My Personal Information Was Stolen

1.2 Why and How Does this Happen?

Let's talk about who is behind data leaks, and why they are involved in this sort of thing.

We hear a lot about data breaches, but who is behind them? In our conversation with Erin, we learned more about how our data can get lost or stolen, and what happens to our personal information once it gets loose.

Transcript

Davis: In this video, let’s talk about how and why our data gets compromised. Erin, welcome back, and if you could please share a few ways that people have their information compromised, that would be lovely.

Erin: Thanks, Davis. You know, our data is actually compromised in quite a few different ways. A lot of times, a system is penetrated because your software or your operating system hasn’t been updated, or the company that created that software hasn’t actually created a patch yet to fix that security vulnerability. But one of the most common ways, actually, that our personal data is exposed is human error. So that might mean having a weak password, sharing a password, or falling for a phishing scheme. You know, a lot of times, people will have their data exposed through no fault of their own directly, like the Equifax breach, for instance. You know, major companies are often the target of these hackers who will try to get stolen credentials from employees. They’ll be social engineering, or they’ll even steal a physical device in order to gain access to that data.

Davis: Thank you. That’s a lot of different ways for data to get lost. So let’s focus a little bit on data breaches. Can you share a little bit about what’s going on behind the scenes and who is doing this, and maybe why?

Erin: Yeah. Thanks, Davis. Let’s actually start with the Equifax breach. I think that’s a good example. In that case, the hackers were able to take advantage of a widely known security vulnerability. And the engineers at Equifax had known about that security vulnerability, but they hadn’t patched it. So once in the system, the hackers were actually able to gain access and find the usernames and passwords of employees. And those passwords were stored in plain text, which means they were visible to the hackers when they entered the system. And they used those usernames and passwords to gain access to more and more systems. A strong password is pretty meaningless if it’s just stored in plain text. Another example would actually be the Home Depot data breach that happened in 2014. So, in that breach, hackers actually stole the credentials from a vendor, and then they were able to use that to log into the self-checkout machines and install malware.

In that case, 53 million email addresses were compromised. So what would a hacker do with that? Well, I think the next step on that is actually to use those to launch a phishing scheme. That’s likely what might have happened. And all of those 53 million email addresses might be sent a phishing email with the intention to get the recipient then to click on the link or download an attachment. And that would allow them to give over more personal information or allow the hacker to install malware on that person’s system.

Now, those are two examples from big companies, but the library world is not exempt from this. I mean, think if Equifax and Home Depot can get hacked, a very small library vendor can also get hacked. And that has happened, where there have been breaches from our library vendors and exposed our library users’ data.

Davis: I think what’s really important for us to recognize is that our systems can be vulnerable. So I wanted to just maybe talk a little bit more about who is exactly behind these breaches, if you can answer that, Erin. I know that’s a big question for you.

Erin: Yeah, you know, we don’t always know who’s behind these sorts of things. Sometimes it’s found out, sometimes we never end up finding out, but depending on the type of attack, you might see various different kinds of entities behind that breach. We’ve seen state-sanctioned hacking. A good example of that is when the DNC was hacked during the 2016 presidential election. More recently, we’ve seen that SolarWinds malware attack; that gave Russian hackers access to a bunch of different government agencies. You also might get individual hackers or hacker collectives that might target some of those bigger multinational companies. You might get, like in the case of libraries, you know, it might be just an individual who is looking for different systems out there that have vulnerabilities and seeing what they can penetrate. A hacker that reaches a system and exposes your data could be from next door or they could be halfway around the world; there’s never really any way of knowing that. There’s lots of different pathways.

Davis: Yeah, that’s truly scary to think about all the different groups who might be engaging in these activities. So what happens next? How are these individuals and groups sharing your information?

Erin: So I would say that unless you specifically are the target of a hack, which is — probably most of us are not a high enough target; we’re not Hillary Clinton out there trying to get emails hacked. But it’s likely that your information is going to be packaged up and then sold on the dark web. I was actually recently reading an article that spoke about what value our data has on the dark web, and it was saying that our social security numbers would probably only fetch about a dollar, but a credit card number might be anywhere from like $5 to $110. But your passport information could fetch maybe $2,000 and a driver’s license maybe only $20. So if you’re thinking about this, you know, emails might only be a dollar, but thinking about that Home Depot breach, if they had 53 million email addresses, even if they’re only a dollar being sold on the dark web, that might bring someone quite a bit of money.

