Janie Slaven: LEFT TO MY OWN DEVICES: Data breaches: The gifts that keep on giving

Dec. 21—Have you seen the news today? If so, you likely stumbled across a headline that implicates the thievery of data breaches. To be fair, not every data breach results from malum in se, which is legalese culled from Latin meaning an inherently wrong act. Stealing, alongside murder and sexual assault, is one of those types of crimes. You don't need any sort of governing law or statute to know, as a thinking human being, that theft is wrong. It is, per se.

In another Latin-borne lane of criminality are acts that are mala prohibita. These crimes are not, in their own rights, against social norms but are prohibited under legal proscriptions enacted by lawmakers. Speeding, for example, is malum prohibitum. That's because, theoretically, if you're on some stretch of wide, well-maintained highway, all alone, and bear driving skills, why not take the car to its limit, speed-wise? I'm the wrong one to ask this, frankly. I've lost count of my speeding tickets, and until losing count of the states I earned them in I was keeping a cheeky state map puzzle with each locus of infraction memorialized.

No matter their criminal category, data breaches are no goodies for you or for me. Many data breaches are not criminal in nature at all. All too many incidents occur because of user error, poor corporate policies, and other technological bumblings. Some in my line of cybersecurity parse those from data "breaches" and refer to them as data "leaks." Meh ... comme ci comme ça, to invoke the third language within these thousand words. I'll presume that you, like me, couldn't give two hoots about whether your personally identifiable information finds its way onto the dark web by accident or by criminality. We pay the same no matter. Today, I'm not distinguishing, therefore.

I've discussed breaches many times in this column. Now that we're winding down another calendar year, the industry reports are starting to describe how 2022 has been in terms of the penultimate signs of your personal privacy, second only to your most personal strands of DNA and RNA. The data that is at risk, or was before that risk materialized, includes all the regular players. Your full name, date of birth, addresses, Social Security number, financial and healthcare details, and so on. There are many formal definitions, though my sense is that the actual list of personal data types is inexhaustible. Also, it's more complex than simply determining whether your information has been compromised based on some pat list of data points. A savvy hacker can combine seemingly innocuous pieces of the puzzle into forming a fuller picture.

Since the throes of the global pandemic sent conventional work practices into the retooling hopper, and because so much of our personal information is maintained (or not) by companies, breaches have continued their historical upward trend during the past few years, with a sharp rise having occurred quite recently. Malware attacks—these are intentional crimes rather than whoopsie-doodles—jumped over 350% in frequency between 2019 and 2020. Now, they've settled back to the more typical year-over-year growth of around 125%. The same period, of course, has contained the Russian invasion of Ukraine, a political event that, because of at least one side of the war's equation, made any resulting cybercrime activity all the more evident. During the first few months of 2022 alone, over 3 million Russians' personal information was subject to data breaches.

Back on home soil, mainly, the amount of investment fraud has been an important contributor to 2022's breaches. With all the cryptocurrency hijinks, not to be flippant (but ... I've told you so), this should not be too surprising. The average investor is not only prone to data breaches as much as the wealthiest market player, but may be more at risk because of the stakes. In run-of-the-mill phishing attacks, typically resulting in some form of data breach, the average loss per victim hovers around $150. Not chump change, but many might bounce back from that hit, and oftentimes if a payment card is at issue the banks help victims recover. However, the average investor who's stung by hackers suffers to the tune of $70,000! Now, that's a decimating effect most of us could not bounce back from with even the tautest springboard.

So, how prone are you? That depends. Have you ever been online? Do you use a payment card? Do you visit a doctor? Use a bank? Inhale oxygen and exhale carbon dioxide? If any of these fit, you're at risk. You cannot rely on the most powerful and resourceful stakeholders in all this. The banks, hospitals, schools, all of them do their darnedest. The bad guys keep pushing. The errant actors keep bumbling. Even the trillion-dollar company that is the federal government, with millions of employees, cannot contain the risk.

Heads-up if you happen to use Medicare or Medicaid. Just last week over a quarter-million beneficiaries were added to the list of data breach victims. Incidentally, I think I'll never run into a human who isn't on the growing, nearly complete list of victims, all told.

The Centers for Medicare and Medicaid, an agency with a 2016 budget of $992 billion (!), got smacked with a ransomware attack resulting in the data breach. It's yet another case where the hackers targeted a third-party vendor, here a subcontractor of a CMS contractor. The CMS will alert you if your information was stolen.

If you're a CMS beneficiary who does not receive that unwelcome message, maybe you, too, got an early Christmas gift. The Grinch, however, is lying in wait somewhere else patiently awaiting some other time. Eventually, you'll join the rest of us on the list not of Santa's making, but of the hackers' taking. Nevertheless ....

Merry Christmas to All, and to all a good night!

Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.