H4cked Off: Plugging the Leaks

08 Apr 2011

It seems to me that we're all getting leakier, and I'm not just talking about decrepitude brought about by advancing age.

Every day appears to bring about a new data breach story. In the past week we've seen the 'Epsilon Affair' (surely a good title for the overdue sequel to Len Deighton's 'The Ipcress File'), where email marketeer Epsilon lost potentially millions of customer addresses to hackers (including those from Marks & Spencer and Mothercare). This follows hot on the heels of a similar breach at another email marketing firm, Silverpop.

My own details were among those obtained by hackers in the latter attack, so we can all look forward to more outraged screechings from me soon when the hackers brute force my password and take over my online life again.

And last night the US Airline Pilots Association mentioned it had leaked the personal details of 3,000 pilots. There's a pun in there somewhere about pilots leaking into the cloud, but it's probably best avoided.

In all these cases the leaking bodies released statements expressing their concern. They're treating the matter with the 'utmost seriousness'. Investigations are 'ongoing'.

I have in my inbox an email from Play.com CEO John Perkins (Play's customer data was breached in the Silverpop case) informing me that 'necessary steps' have been taken to avoid further leaks.

Please excuse me if I fail to appear entirely reassured.

Apologising to customers is all well and good, but what's going to happen to these companies as a result of their failure to safeguard our personal data? Huge fines? Government sanctions? Criminal investigations? Or a big dose of nothing?

I'm looking at you, ICO. The Information Commissioner's Office has the power to impose fines of up to £500,000 on firms found guilty of breaching the Data Protection Act. OK, it only applies to UK companies, but there have been plenty of significant UK-based breaches since the ICO was given this power.

And how many fines have they imposed to date? Four.

The most common result of an ICO investigation into a breach of the DPA is that the guilty party signs an 'undertaking'. Basically it's a gentle slap on the wrist and a 'try to do better next time'.

How many undertakings have been issued (since April 2010 when the ICO gained its powers to fine)? 44. And 90 in total.

Imagine the chaos on urban streets on Saturday evenings if that was the penalty for drink driving.

You might not think these breaches are that serious. Why should you care if a hacker gets hold of your email address?

Well, to begin with, it means more spam. Possibly not a terrifying prospect in itself, in these days of junk filtering, but where an email marketing outsourcer has lost your information, you should expect the spam to come branded from a company you actually do business with.

And the message will include your real name too, for added authenticity.

That's called spear phishing, and it's much harder to spot than the traditional non-personalised kind.
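The branded, personalised phishing described above is easier to catch if a filter compares who a message claims to be from with the domain it actually came from, and refuses to treat a greeting with your real name as evidence of legitimacy. This is an added example written for this page, not code from the original post; the brand allow-list, the sending domains and the sample message are all constructed.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed, hypothetical allow-list: brands this recipient really deals
# with, mapped to the domains each brand legitimately sends from.
KNOWN_BRANDS = {
    "play.com": {"play.com", "email.play.com"},
    "mothercare": {"mothercare.com"},
}


def addr_domain(header_value):
    """Lower-cased domain of an address header, or '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_message(raw, recipient_name):
    """List reasons a message looks like branded, personalised phishing
    (an empty list means this trick was not spotted, not that it is genuine)."""
    msg = message_from_string(raw, policy=default)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom, reply_dom = addr_domain(msg.get("From")), addr_domain(msg.get("Reply-To"))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Everything the sender *claims*: display name, subject and body text.
    claims = f"{display_name} {msg.get('Subject', '')} {text}".lower()
    reasons = []
    for brand, domains in KNOWN_BRANDS.items():
        if brand in claims and from_dom not in domains:
            reasons.append(f"mentions {brand!r} but was sent from {from_dom!r}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from {from_dom!r}")
    # A greeting with the recipient's real name is exactly what a leaked
    # marketing list makes cheap, so it never counts in the sender's favour.
    if reasons and recipient_name.lower() in text.lower():
        reasons.append("personalised with the recipient's real name")
    return reasons


# Constructed sample: brand lookalike domain plus the leaked real name.
SAMPLE_PHISH = """From: Play.com Customer Care <care@play-com-secure.example>
Reply-To: care@mailbox.example
Subject: Action needed on your Play.com account

Dear Alice Smith,
Please confirm your account details at the link below.
"""
```

Running `assess_message(SAMPLE_PHISH, "Alice Smith")` returns three reasons: the brand/domain mismatch, the differing Reply-To domain, and the note that the mail was personalised.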

Then there's the possibility that they'll be able to hack your account, now that they know your username.

Regular readers won't need to be reminded about the cascade of online service and data loss that can result from a compromised email account. Suffice to say that when I lost my Hotmail account, Facebook, LinkedIn and Gmail were quick to follow, and only prompt action on my part prevented my eBay, PayPal and online banking accounts following suit.

So please ICO, use your teeth to plug these leaks. See, I may avoid puns but I can still mix a metaphor with the best of them.
