My Personal Information Was Stolen

1.2 Why and How Does this Happen?

Let's talk about who is behind data leaks, and why they are involved in this sort of thing.

We hear a lot about data breaches, but who is behind them? In our conversation with Erin, we learned more about how our data can get lost or stolen, and what happens to our personal information once it gets loose.

Transcript

Davis: In this video, let’s talk about how and why our data gets compromised. Erin, welcome back, and if you could please share a few ways that people have their information compromised, that would be lovely.

Erin: Thanks, Davis. You know, our data is actually compromised in quite a few different ways. A lot of times, a system is penetrated because your software or your operating system hasn’t been updated, or the company that created that software hasn’t actually created a patch yet to fix that security vulnerability. But one of the most common ways, actually, that our personal data is exposed is human error. So that might mean having a weak password, sharing a password, or falling for a phishing scheme. You know, a lot of times, people will have their data exposed through no fault of their own directly, like the Equifax breach, for instance. You know, major companies are often the target of these hackers who will try to get stolen credentials from employees. They’ll be social engineering, or they’ll even steal a physical device in order to gain access to that data.

Davis: Thank you. That’s a lot of different ways for data to get lost. So let’s focus a little bit on data breaches. Can you share a little bit about what’s going on behind the scenes and who is doing this, and maybe why?

Erin: Yeah. Thanks, Davis. Let’s actually start with the Equifax breach. I think that’s a good example. In that case, the hackers were able to take advantage of a widely known security vulnerability. And the engineers at Equifax had known about that security vulnerability, but they hadn’t patched it. So once in the system, the hackers were actually able to gain access and find the usernames and passwords of employees. And those passwords were stored in plain text, which means they were visible to the hackers when they entered the system. And they used those usernames and passwords to gain access to more and more systems. A strong password is pretty meaningless if it’s just stored in plain text. Another example would actually be the Home Depot data breach that happened in 2014. So, in that breach, hackers actually stole the credentials from a vendor, and then they were able to use that to log into the self-checkout machines and install malware.

In that case, 53 million email addresses were compromised. So what would a hacker do with that? Well, I think the next step on that is actually to use those to launch a phishing scheme. That’s likely what might have happened. And all of those 53 million email addresses might be sent a phishing email with the intention to get the recipient then to click on the link or download an attachment. And that would allow them to give over more personal information or allow the hacker to install malware on that person’s system.

Now, those are two examples from big companies, but the library world is not exempt from this. I mean, think if Equifax and Home Depot can get hacked, a very small library vendor can also get hacked. And that has happened, where there have been breaches from our library vendors and exposed our library users’ data.

Davis: I think what’s really important for us to recognize is that our systems can be vulnerable. So I wanted to just maybe talk a little bit more about who is exactly behind these breaches, if you can answer that, Erin. I know that’s a big question for you.

Erin: Yeah, you know, we don’t always know who’s behind these sorts of things. Sometimes it’s found out, sometimes we never end up finding out, but depending on the type of attack, you might see various different kinds of entities behind that breach. We’ve seen state-sanctioned hacking. A good example of that is when the DNC was hacked during the 2016 presidential election. More recently, we’ve seen that SolarWinds malware attack; that gave Russian hackers access to a bunch of different government agencies. You also might get individual hackers or hacker collectives that might target some of those bigger multinational companies. You might get, like in the case of libraries, you know, it might be just an individual who is looking for different systems out there that have vulnerabilities and seeing what they can penetrate. A hacker that reaches a system and exposes your data could be from next door or they could be halfway around the world; there’s never really any way of knowing that. There’s lots of different pathways.

Davis: Yeah, that’s truly scary to think about all the different groups who might be engaging in these activities. So what happens next? How are these individuals and groups sharing your information?

Erin: So I would say that unless you specifically are the target of a hack, which is — probably most of us are not a high enough target; we’re not Hillary Clinton out there trying to get emails hacked. But it’s likely that your information is going to be packaged up and then sold on the dark web. I was actually recently reading an article that spoke about what value our data has on the dark web, and it was saying that our social security numbers would probably only fetch about a dollar, but a credit card number might be anywhere from like $5 to $110. But your passport information could fetch maybe $2,000 and a driver’s license maybe only $20. So if you’re thinking about this, you know, emails might only be a dollar, but thinking about that Home Depot breach, if they had 53 million email addresses, even if they’re only a dollar being sold on the dark web, that might bring someone quite a bit of money.

Davis: Yeah. Again, that’s super scary. So I think that we could take a break here, and take a breath, because that’s a lot of really frightening information. But the good news is that in our next video we’ll be talking about what we can do to sort of help protect ourselves from these types of activities. So stay tuned and we’ll see you again soon.

Relevant Terms

  • Phishing

    The fraudulent practice of sending emails purporting to be from reputable companies in order to persuade individuals to reveal personal information like passwords and credit card numbers

  • Malware

    Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system

  • Dark Web

    The part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable

Contributor Bios

  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.