Introduction
Privacy is an important aspect of people’s daily lives, as well as a fundamental human right. The fast-paced digital age, which is built largely on data sharing across many dimensions, has brought a relentless threat to privacy through intensive data collection and the capabilities of new technologies, giving rise to the cynical and hypocritical notion that privacy is dead. Yet privacy is not only still alive; people should respect and value it. In the context of the digital age, the concept of data privacy applies primarily to private and important personal information, including personally identifiable and health information. This often ranges from basic phone numbers, dates of birth, and home addresses to derived financial status, medical records, and more. For companies, data privacy extends beyond the archiving of customer and employee information to include internal information about business operations, project development data, etc. (Altshuler, 2019). Data privacy has also become particularly important as a result of the widespread use of data and our growing dependence on a fast-paced online way of life, where more and more complex information is shared online, either publicly or privately.
Privacy effectively sets the boundary line of authorization, and users should have the right to open or close the blinds on the data that determines and influences personal music preferences or shopping choices. It gives us the ability to choose which parts of certain areas are accessible to others and to control the extent and timing of the use of the disclosed parts (P. Romansky & S. Noninska, 2020). The fact is that most people are still not deeply aware of the extent to which their privacy is compromised. Has anyone ever wondered if the ratings of TV shows are directly related to our daily viewing actions and habits? When people turn on the TV, change the channel, and then stay on it for a longer period of time, that behavior is collected as data, and the analysis based on this data is enough to drive the future marketing and strategy deployment of TV platforms (Schreiner, 2019). Privacy has always been secretly leaked; you just don’t know it. Digitization keeps information in a state of perpetual potential discoverability. Whenever a website is clicked or a piece of information is searched for, an invisible digital fingerprint is left behind, sometimes even after the history has been deleted.
The Yahoo Data Breaches
In December 2014, Yahoo’s security team discovered that Russian hackers had compromised at least 500 million Yahoo accounts involving phone numbers, emails, birth dates, passwords, and even security questions and their answers. While passwords are ostensibly well protected, against a state actor with vast resources they are likely to be at risk of being leaked to the public. The same passwords are often reused across multiple websites, so the privacy of other, related accounts can be endangered as a result. The SEC claims that within days of the discovery of the data breach, Yahoo’s senior management and the legal team received a message from Yahoo’s Chief Information Security Officer reporting internally the theft of hundreds of millions of Yahoo users’ personal data (McAndrew, 2018). The situation did not die down after the breach was discovered. Throughout 2015 and early 2016, internal security teams tracked hackers, believed to be the same operators as in the previous breach, targeting Yahoo’s user database, and reports of user information available for sale had even begun to appear on the dark web. In fact, however, Yahoo released very little official information about the data breach. For example, no official announcement was made about the demographic distribution of the 500 million accounts that were compromised, nor was it reported how many of those users had multiple accounts at the same time.
The breach undoubtedly had a massive impact on the company’s finances, in addition to Yahoo’s need to pay for the investigation and emergency remediation of the incident. Verizon agreed to acquire Yahoo’s operations for $4.6 billion in July 2016, but the existence of the breach could affect the partnership in a number of ways (Weiss, 2016). While negotiating specific details of the partnership, Verizon asked Yahoo questions about data breaches as part of its investigation. In response, Yahoo told a huge lie by claiming that it was internally aware of only four incidents involving account breaches and provided the other party with an inaccurate spreadsheet. In fact, in June 2016, Yahoo’s new CIO concluded that there was a high probability that Yahoo’s entire database had been stolen by nation-state hackers and that there was a strong possibility that it would be massively exposed on the dark web in the near future. Unfortunately, Yahoo failed to acknowledge this fact to Verizon and related investors and instead slipped a series of false statements into the stock purchase agreement.
Finally, on September 22, 2016, Yahoo truthfully reported the 2014 data breach to Verizon, attaching a draft of the official statement. The day after the incident was admitted, Yahoo’s stock price began to plummet. Yahoo reduced its purchase price for Verizon by 7.25 percent and claimed to share responsibility for the breach. In late 2016, it was further disclosed that hackers had stolen about 1 billion users’ data as early as August 2013. In early 2017, Yahoo described the 2014 data breach as being perpetrated by “state-sponsored actors,” while the earlier 2013 hack was operated by an “unauthorized third party.” Yahoo’s disclosures also had an impact on internal senior staff movements. Perceived internal failures in management, communication, and investigation ultimately led to the poor handling of the 2014 breach and its aftermath. Marissa, then Yahoo’s chief executive, had her annual bonus canceled for this major failure.
Lessons
- Privacy breaches pose a significant threat to both businesses and individuals, and cybercrime is growing and gradually expanding in scope in the form of services.
- An online account is not an independent entity; its compromise often implicates other accounts associated with the targeted user. User credentials remain a prime target for hackers, giving them constant and unauthorized access to targeted users’ online accounts.
- There is a significant potential for nation-state cyber actors to use criminal hackers as proxies to attack brick-and-mortar businesses and individuals.
This blog will then delve into the vital causes of privacy breaches in the digital age, based on and in the context of Yahoo’s data breach, and conclude with corresponding suggestions on the protection of private data and prevention of information breaches.
Causes of Privacy Breaches
There are numerous categories of privacy breaches in the digital age. Here we look specifically at the human and the technical perspectives to investigate the key information.
Human Error
Human error is a major cause of privacy data breaches and is estimated to account for approximately 65% of data breaches. Technology is designed, managed, and operated by humans, which leaves room for human error. The triggers for such errors can be traced back to multiple sources, including the stresses imposed by the work environment and other situational factors. In terms of insider threats, employees can act as cyber attackers or assist outsiders in stealing data (Thielman, 2016). Such behavior can be retaliation by employees who try to disrupt internal operations, or it can be an attempt to profit by stealing core data from the company and subsequently trading it on the dark web for financial gain. Insiders with access to core data are not limited to current employees but can extend to former employees, co-advisors, and even business firms.
It is difficult to define the nature of the privacy breach in a given situation, and it may be difficult to determine whether the perpetrator acted maliciously or by mistake. Yahoo also considered internal human error to be a factor that led directly to the privacy breaches during the repeated thefts. When an employee sends a core document with sensitive content, he or she can mistakenly use a similarly worded copy field in place of the confidential delivery option or send it to another recipient, and once the confidential document falls into the hands of someone who should not have access to it, the mistake is largely irreversible. Of course, data leaks do not only occur in the electronic transmission of information; data can also be exposed through physical theft. Physical files that contain private information or devices that hold file data can be targeted by attackers, and computers, USB drives, and hard drives, which are commonly used in office operations, are often at great risk of being exposed.
Technology
When an intrusion occurs, there are usually one or more technical root causes. Yahoo’s Chief Information Security Officer believes that the hackers who caused the data breach used forged cookies. Cookies are small pieces of data stored in a user’s browser that let the user return to the site without logging in again. Forged cookies allow intruders to access a user’s account even without a password, so the Yahoo data breach is thought to be linked in part to the theft of the company’s proprietary code. Unencrypted data is in fact the most basic source of data breaches. In U.S. data breach law, if personally identifiable information is stolen but encrypted, there is no breach because the stolen information has no existing value (Alharbi, 2020).
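To show why a cookie can stand in for a password and how a server can reject a forged one, here is an added example that is not from the original post and is not Yahoo’s actual scheme. The cookie layout, `SIGNING_KEY`, `ACTIVE_SESSIONS`, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
ACTIVE_SESSIONS = {}                   # assumption: stand-in for a server-side session store


def sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, ttl: int = 3600, now=None) -> str:
    """Mint a cookie; called only after a successful password login."""
    now = int(time.time()) if now is None else now
    session_id = secrets.token_hex(16)
    ACTIVE_SESSIONS[session_id] = user          # remember what was really issued
    payload = f"{session_id}.{user}.{now + ttl}"
    return f"{payload}.{sign(payload, SIGNING_KEY)}"


def verify_cookie(cookie: str, now=None):
    """Return the user name for a valid cookie, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = cookie.rsplit(".", 1)
        session_id, user, expires = payload.split(".")
        expires = int(expires)
    except ValueError:
        return None                             # malformed cookie
    expected = sign(payload, SIGNING_KEY)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                             # tampered with, or signed with another key
    if now >= expires:
        return None                             # expired
    if ACTIVE_SESSIONS.get(session_id) != user:
        return None                             # never issued by a login, or revoked
    return user


def revoke_all(user: str) -> None:
    """Incident response: invalidate every outstanding cookie for a user."""
    for sid in [s for s, u in ACTIVE_SESSIONS.items() if u == user]:
        del ACTIVE_SESSIONS[sid]
```

The final lookup in `verify_cookie` is what still protects accounts if the signing code or key itself is stolen: a cookie with a valid signature is rejected unless a real login created that session.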
Encryption is a method of mathematically encoding data using encryption algorithms. When sensitive data is not encrypted, an attacker is able to view it as clearly as if it were being read normally.
Phishing attacks are becoming progressively more common and are targeted at large enterprises. Attackers have a habit of using third-party social media sites to target employees within the enterprise. While these social media sites may not disclose any specific information, attackers will also attempt to research the conventions a company may use for employee email addresses in order to obtain corporate account credentials. Once a valid target address is successfully obtained, the attacker will use the credentials to log into the company’s internal email system, potentially stealing intellectual property, trade secrets, or other personal employee data.
Protection and Prevention
The following section presents three necessary precautions for companies to take to prevent privacy data breaches.
Develop a response plan
Few small and medium-sized businesses have a sufficiently well-developed privacy breach response. When private data has been exposed, the risks and compensation a company has to bear are unimaginable. In the past, many large companies like Yahoo! that had records or data stolen by cyber attackers were initially reluctant to release the truth about the theft of their data (Crawford, 2018). By the time they announced that a data breach had occurred, they had downplayed the severity of the incident, and the true details of the breach were not revealed until years later. This is unacceptable to consumers and partners of a company’s brand, and it can greatly impact the company’s image and future growth.
Having a comprehensive privacy breach response plan in place can make both employees and employers aware of the potential damage that could be done. An effective response plan should have a comprehensive assessment mechanism that includes the content of the breach as well as the timing of the breach and identifies those responsible to the extent possible and within their capabilities. By taking decisive and effective action, unnecessary losses can be reduced while gaining the trust of employees and the community.
Screening partners
Collaboration with third parties is inevitable for both large and small businesses, and those parties can range from suppliers, processors, and sellers to business consultants. It is especially important to fully understand the background of these companies or collaborators, and it is necessary for companies to have strict rules regarding third-party access to files. While putting in place a series of investigations and precautions places a higher demand on IT and security departments, the screening is worth it given the large amount and the sensitivity of the private information involved (Crawford, 2018). Taking a strong stance on privacy and security issues and implementing appropriate systems can drive change and progress throughout the enterprise.
Employee Training
Companies can conduct training sessions on professional awareness and effective prevention of privacy security incidents. According to relevant surveys, enterprise employees are a relatively weak link in the data security chain. It is difficult for ordinary employees to stay alert to suspicious emails that may contain viruses and to avoid opening them. However, training should not be limited to mandatory tasks that employees are required to complete; companies should provide effective guidance that makes employees deeply aware of the seriousness of data leakage.
Conclusion
The digital age brings convenience and intelligence, but of the many concerns and risks that accompany it, the most important for us is the protection of privacy. The disregard for and violation of private data are evolving into a huge potential risk, and although there are many existing security procedures and measures created to protect us, they are far from adequate and need to be improved. While the Internet provides us with a social platform, it also creates gray areas for attackers, and the impact of personal information and data being exposed can be irreparable in many cases. Because of the importance of privacy in the digital age, it is all the more necessary for us to be prepared to prevent and respond to breaches. This is not limited to businesses; for individuals, the damage caused by privacy breaches is equally serious.
References:
Alharbi, F. S. (2020). Dealing with Data Breaches Amidst Changes In Technology. International Journal of Computer Science and Security (IJCSS), 14(3).
Altshuler, T. S. (2019, September 27). Privacy in a digital world. TechCrunch. https://techcrunch.com/2019/09/26/privacy-queen-of-human-rights-in-a-digital-world/
Crawford, R. (2018, January 31). 6 ways to Prevent Cybersecurity Breaches. Tech Support of Minnesota. https://www.techsupportofmn.com/6-ways-to-prevent-cybersecurity-breaches
McAndrew, E. (2018). The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far). The National Law Review. https://www.natlawreview.com/article/hacked-hacker-hire-lessons-yahoo-data-breaches-so-far
P. Romansky, R., & S. Noninska, I. (2020). Challenges of the digital age for privacy and personal data protection. Mathematical Biosciences and Engineering, 17(5), 5288–5303. https://doi.org/10.3934/mbe.2020286
Schreiner, P. (2019). Is Privacy at Risk in a Digital World? https://isg-one.com/articles/is-privacy-at-risk-in-a-digital-world
Suzor, N. P. (2019). Lawless: The secret rules that govern our digital lives. Cambridge University Press.
Thielman, S. (2016). Yahoo hack: 1bn accounts compromised by biggest data breach in history. The Guardian, 15(3).
Weiss, N. E. (2016). The Yahoo! Data Breach—Issues for Congress. CRS INSIGHT.