by Marc Goodman
Let us pause for a moment to consider the implications of this terrorist assault. Ten men, armed not just with weapons but with technology, were able to bring a city of twelve million people, the fourth-largest metropolis on earth, to a complete standstill, in an event that was broadcast live around the world. The militants proved fully capable of collecting open-source intelligence mid-attack (traditional media, Internet, mobile, and social data) and using it for synchronous operational decision making. LeT simply processed the data the public was leaking and leveraged them in real time to kill more people and outmaneuver authorities. That was terrorism in the digital age circa 2008. What might terrorists do with the technologies available today? What will they do with the technologies of tomorrow? The lesson of Mumbai is that exponential change applies not just for good but for evil as well.
Data Is the New Oil
Data is constantly being generated by everything around us. Every digital process, sensor, mobile phone, GPS device, car engine, medical lab test, credit card transaction, hotel door lock, report card, and social media exchange produces data. Smart phones are turning human beings into human sensors, generating vast sums of information about us. As a result, children born today will live their entire lives in the shadow of a massive digital footprint, with some 92 percent of infants already having an online presence. From their parents’ posting of their first in utero sonogram until the disconnection of their Internet-enabled pacemaker more than a hundred years later, every moment from birth to death will be digitally chronicled and preserved in the cloud in perpetuity. Our data creation cycle never sleeps, and in 2014 each and every minute of every day, we
• sent 204,166,667 e-mail messages
• queried Google’s search engine 2 million times
• shared 684,000 pieces of content on Facebook
• sent out 100,000 tweets on Twitter
• downloaded 47,000 apps from the Apple App Store
• uploaded 48 hours of new video on YouTube
• posted 36,000 new photographs on Instagram
• texted 34 million messages on WhatsApp
Put another way, every ten minutes, we created as much information as did the first ten thousand generations of human beings. The cost of storing all these data is dropping exponentially as well. For instance, as of late 2014, a six-terabyte hard drive can be purchased on Amazon.com for just $300 and store all of the music ever recorded anywhere in the world throughout history.
This vast growth in the world’s information infrastructure has been dubbed the big-data revolution. The promise of big data is that long-standing complex problems become quantifiable and thus empirically solvable. Consider medicine. As all patient data are cataloged in electronic medical records, it becomes easier for doctors to mine these data sets to identify the most effective treatments, spot deadly drug interactions, and even predict the onset of disease before physical symptoms begin to emerge. Untold lives could be saved.
Across all industries, whether retail, transportation, or pharmaceuticals, there will be tremendous economic value realized as a result of big data, so much so that the World Economic Forum recently dubbed data “the new oil.” There is a new-age gold rush afoot in which hundreds of companies such as IBM, Oracle, SAS, Microsoft, SAP, EMC, HP, and Dell are aggressively organizing to maximize their profits from the big-data phenomenon. And if data are the new oil, the modern currency of a digital world, then those in possession of the greatest amounts will have enormous power and influence. Just as the first oil barons, such as John D. Rockefeller and J. Paul Getty, ruled their era, so too will those who possess the largest amounts of data in today’s world, as Mark Zuckerberg and Eric Schmidt have demonstrated. Companies such as Facebook, Google, and Acxiom are creating the largest data sets about human behavior ever accumulated in history and can leverage this information for their own purposes, whatever they might be, whether profit, surveillance, medical research, political repression, or blackmail.
But if data are the new oil, then like other long-established natural resources, they must be safeguarded. We don’t leave 100 million barrels of oil unprotected, and yet for the most part that is exactly what we do with the vast majority of data created. The protection of our digital information is nowhere near the levels it should be. The 100 million barrels of oil are protected by guards, fences, guns, video cameras, and sensors in the ground and along the pipelines. But what about the 100 million credit cards and customer records stored by retailers such as Target? They, as we have seen, are stored in inherently insecure and poorly defended databases. When you aggregate such vast troves of valuable data and fail to protect it, what do you think is going to happen? Our ability to capture and store information is greatly outpacing our ability to understand it or its implications. Though the business costs of storing the world’s information may be driving toward zero, the social costs may be much higher, posing huge future liabilities for society and our world.
History here can be instructive. Willie Sutton, the famous American bank robber, stole nearly $2 million over his multi-decade career in crime, which began in the 1920s. After his capture by the FBI, a reporter asked Sutton, “Hey, Willie, why do you rob banks?” His answer, oft repeated, was, “Because that is where the money is.” Though Sutton could have robbed two million people of a dollar each, he chose a more logical and time-efficient approach, deciding instead to rob the currency aggregators (banks). Thus is it any surprise that criminals are going after Target, Sony, and other data aggregators when the rewards are so high and the risks so low? In today’s world, data are where the money is.
Taking a cue from Gordon Moore and his eponymous law, I too decided a dictum was in order to describe the risks associated with the growing mountains of data produced. Thus I present Goodman’s law:
The more data you produce and store, the more organized crime is happy to consume.
Eventually, your personal details will fall into the hands of criminal cartels, competitors, and even foreign governments. While big data may be the new oil, our personal data are more like weapons-grade plutonium—dangerous, long lasting, and once they are leaked, there’s no getting them back.
