The Human Impact of Data Breaches

Modern Medical Technology is governed by HIPAA
Photograph by Nik Shuliahin

The world is limping from the relentless onslaught of cyberattacks which continue to grow more sophisticated. And 2021 was the year when eyes really opened up to the immediate human dangers of compromised systems.

A world that runs more and more “on-grid” means that hacked systems can now bring down basic infrastructure. That’s what happened when hackers took down the largest fuel pipeline in the USA because of something as ridiculous as a stolen password. (2FA, anyone?) The hack caused gas shortages and panic-buying. And we all know what ugliness that social evil brought to the world during COVID-19.

First-worlders don’t like it when their goods aren’t available.

Rapid escalation in cyber-threats

Some in the security field might’ve snickered back in 2011 at the irony of MySQL.com being the victim of a simple SQL Injection attack, but cybersecurity was easier to laugh about back then. That was before “one of the largest-ever Internet security break-ins”—77 million records of Sony Playstation users—occurred.

And that Sony attack would be dwarfed by multiple factors when Yahoo was bombed by a staggering 3-billion-record data breach less than two-and-a-half years later. This CNN article on it called it an “epic and historic data breach.”

After the MySQL attack, data breaches got real.

High numbers blind us to the human price

Humans are numbed by numbers. The higher the numbers we read, the less likely we are to feel sympathy and act.

Using words such as epic and historic inspires awe and reverence, but these words don’t help to convey the personal toll behind these enormous breaches.

At a personal level, these breaches have only one aim—to ruin human lives.

Whether attempting to steal bitcoins from friends or buying $2,400 worth of headphones under someone else’s name, the overriding purpose of data breaches is theft, extortion, and hard cash. That hard cash can come directly from the data breach—whether it’s 25 cents for a credit card record or up to $1,000 for protected health information (PHI)—or it can come in the form of using that breached information to carry out fraud.

At the supply-chain level, where hackers sell compromised records to the organized cybercriminal, even a modest price of $500 per PHI record would total nearly $900 million in profit for the Dominion Dental hack!

But $900 million is a drop in the ocean compared to the potential cash from opening up credit card accounts in someone else’s name or filing fraudulent health insurance claims.

For many living on the breadline, rising gas prices caused by a shut gas line could mean skipping meals or the difference between paying rent or not. And $2,400 worth of headphones could be the breaking point for nearly 60% of Americans who are not entirely convinced that they could come up with an additional $2,000 in the next month if an emergency arose.

The human toll of hacking

Numbers aside, here’s just a taste of the human toll of data breaches:

In 2016, someone called Stephanie discovered she could not get a credit card because of identity theft. The thieves had impersonated her, taken out several credit cards in her name, and driven her to bankruptcy.

In this story, a reader reveals how nude photos of her were being sent to male acquaintances. The story takes on chilling tones when we discover that the male acquaintances did not find anything suspicious in the sudden sharing of sexually explicit photos, but instead began conversing with her and asking questions.

But they were actually talking to the hacker, who responded to the emails.

The hacker was eventually discovered (one of the reader’s male acquaintances was smart enough to realize something wasn’t right and called the victim about it). But what if the hacker hadn’t been discovered? How would such a scenario play out in any potential sexual assault case where the defendant could pull out all these emails to try and prove consent?

Before #MeToo, that was a lot easier to do.

The human toll of data breaches is the gift that keeps on giving. And in a 2015 incident, the gift was $500 and then $1,000 when malware called CryptoWall held a mother’s files to ransom and extorted a total of $1,500 from her to decrypt the contents.

Wired magazine ran a proof-of-concept in 2015, showing that remote carjacking is now possible, fully taking control of a vehicle and making demands with the driver in it. The “hackers” took control of the steering, transmission, and the brakes of a Jeep Cherokee with only a phone connection to the car’s entertainment system—no access to the car itself required.

Car-hacking is where it all starts to get a little blood-curdling—the thought of mom’s Cherokee barrelling down the freeway with little Johnny in the backseat and a hacker’s electronic voice coming out of the speaker, telling her to transfer $10,000 now before he drives the car into a wall is a nightmarish picture.

But that’s not nearly as bad as what happened in Oldsmar, Florida, on February 8, 2021.

Cyberwarfare—poisoned water supply

On February 8, 2021, a hacker gained control of a computer at Oldsmar city’s water treatment plant and tried to poison the water by increasing the amount of sodium hydroxide in it by 100 times. The plant supplies water to approximately 15,000 people.

The hacker gained access to the computer via TeamViewer, and the computer that was accessed was able to then control the plant’s machines directly. Unfortunately, this is quite a common method used by companies to provide remote control of physical machines, and many of these methods of connection are even discoverable through the Shodan search engine!

It appears that companies are not only keeping the barn door open but also actively advertising it to the horse thieves!

Cybersecurity needs to be about the people, not the numbers

Cybersecurity has grown into a societal problem involving all sectors and industries. The direness of the situation means there is no more place in cybersecurity for proprietary wars and half-baked solutions such as poorly secured remote-access software that controls machines on which people’s lives depend.

The regulatory aspect is only one factor. A lot of companies, especially non-tech companies, simply don’t know what the best practices are. And a fragmented security world only makes the potential holes bigger.

The human problem of security makes it imperative that we come up with an effective, homogenous solution to reduce potential security holes across all sectors. Because people’s lives are literally at risk.

Ready to protect your data?

Learn the most common data protection opportunities and how Peacemakr works with your infrastructure and products to stop data breaches.