Dearly beloved, we have gathered here today to get through this thing called “data theft”. Data theft means forever and that’s a mighty long time. But I am here to tell you, there is something else: The After Hack. A world of never ending misery. You can never see the sun: day….or night. What happens to all of that data that gets stolen? Well, let’s take a look. Then let’s go crazy!
The Background In 2015, The US Office of Personnel Management was hacked, and 21.5 million data records of government employees were stolen, including their names, addresses, date of birth, place of birth and Social Security numbers, plus all of their sensitive military credentials. Who did it? The rumours are that it was the Chinese, as they wanted to compile a database of American military personnel. However, it cannot be proven. Suffice to say, “bad guys stole the data”. How did it happen? School boy error. Security experts have stated that the biggest problem with the breach was the "lack of proper encryption of sensitive data”. Back to the exam question - What was the impact of the After Hack? Fast forward a few years….to June 19, 2018: Karvia Cross and Marlon McKnight pleaded guilty to using the personal data contained in the hack in order to obtain fraudulent credit. In 2015 - 2016, just after the hack, Cross and other defendants began using the information to create new bank accounts with the Langley Federal Credit Union and to apply for personal and automotive loans. The loans were approved, and the proceeds were paid out to the second set of bad guys. Why do I care? This is a faceless crime. We all talk about the breach, not the unfortunate people who are left with a mound of bad debt. Think about the details that were stolen – the key part of PII is in the title: Personally Identifiable Information. Those fraudulent loans weren’t just ripping off the Bank…a corporate entity that people don’t care about. They were taking out the loans in the name of people. People like me. People like you. People like us. People who now have years of bad credit because someone couldn’t be bothered to encrypt their person data. How would you feel if it was your data that was stolen and you find out that you have 2 car loans and a personal loan in your name, all of which are destroying your credit rating. Good luck explaining that to a person in a call center. Moral of the story The impact of data leaks can linger on for years. In this case, from 2015 until 2018. Secondly, crime does not pay: Karvia Cross is looking at 30 years in the slammer (or the clink). Thirdly, where did she get the data from? Did she steal it? Did she buy it? No one is saying. Lastly, why aren’t individuals demanding that their personal data be encrypted? Or tokenised? Or pseudonymised? If we take away one thing from GDPR it should be this:
If you steal protected data, then it is useless and you can’t screw over the good people of the world.