Even the federal government is realizing it too can fall victim to this problem. Just look at the 2010 WikiLeaks debacle and the hundreds of thousands of classified diplomatic cables Private Chelsea (Bradley) Manning was able to steal while working as an army intelligence analyst in Iraq. Of course just a few years later, the world would meet Edward Snowden, who used his skills and access as an NSA system administrator to steal millions of highly classified files from America and its allies and share them with journalists for publication online. Some have called this type of mass information theft and disclosure the “civil disobedience of the information age.” But if Manning and Snowden could (after purportedly thorough background investigations) amass and steal such vast volumes of sensitive data from the federal government, what might they do if they were working for Target, Citibank, or Apple? The exponential growth in corporate data means that trade secrets, engineering designs, technical know-how, customer lists, employee salary tables, pricing strategies, suppliers, and any other information stored on a digital device can leak. Today, any company, large or small, can have a Snowden in its midst with notable implications for its data security, privacy, and long-term economic viability.
Just one compromised e-mail account on Facebook, Google, or Apple can give hackers access to years of your e-mail messages, calendar appointments, instant messages, photographs, phone calls, purchase histories on Amazon, bank and brokerage accounts, and documents in Dropbox or on Google Drive. It is important to note, however, that the data losses we imagine today will pale in comparison with what becomes possible tomorrow. In this world, our ability to aggregate all information created by both man and machine and store it in perpetuity is far exceeding our understanding of the concomitant risks.
Bad Stewards, Good Victims, or Both?
What I did in my youth
is hundreds of times easier today. Technology breeds crime.
FRANK W. ABAGNALE
When Sony, Target, and T.J. Maxx were hacked, whose fault was it? Were these firms innocent victims of ingeniously inventive cyber attacks perpetrated by sophisticated transnational organized crime groups? Or were they deeply lax with their security precautions, remiss in implementing the most basic of protections for the hundreds of millions of accounts entrusted to them? The answer lies between the two extremes. Not only are retailers doing an ineffective job of protecting their customer data, but so too are legions of Internet start-ups and the behemoths of social media. When you volunteer your data to Facebook, Google, LinkedIn, and others, you need to be aware not only of the numerous privacy ramifications of doing so but of the criminal implications as well. These firms are routinely hacked, and the data taken are yours. How often does this happen? Way more than you might ever imagine.
Facebook’s own security department has shockingly acknowledged that over 600,000 accounts are compromised every day. Did you get that? Not 600,000 accounts per year or even per month, but per day. That’s one account every 140 milliseconds (a blink of an eye is 300 milliseconds). These data can be used for identity theft, criminal impersonation, tax fraud, health insurance scams, and a host of other criminal offenses. Consider the tremendous volumes of personal data you share on Facebook, and now think what organized criminals might be able to do with them. Mother’s maiden name, check. Place of birth, check. Date of birth, check. Photographs of your kids, check.
Compromising your Facebook account is not the end goal; it’s just the beginning. Because 75 percent of people use the same password for multiple Internet sites and 30 percent use the same log-in information for all their online activities, once your Facebook account password is compromised, it can potentially be used to access your bank, credit card, and e-mail accounts. In addition, third-party companies are increasingly allowing you to use your Facebook log-on credentials as your passport to the rest of the digital world. While using your Facebook account to shop, listen to music, and play games is greatly convenient, once that single sign-on is compromised, so too are all the other services.
Many social media companies have been breached, including LinkedIn (6.5 million accounts), Snapchat (4.6 million account names and phone numbers), Google, Twitter, and Yahoo! Transnational organized crime groups are responsible for carrying out a full 85 percent of these data breaches, and their goal is to exfiltrate the greatest amount of data possible, with the highest value in the cyber underground. Sometimes organized crime groups don’t even need to hack into a computer system; it’s already wide open. Just as predators on the plains of the Serengeti won’t pass up an already dead animal as a free meal, so too are hackers happy to take advantage of any free data bounty that comes their way. Such was the case, for example, when the mega cloud storage data company Dropbox accidentally turned off the need for any account password whatsoever across its entire network back in 2011. As a result, any person could read any file posted on the Dropbox network.
You might think that if your social media or Internet accounts were compromised in such a manner and you suffered harm, such as identity theft or tens of thousands of dollars stolen from your bank account as a result of somebody else’s negligence, you might have recourse to sue those who put your information at risk. Of course, you do not. You waived all of those rights when you clicked “I have read and agree to the terms of service,” a caveat that holds these companies completely harmless for such breaches.
And Facebook makes it clear:
We try to keep Facebook up, bug-free, and safe, but you use it at your own risk. We are providing Facebook as is without any express or implied warranties … We do not guarantee that Facebook will always be safe, secure or error-free …[Y]ou release us, our directors, officers, employees, and agents from any claims and damages, known and unknown, arising out of or in any way connected with any claim you have.
