This story is another espionage showcase outlining the risk of identity theft for the individual and the society at large. The Cambridge Analytica incident was from the technical perspective a well-executed campaign, based on the given access to data sources. That doesn´t say anything about the moral instinct behind this scoop.
What is information Warfare?
An Advertising Campaign going mad
While Steps 1 to 3 are standard processes in digital advertising, the intention and execution are against any code of conduct. Step 4 means that bot armies (or sock puppets) strategically pump deceptive content into online information systems on a large scale. The dark art of machine learning enables bots to feed material to people most likely to share faked media. Fake news is going wild, and people vote for strange politicians.
The information Warfare Attack Chain
Who is Cambridge Analytica?
Data analytics firm Cambridge Analytica worked with the winning Brexit campaign, harvested millions of social media profiles, and used them to build a powerful software program to predict and influence choices at the ballot box.
While their political campaigns demonstrate the power of Information Warfare, their methodology itself is a common way to gather data from available sources and use it for their operations
What did Cambridge Analytica do?
Cambridge Analytica used scraping techniques to collect and compute profiles from social networks. Scraping networks stand for automatically collecting data from publicly available social profiles and is an established practice. Cambridge Analytica worked with Donald Trump’s election team and the winning Brexit campaign harvested millions of social media profiles of US voters and used them to build a powerful software program to predict and influence choices at the ballot box.
The Cambridge Analytica Methodology
Cambridge Analytica buys personal data from a range of different sources, like land registries, automotive data, shopping data, bonus cards, club memberships, what magazines you read, what churches you attend. Then Cambridge Analytica aggregates this data with the electoral rolls of the Republican party and online data and calculates a personality profile. Digital footprints suddenly become real people with fears, needs, interests, and residential addresses.
Before Cambridge Analytica & Facebook, there was Yahoo losing more than 3 Bn emails. – that´s more than 3.000.000.000.
The Yahoo scandal
Yahoo! affirmed the largest data breaches in the history of the Internet in 2017
Yahoo! affirmed in October 2017 that all 3 billion of its user accounts were impacted, considered the largest discovered data breach in the history of the Internet. McMillan, Robert; Knutson, Ryan (October 3, 2017). “Yahoo Triples Estimate of Breached Accounts to 3 Billion”. The Wall Street Journal. Retrieved October 3, 2017.
Yahoo Milestones and Settlement in 2019
A Class Action Settlement has been proposed in litigation against Yahoo! Inc. (“Yahoo”) and Aabaco Small Business, LLC (together, called “Defendants” in this notice), relating to data breaches (malicious actors got into system and personal data was taken) occurring in 2013 through 2016, as well as to data security intrusions (malicious actors got into system but no data appears to have been taken) occurring in early 2012 (collectively, the “Data Breaches”)
2012 Data Security Intrusions:
From at least January through April 2012, at least two different malicious actors accessed Yahoo’s internal systems. The available evidence, however, does not reveal that user credentials, email accounts, or the contents of emails were taken out of Yahoo’s systems.
2013 Data Breach: In August 2013, malicious actors were able to gain access to Yahoo’s user database and took records for all existing Yahoo accounts—approximately three billion accounts worldwide. The records taken included the names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders. As a result, the actors may have also gained access to the contents of breached Yahoo accounts and, thus, any private information contained within users’ emails, calendars, and contacts.
2014 Data Breach: In November 2014, malicious actors were able to gain access to Yahoo’s user database and take records of approximately 500 million user accounts worldwide. The records taken included the names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders, and, as a result, the actors may have also gained access to the contents of breached Yahoo accounts, and thus, any private information contained within users’ emails, calendars, and contacts.
The LinkedIn scandal
LinkedIn allows users to create profiles and then establish connections with other users. Users create a profile on the site, they can choose from a variety of different levels of privacy protection. They can choose to keep their profiles entirely private or to make them viewable by their direct connections to a broader network of connections all other LinkedIn members or the entire public When users choose the last option, their profiles are viewable by anyone online regardless of whether that person is a member. LinkedIn also allows public profiles to be accessed via search engines such as Google. This comes with consequences!
LinkedIn can be scraped
Data analyst hiQ gathers the workforce data that forms the foundation of its analytics by automatically collecting it, or “scraping” it, from publicly available LinkedIn profiles.
