WordPress. The bug affected OpenSSL, the cryptographic library used to secure connections across much of the web, prompting sites to revoke their existing digital certificates and have them reissued before asking users to change all of their passwords.
The full extent of the information stolen is still unknown, and many sites revoked and reissued their digital certificates as a precaution. One Canadian man, however, was arrested and charged with unauthorized use of a computer and mischief in relation to data for allegedly exploiting the Heartbleed bug to steal personal data, including social security numbers, from the Canada Revenue Agency’s website.
More than 500,000 certificates were affected by the bug, with 130,000 of those revoked within the first two days of the Heartbleed announcement. As of May 2014, reports show that 67% of affected users had yet to change their passwords.
2) Target - 2013
Over the course of a little less than a month, spanning the peak of the holiday shopping season, malware on Target’s systems resulted in the theft of 40 million credit and debit card records and another 70 million telephone number and address records. According to reports, Target HQ received multiple malware alerts from the company’s security system, made by FireEye. The system could have deleted the malware automatically, but that functionality had been turned off in favor of manual deletion — and the Minneapolis HQ didn’t act on the alerts right away.
The breach hurt Target’s holiday sales, with a 2.5% decline in comparable-store sales, and caused the company’s CEO to resign amid the fallout. Since the breach, however, Target has invested $100 million to equip its stores with chip-enabled payment technology for additional security. The company will also be issuing its own smart-chip credit and debit cards to further help prevent fraud.
The breach affected shoppers nationwide, but surveys found only 5% of regular Target customers vowed never to shop there again — still enough of a disruption to cause Target CEO Gregg Steinhafel to step down in May.
3) Evernote - 2013
This online note-taking service suffered a security breach that led it to reset the passwords of all 50 million users. A blog post from the company stated that it had found suspicious activity that looked like “a coordinated attempt to access secure areas of the Evernote service.” Hackers were able to access usernames, Evernote-linked email addresses and encrypted passwords.
All users were prompted to change their password upon login after the breach was discovered, and Evernote used the occasion to improve its password-reset user experience in the meantime.
4) LivingSocial - 2013
A month after Evernote’s reset of 50 million user passwords, LivingSocial announced that the data of 50 million of its users might have been compromised, including usernames, email addresses, dates of birth and encrypted passwords. The databases that stored merchant credit card and banking information were not compromised in the attack.
LivingSocial sent email notifications out to all users whose data had been breached, prompting them to update their passwords.
5) Adobe - 2013
In October 2013, Adobe announced the theft of 3 million encrypted customer credit card records and 38 million encrypted passwords of active users. Counting inactive accounts as well, however, the stolen data included more than 150 million usernames and encrypted passwords.
Adobe contacted the owners of the breached accounts, urging them to change their passwords. A spokesperson for the company also stated that there appeared to be no suspicious activity on any Adobe ID account involved in the incident.
6) Snapchat - 2013
Hackers posted the account information of 4.6 million Snapchat users to the website SnapchatDB.info, making usernames and at least partial phone numbers downloadable. In less than 24 hours, the site had been suspended.
The hacker was initially anonymous, though it is now known to have been 16-year-old Dallas resident Graham Smith, and the attack itself was believed to be intended to pressure Snapchat into tightening its security measures. Smith stated that he used an exploit in a new version of the app to extract the information.
"Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does," Smith said in a statement to technology blog TechCrunch.
Snapchat co-founder Evan Spiegel received a lot of criticism in the aftermath of the attack after he refused to apologize, saying, “We thought we had done enough,” and pointing out that no photos were compromised in the attack. Much of the criticism stemmed from the fact that Snapchat executives had been forewarned about the issue before the attack — and had not fixed it.
7) Massive American Business Hack - 2012
Over the course of seven years, 2005-2012, five Russian hackers and one Ukrainian hacker funneled $9 million from debit cards around the world, as well as untold amounts of revenue from selling credit card numbers online (where American numbers went for $10, Canadian for $15 and European for $50). In all, $300 million was lost by companies and individuals across the globe, including Citibank, Nasdaq and even 7-Eleven.
Five of the men have been charged in New Jersey and two others in Manhattan (one man has received charges in both) with various crimes ranging from computer hacking to bank fraud to wire fraud — counts with varying maximum prison sentences of up to 30 years each.
8) Zappos - 2012
Wherever credit card information is exchanged, hackers are never far behind. In this 2012 breach, 24 million Zappos customers’ names, email addresses, mailing addresses, the last four digits of their credit cards, phone numbers and encrypted passwords were stolen. The company changed the passwords of all users affected by the breach and urged them to also change their passwords on other sites where they used the same or a similar one.
“We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” Chief Executive Officer Tony Hsieh wrote to Zappos employees in an email. “I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.”
Transparency and security are key when it comes to big data collection and use. Hacks happen. The best we can do as companies is to make sure we are armed with the best and brightest programmers, use the best tools out there and have a strong plan for preempting attacks as well as reacting responsibly and gracefully in the face of a breach.
As consumers, we can certainly react with fear and try to hide all of our data -- but that is neither a practical nor a fulfilling way to live and prosper in the Internet age. Instead, a more beneficial approach is to be diligent about giving our personal data only to companies we trust, and to be responsible about changing passwords regularly -- an annoying but necessary reality. In general, it is everyone’s responsibility to stay informed of the goings-on within the big data industry because, after all, we can’t expect to have an upside with no downside.
Computers and big data afford us numerous conveniences that we have come to rely on, and perhaps could no longer live without, but there is a responsibility that comes with the territory. It's time for us to grow up, and maybe even learn a little bit about programming ourselves.
Overall, our collective militia gets stronger with each and every breach. There may be some inevitable casualties, but the actual benefits far outweigh the risks. And, if you do stay in touch with the news, and regularly change your passwords, then there is, more often than not, enough time to protect yourself from any significant damage.
Sharing your data with companies you trust allows the building of more meaningful brand relationships, more relevant content and products based on your actual needs, and the end of obnoxiously irrelevant advertising. When big data is used well, the quality of our on and offline lives will dramatically improve. And that’s one benefit no breach can take away.