Last week I argued that requiring backdoors in strong encryption would result in the effective end of encryption and provide a veritable buffet of sensitive data to both the government and those with malicious intent. Encryption with backdoors is not encryption at all.
I mentioned the U.S. Office of Personnel Management hack and the loss of highly sensitive data on 18 million U.S. government employees, including those with high security clearances. I mentioned the Hacking Team hack that resulted in the loss of its Galileo software, which was used by law enforcement and governments to hack into suspected terrorist and criminal computers -- software now turned against those very same governments and law enforcement agencies.
But I also said it’s not only money at stake here. In addition, the loss of sensitive data provides criminals with leverage against those with money and power who have had their personal details compromised. The very day that column ran, news broke of the Ashley Madison data breach.
After the Adult Friend Finder breach in May, I suppose it wasn’t much of a stretch to think this could happen. Rather, the shocking detail here is the huge number of people potentially affected. Reportedly, data on almost 40 million user accounts were lost, including names, credit card information, and other personal details.
Sadly, this sort of data breach is common among major retailers. But the consequences of a retail breach, as painful as they are, are generally not as dire as they might be in the Adult Friend Finder case. Customers of Target, Home Depot, Kmart, TJX, and so on were forced to get new credit card numbers, deal with the annoyances of changing bill payment and automatic billing information, and in some cases wrestle with identity theft. But in general, they didn’t have to fear that their lives, or the lives of their families, would be completely altered.
Lives altered is certainly a danger in the Ashley Madison breach. If that data becomes public, we will absolutely see a significant rise in divorce rates. You can place the blame on the adulterous spouse, but it doesn’t change the raw facts that this corporate data breach will have a traumatic impact on thousands or even millions of lives. Perhaps even more unnerving, the group that took this data could possibly release it after adding hundreds of thousands of records from other data heists. People with no connection to Ashley Madison would be presumed guilty -- it’s that easy.
There are ripple effects from this one that we haven’t quite seen before. Given the highly personal nature of this breach and the potentially massive ramifications of that information becoming public, scammers and phishing operations will be mining serious gold. If a nervous ex-member of Ashley Madison gets an email stating, “Your Ashley Madison details can be deleted, click here,” or “Your Ashley Madison details are being released! Click here to stop it!” the temptation may be too great to resist.
This will lead to many more successful fraud and phishing attempts, as well as easier access to corporate networks for hackers, via compromised users within those organizations. If even 5 percent of users take the bait, that’s roughly 2 million people -- and the scammers will have confirmation that their targets were victims of the Ashley Madison data breach and could use that knowledge to their advantage down the road.
Those scammers aren’t even part of the Ashley Madison hack. They’re simply using the publicity to further their own scams. If we think about the hackers who actually have the Ashley Madison or OPM data, the success of phishing attempts and scams skyrockets. Not only could that data be used to direct scams and attacks, but the data contained in those messages and emails will be 100 percent accurate, making them essentially indistinguishable from legitimate contact.
A victim of the OPM data loss event will not be able to trust most verification information in an email or on a website ever again. They can’t use relatives, bank account information, home or car ownership (to a specific date anyway), or any of the myriad other ways that legitimate businesses use to verify identity.
The OPM and Ashley Madison data loss events aren’t only about losing money or even small-scale identity theft. These data breaches are life-altering events for the victims. The OPM breach can and will cause a lifetime of headaches for people who essentially lost their entire personal histories. The Ashley Madison breach will directly lead to the dissolution of families. Yet we hear from heads of state and law enforcement that we should be installing backdoors in strong encryption. The mind boggles.
We’re in the Wild West of data security, overrun by the bad guys. We need to strengthen our defenses, not hobble them.