Davis: Yeah. Again, that’s super scary. So I think that we could take a break here, and take a breath, because that’s a lot of really frightening information. But the good news is that in our next video we’ll be talking about what we can do to sort of help protect ourselves from these types of activities. So stay tuned and we’ll see you again soon.

Relevant Terms

  • Phishing

    The fraudulent practice of sending emails purporting to be from reputable companies in order to persuade individuals to reveal personal information like passwords and credit card numbers

  • Malware

    Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system

  • Dark Web

    The part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable

Contributor Bios

  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.

My Personal Information Was Stolen

1.1 The Story Of A Common Data Privacy Issue

It happens to all of us, it's true: data we share online can be exposed via a leak or a breach. Let's talk about it.

We’ve all heard nightmare stories about data breaches. In fact, I know I am one of the millions whose data was lost in the Equifax breach in 2017. That one is scary because credit reporting agencies collect so much information about us.

Lately, I’ve heard stories from my sister about having her credit card information stolen through an online service. And just a couple of weeks ago, I ordered a tote bag. Days later, I got an email saying the company had been hacked.

So I wanted to talk to my friend Erin Berman, who chairs the Privacy Subcommittee of the American Library Association’s Intellectual Freedom Committee, about how these things happen, and why they seem to be happening more and more often.

Transcript

Davis: Hello and welcome to the first in a series of videos from NYC Digital Safety: Privacy & Security. This project is funded by the Mayor’s Office of the Chief Technology Officer of the City of New York, and our project partners are Brooklyn Public Library, The New York Public Library, and Queens Public Library.

My name is Davis Erin Anderson. I’m Assistant Director for Programs and Partnerships at Metropolitan New York Library Council, and I’ll be talking with experts on data privacy, information security, and libraries on a bunch of upcoming videos. For this first series, we’ll be talking about why and how our data gets compromised, and what we can do about it. And I’m very excited to introduce our special guest for this conversation, Erin Berman.

Hi, Erin! Welcome and please introduce yourself.

Erin: Hey Davis! It’s great to be here. Thank you for having me. I’m Erin Berman. I am the chair of American Library Association’s Intellectual Freedom Committee’s Privacy Subcommittee. I know, quite a mouthful to say, but I’ve been serving in that role going on my fourth year right now. And I’ve been working on privacy issues in libraries for quite a bit now and leading national campaigns to provide support and resources so that libraries of all kinds can really uphold those privacy values that we hold so dear.

Davis: So these privacy issues are happening more and more. Literally just the other week, I bought a tote bag online and then like three days later I got an email that said “guess what, your email and your password have been leaked.”

For those of you out there, is this happening to you? Are you hearing from your library patrons about these types of issues? And what are you telling them? We’re going to get into it in this series of videos.

So join us for video number two coming up shortly about how and why data breaches happen.

Relevant Terms

  • Data Breach

    A data breach is an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner. A small company or large organization may suffer a data breach. Stolen data may involve sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.

    The effects brought on by a data breach can come in the form of damage to the target company’s reputation due to a perceived ‘betrayal of trust.’ Victims and their customers may also suffer financial losses should related records be part of the information stolen.

  • Hacker

    A hacker is a person who creates and modifies computer software and hardware for either negative or positive reasons. Criminal hackers (cybercriminals) create malware in order to commit crimes.

  • Privacy

    The right to be let alone, or freedom from interference or intrusion. Information privacy is the right to have some control over how your personal information is collected and used.

  • Data leaks

    Data leaks are the unauthorized transfer of data from within an organization to an external recipient. Data leaks can happen digitally or physically, as in the case of a stolen USB drive.

Contributor Bios

  • Davis Erin Anderson is Director of Programs and Partnerships at METRO Library Council.
  • Erin Berman is a Division Director at the Alameda County Library in California and serves as the Chair of the American Library Association’s Intellectual Freedom Committee’s Privacy Subcommittee.
  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.