1,473 DATA BREACHES WERE TRACKED IN THE U.S. ALONE IN 2019 [3] (ID THEFT RESOURCE CENTRE)
Looking out of the rain-streaked window down onto the mix of tourists in ponchos and business people striding along under the cover of umbrellas, a man in his early thirties contemplated leaving his office building in a busy area of central London. He had already changed into a pair of trainers that were way too loud to wear around the office, in anticipation of heading down the stairs and out of the door imminently. Glancing at his watch he saw that he still had 25 minutes until he needed to be there. Not a particularly pressing engagement, but a few drinks with some old friends and colleagues whom he hadn’t seen for a while was always something to look forward to.
It shouldn’t have been looking this dark at 6pm in late March, but the wintry weather had other ideas. He didn’t relish a twenty-minute walk in the rain so he decided to leave it five or ten minutes to see if it eased off. A couple of minutes of silent contemplation was rudely interrupted by the sharp and shrill ringing of the press office phone, leading him into the eternal dilemma of this hour. Should he answer it, or ignore it and hope they send an email or call back tomorrow? Just after six is not a usual time to get a call to this line, so he was loath to leave it, but on the other hand, by answering he could be opening the door to an extremely stressful and miserable evening.
Despite the day being officially over, professionalism won out over the need for a beer and he picked up the phone, belatedly, after five or six rings. The voice on the other end explained that he was from a news organisation and was writing a story on the hacking of a company product which happened recently. Unsure of how to respond, and kind of regretting answering the phone, he told the journalist that he would need to discuss internally to provide a response and requested further details from the cold caller. The evening was only just beginning.
This is the true story of a hacking incident beginning to unfold within a technology company a few years ago. Unfortunately I cannot name the company or go into any further detail, but the records over the last few years show that this scenario could have played out in a vast number of companies across the globe. Wired magazine wrote an interesting rundown of some of the biggest data breaches in recent years [4], back in September 2018, and in 2020 nothing has really changed.
The chances are that you’ve been affected by a data breach of a global company, whether you realise it or not, and the advice is always the same – users are asked to change their passwords. It appears in the case of almost any data breach, at least some of the burden of change falls on the users.
An example of such a data breach happened in September 2018 when British Airways revealed that hackers had breached its systems and had access to website transactions, including payment details, for 15 days between 21st August and 5th September. I was actually personally impacted by that breach and received an email from British Airways on the afternoon of 7th September to inform me of this. The advice: Don’t follow any links in emails that purport to be from BA, don’t respond to any emails or calls requesting information as they’re not from BA, review your bank and credit card statements and contact your bank if necessary. The email was very apologetic, and they said they would compensate any financial loss, but it was clear that the responsibility for stopping any harm stemming from this kind of incident was (and continues to be) really on each individual customer.
In April 2020 a similar incident befell easyJet where it was estimated that around 9 million traveller records were accessed, with a small number of customers having their passport details and payment information accessed. Again, all you could really do was be cautious and keep an eye out for unusual activity.
The response of British Airways and easyJet to these data breach incidents was actually relatively quick, but that has not always been the case historically. At the end of 2016, around the time it was revealed that Verizon would be buying Yahoo!, news began to break of historical data breaches at the ailing internet giant. This began with the disclosure of a data breach which impacted 500 million accounts dating back to 2014 and was followed only a few months later by news of the biggest data breach in history (at the time, anyway). This impacted one billion Yahoo! accounts and apparently took place in 2013. It was subsequently revealed in October 2017 [5] that, following investigations, the breach had actually affected all three billion Yahoo! accounts, a truly staggering development.
Anyone remotely au fait with technology knows that by this point, Yahoo! was nowhere near the internet giant it had once been; I even remember seeing people joking about accounts they hadn’t used in years. “If anyone has hacked my Yahoo! Mail account, can you let me know the password,” one journalist quipped on Twitter. However, despite being long-surpassed by companies like Facebook and Google, three billion accounts is still a lot of people – and data.
In this case the breach was revealed so long after it had actually happened that the usual advice to users to change their passwords wouldn’t really hold much weight; if users were going to suffer any consequences from the data breach, they likely already had. This puts a spotlight on one of the weakest points in the connected world – the password. In a later chapter we’ll talk about why the password could be replaced in future, and more to the point, probably should be.
However, one thing that these examples have in common is that they are all companies that we happen to give our data to in the course of doing business with them. It doesn’t excuse these lapses in security, but in all these instances most of the private data exposed is relatively easily changeable. But what about a company where storing and providing access to our most private and permanent data is their business, data we’ve not proactively given to them, but data that they hold whether we like it or not?
The fact is, it’s not just services that we choose to use that have been shown to be vulnerable to data breaches. If you’re not aware of what a credit reference agency is, then you’ll also not be aware of the information they hold on you. A credit reference agency is a company whose records get checked any time you apply for any sort of financial product, from a mortgage to a credit card or car finance, for example. If you’ve ever been ‘on the grid’, i.e. had your existence recorded in one way or another, then there will be a file on you. You didn’t proactively provide the information they hold on you, but it will include your name, current and previous addresses, your financial connections with other people (e.g. spouse or partner), whether you’ve had any County Court Judgements (CCJs) or insolvencies, what credit cards, loans, mortgages and other borrowing you have and how much you owe.
While it is just credit focused information, it is still likely something you want protected and, given that providing and safeguarding this information is the main focus of the companies that operate in this space, you’d think that their security would be a level above. Well that may be the case for some, but not all, as was demonstrated by Equifax in September 2017. Along with Experian and TransUnion, Equifax is one of the three largest credit reference agencies in the world.
Unfortunately, when a massive data breach of potentially 143 million consumer records was discovered by Equifax in July 2017, these data assets could potentially have been used to power better decisions, but for criminals. The breach affected primarily consumers in the US and, according to a TechCrunch article published when the breach was disclosed in September 2017, information including Social Security Numbers, dates of birth and even driving licence numbers was taken. Essentially, this is all the information any competent criminal would need to steal your identity and begin taking out products in your name.
So, what can you do if impacted by a breach like this? In the chapter on passwords, we’ll go into detail on the actions you can take if your personal data and accounts are compromised, but when it comes to data you have no control over like this, the answer is, not a huge amount.
You don’t control the account, there’s no password to change, so all you can really do is be vigilant on your credit profile and financial accounts for any suspicious activity and check if there’s a case for compensation. In the case of Equifax, it immediately offered free credit monitoring for people whose information was involved and later it agreed with the Federal Trade Commission (FTC) to pay between $575 million and $700 million in compensation.
Is that consolation for you if you were adversely impacted by the breach? I'm guessing not.