The Consequences of Data Mishandling: Twitter, TransUnion, and WhatsApp

Who should you trust? This week highlights the personal privacy risks and organizational consequences when data is mishandled or utilized against the best interest of the account holder. Twitter provides advertisers with user phone numbers that had been used for two-factor authentication, 37,000 Canadians’ personal information is leaked in a TransUnion cybersecurity attack, and a GDPR-related investigation into Facebook and Twitter threatens billions in fines.
Twitter shared your phone number with advertisers.

Early this week, Twitter admitted to using the phone numbers of users, which had been provided for two-factor authentication, to help profile users and target ads. This allowed the company to create “Tailored Audiences,” an industry-standard product that enables “advertisers to target ads to customers based on the advertiser’s own marketing lists.” In other words, the profiles in the marketing list an advertiser uploaded were matched to Twitter’s user list with the phone numbers users provided for security purposes.

When users provided their phone numbers to enhance account security, they never realized that this would be the tradeoff. This manipulative approach to gaining user information raises questions over Twitter’s data privacy protocols. Moreover, the fact that they provided this confidential information to advertisers should leave you wondering what other information is made available to business partners and how (Source).

Curiously, after realizing what happened, rather than come forward, the company rushed to hire Ads Policy Specialists to look into the problem. 

On September 17, the company “addressed an ‘error’ that allowed advertisers to target users based on phone numbers” (Source). That same day, they posted a job advertisement for someone to train internal Twitter employees on ad policies, and to join a team working on re-evaluating their advertising products.

Now, nearly a month later, Twitter has publicly admitted their mistake and said they are unsure how many users were affected. While they insist no personal data was shared externally, and are clearly taking steps to ensure this doesn’t occur again, is it too late?

Third-Party Attacks: How Valid Login Credentials Led to Banking Information Exposure 

A cybersecurity breach at TransUnion highlights the rapidly increasing threat of third-party attacks and the challenge of preventing them. The personal data of 37,000 Canadians was compromised when a legitimate business customer’s login credentials were used illegally to harvest TransUnion data. This includes their names, dates of birth, current and past home addresses, credit and loan obligations, and repayment history. While this may not include information on bank account numbers, social insurance numbers may also have been at risk. This compromise occurred between June 28 and July 11 but was not detected until August (Source).

While alarming, these attacks are very frequent, accounting for around 25% of cyberattacks in the past year. Daniel Tobok, CEO of Cytelligence Inc., reports that the threat of third-party attacks is increasing as, more than ever, criminals are using the accounts of trusted third parties (customers, vendors) to gain access to their targets’ data. This method of entry is hard to detect because the attackers are often simulating the typical actions taken by the users. In this case, the credentials for the leading division of Canadian Western Bank were used to log in and access the credit information of nearly 40,000 Canadians, an action that is not atypical of the bank’s regular activities (Source).

Cybersecurity attacks like this are what have driven the rise of two-factor authentication, which looks to enhance security, perhaps in every case other than Twitter’s. However, if companies only invest in hardware, they only solve half the issue, for the human side of cybersecurity is a much more serious threat than often acknowledged or considered. “As an attacker, you always attack the weakest link, and in a lot of cases unfortunately the weakest link is in front of the keyboard.” (Source)

Hefty fines loom over Twitter and Facebook as the Irish DPC closes their investigation.

The Data Protection Commission (DPC) in Ireland has recently finished an investigation into Facebook’s WhatsApp and Twitter over breaches of GDPR (Source). These investigations looked into whether or not WhatsApp provided information about the app’s services in a transparent manner to both users and non-users, and into a Twitter data breach notification in January 2019.

These cases have now moved on to the decision-making phase, and the companies are at risk of a fine of up to 4% of their global annual revenue. This means Facebook could expect to pay more than $2 billion.

This decision moves to Helen Dixon, Ireland’s chief data regulator, and we expect to hear by the end of the year. These are landmark cases, as the first Irish legal proceedings connected to US companies since GDPR came into effect a little over a year ago (May 2018) (Source). Big tech companies are on edge about the verdict, as the Irish DPC plays the largest GDPR supervisory role over most big tech companies, due to the fact that many use Ireland as the base for their EU headquarters. What’s more, the DPC has opened dozens of investigations into other major tech companies, including Apple and Google, and perhaps the chief data regulator’s decision will signal more of what’s to come (Source).

In the end, businesses and the public must become more privacy-conscious: between Twitter’s data mishandling, the TransUnion third-party attack, and the GDPR investigation coming to a close, it is clear that privacy is affecting everyday operations and lives.

How to Decode a Privacy Policy

91% of Americans skip privacy policies before downloading apps. It is no secret that people and businesses are taking advantage of that, given that there’s a new app scandal, data breach, or hack every day. For example, take a look at the FaceApp fiasco from last month.

In its terms of use, FaceApp clearly states the following:

 “You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public” (Source).

However, these documents should actually be treated as important, especially since they disclose legal information about your data, including what the company will do with it, how they will use it and with whom they will share it.

So let’s look at the most efficient way to read through these excruciating documents. Search for specific terms by doing a keyword or key phrase search. The following terms are a great starting point: 

  • Third parties
  • Except
  • Retain
  • Opt-out
  • Delete
  • With the exception of
  • Store/storage
  • Rights 
  • Public 

“All consumers must understand the threats, their rights, and what companies are asking you to agree to in return for downloading any app,” Adam Levin, Founder of CyberScout says. “We’re living in an instant-gratification society, where people are more willing to agree to something because they want it right now. But this usually comes at a price” (Source).

New York Passes Data Breach Law

New York has recently passed a law known as the SHIELD Act, or the Stop Hacks and Improve Electronic Data Security Act. Businesses that collect personal data from New York residents are required to comply with it. Below are some of the act’s enforcement provisions and features:

  • requires notification to affected consumers when there is a security breach,
  • broadens the scope of covered information, 
  • expands the definition of what a data breach means, 
  • and extends the notification requirement to any entity with the private information of a New York resident (Source)

Why Apple Won’t Let You Delete Siri Recordings

Apple claims to protect its users’ privacy by not letting them delete their specific recordings. “Apple’s Siri recordings are given a random identifier each time the voice assistant is activated. That practice means Apple can’t find your specific voice recordings. It also means voice recordings can’t be traced back to a specific account or device” (Source).

After it was reported that contractors were listening to private Siri conversations, including doctor discussions and intimate encounters, Apple needed to change its privacy policies. 

Siri works differently from its rivals because Google Assistant and Alexa data is connected directly to a user’s account for personalization and customer service reasons. Apple doesn’t rely as much on ad revenue and customer personalization as its rivals do; it relies on its hardware products and services.

LAPD Data Breach Exposes 2,500 Officers’ Data

The PII of about 17,500 LAPD applicants and 2,500 officers has been stolen in a recent data breach, with information such as names, IDs, addresses, dates of birth and employee IDs compromised.

LAPD and the city are working together to understand the severity and impact of the breach. 

“We are also taking steps to ensure the department’s data is protected from any further intrusions,” the LAPD said. “The employees and individuals who may have been affected by this incident have been notified, and we will continue to update them as we progress through this investigation” (Source).

Capital One: An Expensive Lesson to Learn

As part of their business practices, organizations are uploading private customer information to the Cloud. However, just focusing on how secure the data is and not thinking about privacy is a mistake.

Capital One’s recent data breach proves that organizations need to be more conscious and proactive about their data protection efforts to prevent potential privacy exposure risks. Organizations have an obligation to ensure their customers’ data is fully privacy-protected before it is uploaded to the Cloud. This doesn’t just mean eliminating or encrypting client names, IDs, etc. It also entails understanding the risks of re-identification and applying as many privacy-protecting techniques as needed.

Capital One’s $150 Million USD Mistake

This month, one of the United States’ largest credit card issuers, Capital One, publicly disclosed a massive data breach affecting over 106 million people. Full names, addresses, postal codes, phone numbers, email addresses, dates of birth, SINs/SSNs, credit scores, bank balances, and income amounts were compromised (Source).

Former AWS systems engineer, Paige Thompson, was arrested for computer fraud and abuse, as a result of obtaining unauthorized access to Capital One customer data and credit card applications (Source). “Thompson accessed the Capital One data through exploiting a ‘misconfiguration’ of a firewall on a web application, allowing her to determine where the information was stored”, F.B.I. officials stated. “These systems are very complex and very granular. People make mistakes” (Source).

To make amends, Capital One is providing any affected customers with free credit monitoring and identity theft insurance. They will also be notifying customers if their data has been compromised (Source).

Unfortunately, the company is expecting the breach to cost about $150 million USD, and these costs are driven by customer notifications, credit monitoring, technology costs, and legal support.

How the breach could have been avoided

Simply encrypting data clearly isn’t enough, because Thompson was able to exploit a security system vulnerability and decrypt the data (Source). 

Organizations should apply as many privacy-protecting techniques as possible to their dataset to minimize risks of customer re-identification in case of a data breach.

One way in which data can be privacy-protected to reduce the risk of re-identification is by anonymizing it. The best privacy technique to accomplish anonymization is differential privacy, which uses mathematical guarantees to hide whether an individual is present in a data set or not. 
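To make the guarantee described above concrete, the following added example (not from the original article or from CryptoNumerics) releases a count through the Laplace mechanism and checks that no output is more than e^ε times likelier with one person's record present than absent. The dataset, function names and ε values are assumptions chosen for illustration.

```python
import math
import random

# Constructed sample: 1 = applicant record carries a delinquency flag.
DATASET = [1, 0, 0, 1, 1, 0, 1, 0, 0, 1]
NEIGHBOUR = DATASET[:-1]  # the same data with one individual removed
GRID = [i / 10 for i in range(-50, 151)]  # candidate released values


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample, built as the difference of two exponentials."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))


def private_count(records, epsilon, rng):
    """Count released under epsilon-differential privacy.

    Adding or removing one person changes a count by at most 1
    (sensitivity 1), so the Laplace scale is 1 / epsilon.
    """
    return sum(records) + laplace_noise(1.0 / epsilon, rng)


def laplace_pdf(x, centre, scale):
    return math.exp(-abs(x - centre) / scale) / (2.0 * scale)


def worst_likelihood_ratio(epsilon, outputs=GRID):
    """Largest factor by which any output in `outputs` is more likely with
    the individual present than absent, or the reverse."""
    scale = 1.0 / epsilon
    c_in, c_out = sum(DATASET), sum(NEIGHBOUR)
    worst = 0.0
    for x in outputs:
        p_in = laplace_pdf(x, c_in, scale)
        p_out = laplace_pdf(x, c_out, scale)
        worst = max(worst, p_in / p_out, p_out / p_in)
    return worst


def mean_abs_error(epsilon, trials=20000, seed=7):
    """Average distance between the released and the true count."""
    rng = random.Random(seed)
    true = sum(DATASET)
    total = sum(abs(private_count(DATASET, epsilon, rng) - true)
                for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    for eps in (0.1, 1.0):
        print(f"epsilon={eps}: worst ratio={worst_likelihood_ratio(eps):.4f} "
              f"(bound e^eps={math.exp(eps):.4f}), "
              f"mean abs error={mean_abs_error(eps):.2f}")
```

A smaller ε tightens the bound on what an observer can infer about any one person, and the price is a proportionally larger error in the released count.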

A second way to reduce the risk of re-identification is by combining pseudonymization of direct identifiers with generalization and suppression techniques of indirect identifiers. Optimal k-anonymity is a privacy technique that generalizes and suppresses data to make it impossible to distinguish any specific individual from the rest of the individuals.

Organizations should elevate their understanding of privacy-protection to the same level at which they understand cyber-security. There are two essential questions that every organization needs to be able to answer:

  1. What is the re-identification risk of my data?
  2. What privacy-protecting techniques can we implement throughout our data pipeline?

To learn more about how CryptoNumerics can help you privacy-protect your data, click here.

Protect Your Data Throughout the Pipeline

Organizations all over the world have embraced the opportunity that data and analytics present. Millions of dollars are spent every year in designing and implementing data pipelines that allow organizations to extract value from their data. However, data misuse and data breaches have led government bodies to promote regulations such as GDPR, CCPA, and HIPAA, bestowing privacy rights upon consumers and placing responsibilities upon businesses.

Maximizing data value is essential, but privacy regulations must be satisfied when doing so. This is achievable by implementing privacy-protecting techniques throughout the data pipeline to avoid compliance risks.

Before introducing the privacy-protecting techniques, it is important to understand the four stages of the data pipeline:

  1. Data Acquisition: first off, the data must be acquired, which can be either generated internally or externally from third parties.
  2. Data Organization: the data is now stored for future use, and needs to be protected along the pipeline to avoid misuse and breaches. This can be achieved using access controls.
  3. Data Analysis: the data must now be opened up and mobilized in order to analyze it, which allows for a better understanding of an organization’s operations and customers, as well as improved forecasting.
  4. Data Publishing: analysis results are published, and/or internal data is shared with another party. 

Now that we have talked about the 4 stages of the data pipeline, let’s go over the sixteen privacy-protecting techniques that can be implemented throughout the pipeline to make it privacy-protected.

These techniques can be categorized based on their function into four groups: randomizing, sanitizing, output, and distributed computing.

Within the randomizing group, there are two techniques: additive and multiplicative noise. In applying these techniques, random noise is added to, or multiplied with, each individual’s record to transform the data. These techniques can be used in the Data Acquisition stage of the data pipeline.

The sanitizing group has five privacy techniques in it. The first technique is k-anonymity, where identifiable attributes of any record in a particular database are indistinguishable from at least one other record. Next comes l-diversity, which is an extension of k-anonymity. However, this technique solves the k-anonymity shortfall by making sure there is a diversity of sensitive information in each group. Another technique is t-closeness, which makes sure that the distribution of sensitive elements in each group remains the same as the distribution in the whole group. This technique is used to prevent attribute disclosure by maintaining a ‘t’ threshold. Additionally, there is the personalized privacy technique, in which privacy levels are defined and customized by owners. The last technique in this group is ε-differential privacy, which ensures any single record does not affect the overall outcome of the data’s analysis. These techniques can be used in the Data Acquisition stage, Data Organization stage, and the Data Publishing stage of the data pipeline. 
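The sketch below is an added example, not code from the original article: it measures k and l on a constructed table, applies a fixed generalization plus suppression (a simple scheme, not the optimal k-anonymity search mentioned in the Capital One post), and shows a release that reaches k = 3 while one group still holds a single sensitive value, which is the shortfall l-diversity addresses. The records, field names and bucket widths are assumptions.

```python
from collections import defaultdict

# Constructed sample records; "credit_band" is the sensitive attribute and
# (age, postal) are the quasi-identifiers an attacker could link on.
RECORDS = [
    {"age": 34, "postal": "M5V2T6", "credit_band": "fair"},
    {"age": 36, "postal": "M5V1J2", "credit_band": "good"},
    {"age": 38, "postal": "M5V3L9", "credit_band": "poor"},
    {"age": 33, "postal": "M5V2H1", "credit_band": "fair"},
    {"age": 52, "postal": "K1A0B1", "credit_band": "good"},
    {"age": 57, "postal": "K1A0A6", "credit_band": "good"},
    {"age": 55, "postal": "K1A0C3", "credit_band": "good"},
    {"age": 41, "postal": "V6B4Y8", "credit_band": "fair"},
]
QUASI = ("age", "postal")
SENSITIVE = "credit_band"


def classes(records):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[q] for q in QUASI)].append(rec)
    return groups


def k_of(records):
    """k: size of the smallest group; worst-case re-identification risk is 1/k."""
    return min(len(g) for g in classes(records).values())


def l_of(records):
    """l: fewest distinct sensitive values found in any group."""
    return min(len({r[SENSITIVE] for r in g}) for g in classes(records).values())


def homogeneous(records):
    """Groups whose members all share one sensitive value (attribute disclosure)."""
    return [key for key, g in classes(records).items()
            if len({r[SENSITIVE] for r in g}) == 1]


def generalize(rec, age_width=10, postal_keep=3):
    """Coarsen age into a band and keep only the postal-code prefix."""
    low = rec["age"] // age_width * age_width
    masked = rec["postal"][:postal_keep] + "*" * (len(rec["postal"]) - postal_keep)
    return {**rec, "age": f"{low}-{low + age_width - 1}", "postal": masked}


def suppress(records, k):
    """Drop every record whose group is still smaller than k."""
    return [r for g in classes(records).values() if len(g) >= k for r in g]


def sanitize(records, k):
    return suppress([generalize(r) for r in records], k)


if __name__ == "__main__":
    released = sanitize(RECORDS, 3)
    print("raw k:", k_of(RECORDS), "risk:", 1 / k_of(RECORDS))
    print("released k:", k_of(released), "risk:", round(1 / k_of(released), 3))
    print("released l:", l_of(released), "homogeneous:", homogeneous(released))
```

Anyone known to be in the 50-59 / K1A group has their credit band revealed even though k = 3 holds, so a release check should test l (or t-closeness) as well as k.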

The output group has three techniques, which are used to reduce the inference of sensitive information from the output of any algorithm. The first technique is known as association rule hiding, where information used to exploit privacy can be taken from the rules identified in the data set. Next, there is the downgrading classifier effectiveness technique, where data is sanitized to reduce the classifier’s effectiveness to prevent information from being leaked. Finally, there is the query auditing and inference control technique, where data queries can output data that can be used to detect sensitive information. These techniques can be applied to the Data Publishing stage of the data pipeline.

Last but not least is the distributed computing group, made up of seven privacy-protecting techniques. 1-out-of-2 oblivious transfer is where two messages are sent, but only one of the two is received and encrypted. Another technique in this group is homomorphic encryption, a method of performing a calculation on encrypted information (ciphertext) without decrypting it (to plaintext) first. Secure sum receives the sum of inputs without revealing these inputs to others. Secure set union shares and creates a union of sets without compromising the owners of each set. Secure size of intersection figures out the size of the data set’s intersection without revealing the data itself. The scalar product technique computes the scalar product between two vectors without revealing either input vector to the other party. Finally, the private set intersection technique computes the intersection of two sets from each party without revealing anything else. This technique can be used in the Data Acquisition stage as well. All of the techniques from the distributed computing group prevent access to original, raw data while allowing analysis to be performed. All of these techniques can be applied to the Data Analysis stage and Data Publishing stage of the data pipeline. Homomorphic encryption can also be used in the Data Organization stage of the data pipeline.
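Secure sum, as described above, can be built from additive secret sharing. This added example (not the article's own code) assumes honest-but-curious parties that do not all collude against one member and a modulus larger than the true total; the party inputs and function names are constructed for illustration.

```python
import secrets

MODULUS = 2**61 - 1  # assumption: far larger than any realistic true total


def split(value, n_parties):
    """Split a private value into n random shares that sum to it mod MODULUS.

    Any n-1 of the shares are uniformly random and reveal nothing about
    the value on their own.
    """
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def received_by(party, dealt):
    """What one party actually sees: one share from every participant."""
    return [row[party] for row in dealt]


def secure_sum(private_inputs):
    """Return (total, published partial sums, dealt shares).

    Row i of `dealt` holds the shares party i creates; column j is what
    party j receives. Each party publishes only the sum of its column.
    """
    n = len(private_inputs)
    dealt = [split(v, n) for v in private_inputs]
    partials = [sum(received_by(j, dealt)) % MODULUS for j in range(n)]
    total = sum(partials) % MODULUS
    return total, partials, dealt


if __name__ == "__main__":
    # Constructed inputs: three lenders' private counts of defaulted loans.
    inputs = [1200, 845, 3310]
    total, partials, dealt = secure_sum(inputs)
    print("published partial sums:", partials)
    print("joint total:", total)  # equals sum(inputs) without exposing any input
```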

These sixteen techniques help protect data’s privacy throughout the data pipeline. For a visual view of the privacy-exposed pipeline versus the privacy-protected pipeline, download our Data Pipeline infographic.

For more information, or to find out how to privacy-protect your data, contact us today at [email protected].

The Three P’s of Retail Success

As a retailer, you have a limited view of your customer based on what you gather from your POS data and social media because you don’t know how customers are spending their money outside of your store. All this can be solved if you acquire access to a very useful piece of data: financial data.

By combining financial data from millions of customers with your POS data, you can achieve a solid 360-degree view of your customer based on their preferences and habits, and grow your ROI by running more targeted marketing strategies. Additionally, you can also outperform your competition by spotting trends and offering better deals.

Adding Financial Data to the Mix: The Benefits

With access to customers’ financial data, not only will you be able to make more informed business decisions, but think of all the efficiencies you would gain from additional customer knowledge and optimized marketing expenditure.

Personalization

The amount of personalization possible with all this added financial data allows for stronger customer experience and retention. Talk about a mutual benefit!

There are two advantages when it comes to pairing financial data with POS data to boost personalization: increased customer intimacy and increased customer loyalty. With customer intimacy, we are talking about being able to better anticipate customer needs by analyzing buying patterns and understanding shopper behaviour. On the other hand, with customer loyalty, you can customize your offerings and deals according to a target group’s needs, or even an individual’s needs, to ensure the customers feel heard and important.

Thus, personalization is always adding value to both the customer and the company by boosting relevance and customer retention.

Promotion

With financial data in the mix, you are further able to maximize the quality of your marketing spend.

You could optimize your marketing expenditure by combining your sales data (for example, what was purchased at your store, when it was purchased and how much it was purchased for), and financial data (for example, how much was spent at your store versus a competitor’s). Seeing these customer preferences allows you to obtain valuable insights which will help you make smarter products, pricing, and promotional decisions.

Another important aspect of leveraging financial data is knowing what percentage of your customer’s wallet is going towards you as opposed to your competition. But wait, that’s not all! In terms of data insights, unlocking this greater potential will help your organization build more powerful models. Financial data will make it easier to forecast future sales and buying preferences.

Financial data can help to better direct your promotional efforts in terms of efficiency and information such as data insights, saving you both time and money.

Privacy

Using privacy-protected financial data that is secure and compliant with all legislative regulation helps you be worry-free and avoid any problems or PR nightmares.

Luckily, there are companies out there that combine security and privacy to form an optimal solution to comply with regulation, ensure privacy and IP protection as well as secure the best possible ROI for your company. Additionally, their privacy and security methods are intact throughout the data pipeline, from acquisition to publishing, using access controls and cryptography.

Combining financial data with your existing pool of information will help you (1) increase local demand, (2) optimize media spending and promotional activities, (3) focus on customer experience, and (4) complement your privacy compliance. Modelling all these functions will help you forecast future sales and growth as well, thus increasing performance.

Still not convinced? Let’s check out a large corporation that stands by this…

See How Walmart is Implementing this Solution

“Walmart uses big data to make the company’s operations more efficient and improve the lives of customers”.

To power its goal of providing the best shopping experience possible, Walmart is maximizing its use of big data to reveal consumer patterns. Transactional, online, and mobile data all combine to help them serve the customer better so that they keep coming back.

They use data mining to extrapolate trends from their POS data, to see what the customer buys, when they buy it, how they buy it (online or in-store), and what they buy before or after a certain product. POS data allows the organization to see shopping patterns to determine how to display merchandise and stock shelves. Furthermore, they can send out personalized rollback deals and vouchers based on consumer spending habits. Not only do they use this data to create customer value, they also use it for staffing purposes. For example, to help lower the amount of time it takes to fill a prescription, Walmart looks at how many prescriptions are filled each day to determine staff scheduling and inventory.

Additionally, Walmart has created its own credit card, which gives them firsthand knowledge of their customers. Using the expenses from the financial data of customers helps them gain a solidified understanding of consumer habits and preferences. This enables the company to anticipate demand for each product or service.

The outcome of using this big data includes improving store checkout procedures, managing its supply chain, and optimizing product assortment.

To Sum it Up

Without data, companies are not able to grow and digitally enhance their business model according to the needs of their target market. So, being able to leverage data to its full ability is a competitive advantage on its own, especially with data being such a huge commodity today. Unlock greater potential with respect to increasing your customer value by expanding your access to the data available around you.
