Who Gives a Damn about Data?

In light of Wiseasy allowing hackers to access nearly 140,000 passwords to payment terminals, Michael Tanaka, Chief Commercial Officer at MIRACL, offers some lively views on data security.

Of course, the obvious answer is: we all do. Data doesn’t just define the world around us; more and more, it also defines us.

It captures everything we are, what we have done, what we desire and even what we are likely to do in the future. For those geeks out there, we’re not yet at the level of Daniel Graystone in Caprica creating an AI based on his daughter’s social media profile, but we’re heading that way!

We all know this and we all accept the fact that to operate in this world, our data needs to be available for others to process; but do we ever question what they’re doing with it and how they’re protecting it?

My next point: humans recycle EVERYTHING. It’s in our nature to go the path of least resistance and it doesn’t make (human) sense for us to recreate complex or hard to create data.

Need a new profile pic? Catfish-it with the same one you’ve been using for 15 years. Need a new bio? Copy/Paste from your last publication. A new password with 8-12 characters with at least one upper and lower case letter, numbers, letters and at least one special character…that’s right, use the same one you’ve used on ten other sites!

In fact, very few of us create unique passwords for every service; we cheat and recycle our favourite ones. It turns out that only about a third of us use unique passwords for every service and 13% of us use the same password for every service. So it’s not surprising that usernames and passwords stolen from one service can be very effective when used to attack another service (where you’re also using the same password!).

Sometimes, we’re not even at fault… do you know what is some of the most valuable data a hacker can steal? Medical records. They define us, they’re a unique history and are often used to power various identity thefts and frauds. We can’t arbitrarily change medical records; we simply have to redistribute the same information again and again.

Given the self-evident fact that data is 1) important to us, and 2) valuable to an attacker, why do we rely on third party services to act in our best interests and assume they know what they’re doing?


Here’s an embarrassing confession: I started an online service in 2006, and later that year one of my customers asked for help in logging in. We verified their identity and sent them their password. Oh, we sound so nice, don’t we? But the fact is my 500,000 users’ passwords and personal data were all unencrypted and accessible to my entire tech team.

Really basic stuff, and my intentions were pure, my team honest, why should I feel bad about that? Because I was a complete idiot; that data is literally a cash honeypot to anyone who isn’t honest. It only takes one person with a flash drive and access to the server, and suddenly 500,000 people are now worse off.

As you might possibly guess, shortly thereafter we redesigned all of our security and never had a single security incident, but we weren’t smart – we were lucky. And it goes without saying, protecting data has been a core part of tech infrastructure in any business I have been involved with since.

Not everyone else is so lucky… just this month, it was reported that payment company Wiseasy allowed hackers to access nearly 140,000 passwords to Wiseasy payment terminals around the world due to admin passwords turning up for sale on dark marketplaces.

Tough luck for those account holders then? No, not just the Wiseasy account holders but the companies that those people work for as well. Why? Because company staff reuse passwords as often as we do for our personal use. So I can guarantee that there are tens of thousands of companies out there that are at risk: their payments, ERP, CRM, mail, accounting and even banking – you name it, they’re likely to experience the aftershock.

And while in Europe Sweden’s Data Act came into effect in 1974, making it illegal for anyone to use information systems to handle personal data without a licence, and the EU launched the Data Protection Directive in 1995, it took until 2018 for those laws to be updated in the form of GDPR, taking into account the changes that the last 20 years had brought.

Yet, four years later, organisations are still getting to grips with what GDPR truly means – and seeing the consequential fines on their peers when it does go wrong.

As consumers, while these companies are still figuring things out, it makes sense for us to take a closer look at the companies entrusted with our data and not let them off the hook so easily – demand more when it comes to reliance on passwords and use strong MFA where possible. After all, it’s our data not theirs.

By Michael Tanaka, Chief Commercial Officer at MIRACL.
