Posted by Post Authored By: Natalie Elizaroff
COVID-19 is not the only virus that has been spiking in 2021. As of September 30, 2021, the total number of data breaches has risen by 17% in comparison to the total number in 2020. [1] These statistics account for some of the biggest data breaches to date, including: Colonial Pipeline ($2.3 million in Bitcoin); Facebook, Instagram and LinkedIn via Socialarks ($214 million); Bonobos ($7 million); Kroger via Accellion (Records Breached: 1,474,284); Twitch (Unknown extent); T-Mobile (Records Breached: 53 million); Volkswagen & Audi (Records Breached: 3.3 million); and many more. [2] As of early October there have been 1,291 breaches and over 281 million people that have been affected. [3] These numbers pale in comparison to the 2.5 billion data-breach victims in 2016, but in no way diminishes the issue of data privacy and the importance of proper online security. Even “old data” that was leaked from breaches several years ago can still be used with malicious intent. Zack Allen, Senior Director of Threat Intelligence, noted that “the LinkedIn breach from the early 2010s was used by the Guild of the Grumpy Old Hackers to guess former President Donald Trump’s Twitter username and password in 2016.” [4]
Given that October was cybersecurity awareness month, and many people are unaware as to modern security threats, this article will shed some light on data breaches, their impact, and what you can do to protect your information and push legislators to do the same.
What are data breaches and how do they happen?
Data breaches occur when a cybercriminal infiltrates a data source and exposes confidential or protected information. [5] They can be accidental or intentional, but most often cybercriminals target a weak network and hijack information for a profit at the individual’s, or companies’, expense. Data breaches have a myriad of detrimental effects on individuals and organizations, including, identity theft, financial losses, damaging reputation, and legal action. Additionally, when companies are breached, they must deal with the responsibility for notifying all victims about what information was stolen during the breach. [6]
Approximately 84% of data breaches are attributed to system intrusion, malware, and phishing attacks. [7] The remaining percentage of data breaches are caused by physical actions (stolen laptops/phones/card skimming), unauthorized or mishandled information (employees abusing their privileged access to information), and human error (sending sensitive information to the wrong party). [8]
System intrusion/Brute force attacks are generally done by cybercriminals that take the time to work through all the possibilities for a password until they guess correctly. This method also includes criminals that simply purchase credentials on the dark web and use that to access privileged information. Once credentials are compromised, a variety of other cyber attacks can follow, which include phishing and malware attacks.
Phishing is a social engineering attacks by a cybercriminal that is impersonating a legitimate organization via email, text message, advertisement or other means in order to steal sensitive information. These kinds of attacks are particularly common and easily performed against casual internet users. If you have ever stumbled across a Facebook/social media platform quiz that asked questions like: “What does your eye color say about you,” or “Make your own sentence” – these are tools to learn answers to common security questions. Participating and sharing this kind of information leads to hacked accounts and personal information being stolen. [9]
Malware is a blanket term that encompasses any kind of software that has malicious intent against your software and hardware. Malware is a software that is designed to target your system causing damage to a computer, server, client, or computer network. This is where viruses, worms, Trojan viruses, spyware, adware, ransomware, and more come into play. [10]
What is the future of online security?
Knowing about data breaches and being able to differentiate common hacking attempts are useful but being proactive on these matters is what will decide the future of privacy law. As of today, there is no blanket statute or Supreme Court decision that provides uniform data privacy protection to individuals. Other countries including Europe, Brazil, South Africa, Bahrain, the Philippines, Canada, the United Kingdom, India, Australia, and more all have comprehensive, uniform general data protection regulation laws to protect its citizens. The United States is one of the few developed countries that lacks comprehensive broad protection of its citizen’s data. Instead, there are hundreds of different laws that have been enacted on federal and state court level to protect personal data. [11]
Despite the hundreds of different laws, in reviewing the below infographic, most states lack comprehensive privacy laws. California, Colorado, and Virginia are the only states to establish a framework in controlling personal data. These three states have several provisions in common, such as establishing consumer rights to access and delete personal information, opting out of the sale of personal information, requiring data protection assessments, requiring consent for sensitive personal information such as race and religion, and more. [12]
Hackers and cybercriminals are not going away and implementing a cohesive, uniform approach to privacy law would eliminate confusion, encourage companies to adopt strict protection standards, and most importantly it would better protect people’s sensitive information.
[1] Third Quarter 2021 Data Breach Analysis: Number of 2021 Data Compromises Surpasses Total Number of Compromises In 2020, Identity Theft Resource Center, https://itrc–c.na151.content.force.com/file-asset- public/ITRC_2021_Q3DataBreachAnalysis_Report?oid=00D300000006Kp5EAE (last visited Oct. 30, 2021).
[2] See The Biggest Data Preaches of 2021 So Far, Bluefin (Sep. 9, 2021),https://www.bluefin.com/bluefin-news/2021-biggest-data-breaches-so-far/; Eugene Bekker, 2021 Data Breaches | The Worst So Far, IdentityForce (Jan. 11, 2021), https://www.identityforce.com/blog/2021-data-breaches; Luke Erwin, List of data breaches and cyber attacks in August 2021 – 61 million records breached, ITGovernance (Sep. 1, 2021), https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-august-2021-61-million-records-breached.
[3] Chris Morris, The number of data breaches in 2021 has already surpassed last year’s total, Fortune (Oct. 6, 2021), https://fortune.com/2021/10/06/data-breach-2021-2020-total-hacks/.
[4] Allison Ries, Top Four Damaging Consequences of Data Leakage, ZeroFox (June 3, 2021), https://www.zerofox.com/blog/damaging-consequences-data-leakage/.
[5] Data Breaches 101: How They Happen, What Gets Stolen, and Where It All Goes, TrendMicro (Aug. 10, 2018), https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/data-breach-101.
[6] Ries, supra note 4.
[7] Verizon Data Breach Investigations Report, Verizon, https://www.verizon.com/business/en-gb/resources/reports/dbir/2021/smb-data-breaches-deep-dive/, (last visited Oct. 25, 2021).
[8] Id.
[9] BBB Scam Alert: Bored at home? Think before taking that Facebook quiz, Better Business Bureau (Apr. 10, 2020), https://www.bbb.org/article/news-releases/16992-scam-alert-that-facebook-quiz-might-be-a-big-data-company-mining-your-personal-information.
[10] What is Malware?, Cisco, https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html (last visited Oct. 25, 2021).
[11] Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, Council on Foreign Relations (Jan. 30, 2018), https://www.cfr.org/report/reforming-us-approach-data-protection.
[12] Alysa Z. Hutnik, Aaron J. Burstein & Lauren F. Myers, Colorado Passes Privacy Bill: How Does it Stack Up Against California and Virginia?, Ad Law Access (June 9, 2021), https://www.adlawaccess.com/2021/06/articles/colorado-passes-privacy-bill-how-does-it-stack-up-against-california-and-virginia/.
About the author:
Natalie Elizaroff is a 3L at UIC School of Law, recently renamed from the John Marshall Law School. She is the Candidacy Editor of the Review of Intellectual Property Law, President of the Intellectual Property Law Society, and Treasurer of the Video Game Law Society. Prior to law school, Natalie graduated with a B.S. in Molecular Biology from Loyola University Chicago. Natalie currently works as a Law Clerk with Advitam IP, handling trademark litigation, patents, and other IP-related matters.