By the way, it is not just organized crime groups that are going after the massive data repositories you’ve created with Google, Yahoo!, and Facebook; it is governments, foreign and domestic, as well. For example, in January 2010 Google went public with news of a massive attack across its network and blamed the attack on the Chinese government. Google reported that Chinese authorities were going after the Gmail accounts of activists in the United States, Asia, and Europe who had raised concerns about China’s human rights practices. Also targeted in the incident were trade secrets and Google’s source code—the very software that runs Google and its products.
Though Google admitted being attacked, the exact extent and nature of what was taken were closely guarded company secrets. Later, however, it was revealed that hackers tied to China’s People’s Liberation Army (PLA) took the source code for Google’s global password management system. The theft of Google’s source code could readily have provided the Chinese persistent access to the passwords of millions of Google’s customers worldwide and have allowed the PLA to remain hidden within Google’s systems on a long-term basis. Have you changed your Google password since 2010? If not, the PLA may have a copy of it. Whether Internet and social data companies are bad stewards of our data, highly targeted victims, or a little bit of both, the fact of the matter is that any data we entrust to the sites and companies could leak to criminals, terrorists, and others.
Data Brokers Are Poor Stewards of Your Data Too
One of the problems with having shadowy and poorly regulated data brokerages amass huge volumes of information on us is that these companies can readily be hacked as well. When firms such as Acxiom store trillions of records on each of us, those records will be targeted by organized crime because, as Willie Sutton reminds us, that’s where the money is. This theft of large-scale data sets from data brokers has been going on for many years, and back in 2002–3 more than 1.6 billion customer records were stolen from Acxiom and its clients. According to court documents, the hacker responsible for the theft, Scott Levine, was able to download more than eight gigabytes of Acxiom files, making it one of the largest ever intrusion cases involving the theft of personal data.
More recently, in 2013, the data broker Experian mistakenly sold the personal data of nearly two-thirds of all Americans to an organized crime group in Vietnam. The epic fraud meant that the Social Security numbers of 200 million Americans were now available to the thieves around the world. The data sets obtained were known as “fullz” in the criminal underground because they contain the full set of information required for criminals to apply for credit cards and take out loans in the names of their victims. The massive breach of security occurred because Experian failed to do due diligence on the Vietnamese hacking organization, which had established a front company posing as a U.S. private investigation firm in order to purchase the data for its crime commission. Get that? Experian sold 200 million user data files to an ID theft ring. The data were eventually put up for sale on dozens of hacker Web sites, including SuperSet.info and FindGet.me, selling for just sixteen to twenty-five cents a record, with payment accepted only via untraceable online currencies such as Liberty Reserve and WebMoney. Experian learned of the compromise and its complicity in the affair only after it was contacted by the Secret Service, which discovered the information for sale on the hacker Web sites.
And why on earth would a purportedly reputable firm sell the data without doing due diligence? The answer, as usual, lies in the money. Data brokers make money when they sell data, not when they protect it. In the course of the investigation, it was uncovered that criminals had accessed the Vietnamese data set at least 3.1 million times before it was taken down—but of course by then, the damage had been done.
Given the ready availability of data on any one of us, organized crime groups have now even started their own data brokerages and front companies providing illicitly obtained information on any particular target of interest. An example of this was seen when Russian hackers created a Web site known as Exposed.su
to demonstrate their hacking prowess to their fellow criminally inclined buying public—bona fides, if you will. Boasting of their ability to get data on anybody, the hackers freely hosted credit files on a wide number of public figures in politics, law enforcement, and entertainment.
To obtain their ill-gotten goods, the thieves subverted the security systems at Equifax’s AnnualCreditReport.com Web site and obtained the full credit reports of all those targeted. Those who fell prey to the attack included a who’s who of celebrities, among them Ashton Kutcher, Kim Kardashian, Jay-Z, Bill Gates, Beyoncé, Robert De Niro, Lady Gaga, and Sean Combs. Also breached were the credit reports of a number of extremely high-profile government figures such as First Lady Michelle Obama, Vice President Joe Biden, former president George Bush, the FBI director Robert Mueller, the CIA director John Brennan, and Attorney General Eric Holder, as well as the LAPD chief Charlie Beck.
Once the Exposed.su hacker crew obtained the complete credit reports on those listed above, they posted them in full online in PDF format. There for all the world to see were the Social Security numbers of the victims, their dates of birth, every address they had ever used, personal phone numbers, legal judgments against them, and other personally revealing information such as how many hundreds of thousands of dollars they charged every month on their American Express black cards or how many millions they owed on their mortgages. The credit reports of those affected were viewed nearly one million times before the sites were eventually taken down.
As noted in the last chapter, large data brokers create highly segmented lists of clustered individuals such as “Caucasian, high school educated, rural, family oriented, and interested in hunting, fishing and watching NASCAR.” Now it appears as if certain data brokers are also creating lists that are of direct benefit to organized crime groups, who will pay top dollar for such criminal leads. Scammers are a lucrative fountain of revenue for data brokers, and as such the data industry is happy to create lists that cater to criminal customers as well. Though data brokers would disagree or disavow any responsibility for what happens with the lists, clusters of individuals such as “ ‘gullible’ pensioners who ‘want to believe their luck can change’ ” are nothing more than an invitation to defraud senior citizens of their life savings.