Data analyst hiQ then sells to its client businesses information about their workforces that hiQ generates through analysis of data on LinkedIn users‟ publicly available profiles. hiQ offers two products: “Keeper,” which tells employers which of their employees are at the greatest risk of being recruited away; and “Skill Mapper,” which provides a summary of the skills possessed by individual workers.LinkedIn argues that it faces significant harm because hiQ‟s data collection threatens the privacy of LinkedIn users because even members who opt to make their profiles publicly viewable retain a significant interest in controlling the use and visibility of their data.
In particular, LinkedIn points to the interest that some users may have in preventing employers or other parties from tracking changes they have made to their profiles. LinkedIn posts that when a user updates his profile, that action may signal to his employer that he is looking for a new position.
LinkedIn states that over 50 million LinkedIn members have used a “Do Not Broadcast” feature that prevents the site from notifying other users when a member makes profile changes. This feature is available even when a profile is set to public.
LinkedIn also points to specific user complaints it has received objecting to the use of data by third parties. In particular, two users complained that information that they had previously featured on their profile but subsequently removed, remained viewable via third parties.
LinkedIn maintains that all of these concerns are potentially undermined by hiQ‟s data collection practices: while the information that hiQ seeks to collect is publicly viewable, the posting of changes to a profile may raise the risk that a current employee may be rated as having a higher risk of flight under Keeper even though the employee chose the Do Not Broadcast setting.
HiQ could also make data from users available even after those users have removed it from their profiles or deleted their profiles altogether. LinkedIn argues that both it and its users, therefore, face substantial harm absent an injunction; if hiQ is able to continue its data collection unabated, LinkedIn members‟ privacy may be compromised, and the company will suffer a corresponding loss of consumer trust and confidence.
Starwood Security Incident
Starwood Guest Reservation Database Security Incident
On September 2018, Marriott received an alert regarding an attempt to access the Starwood guest reservation database and engaged leading security experts to help determine what occurred, who identified that there had been unauthorized access to the Starwood network since 2014. This is called the Starwood Guest Reservation Database Security Incident.
To protect customers Marriott is now offering guests affected by the Starwood Guest Reservation Database Security Incident an information identity monitoring service.
The information monitoring service monitors whether your personal data is available on public websites, chat rooms, blogs, and non-public places on the internet where data can be compromised, such as “dark web” sites, and generates an alert to you if evidence of your personal information is found.
Despite the fact, that “first-year free” may sound like a marketing teaser for a subscription service, I think one should take the opportunity and find out if there´s a reason for you to worry.
IdentityWorks℠ Global Internet Surveillance is available to residents of Australia, Brazil, Germany, Hong Kong, India, Ireland, Italy, Mexico, New Zealand, Poland, Singapore, Spain, and the Netherlands.
IdentityWorks℠ is a serious player in the identity monitoring space and provides a full-stack technology and easy to follow advice on how to protect yourself.
Protecting your identity online should be a top priority in case you become a victim of a data breach identity theft.
A plethora of secrets, unprotected
- / 81% believe that everyone has a secret they don’t want to reveal to others
- / 75% think that in today’s connected world, keeping secrets private is more important than ever
- / Despite numerous high-profile data breaches of world-renowned companies, less than a third (31%) of respondents have strengthened their passwords
- / Only 37% have up-to-date security protection on all their devices
How to fight against Information Warfare
The good news is that there are blueprints for fighting against fraudulent traffic through a combination of technology, policy, and operations teams. It takes time and effort to identify and fight ad fraud – but needs to be done to protect advertisers and publishers and increase transparency throughout the advertising industry.
CEOs must be held accountable - without any excuse.
“Uhps, I did it again” maybe works in Lyrics” but doesn´t work if you are responsible for jobs and budgets. CEOs must be held accountable – without any excuse.
Users must take action too
With big data breaches, it might feel like there’s nothing you can do. But there are easy strategies to make yourself less vulnerable. Do not share your personal information with strangers over the phone, email or even text messages. These types of requests could very well be scams.
A breached company should send you a data breach notification. However, if unusual notices via email or in the mail arrive under a different name, that can be a sign that you are a victim of identity theft.
Lock your credit to prevent illegal activity or if you see any odd charges being made on your existing accounts.
Unique account, unique password: Creating strong and unique passwords for every account is the best first step to protecting yourself against a breach. Use a password generator to create passwords for you. Unique passwords ensure that a breach at one website doesn’t result in a stolen account at another.
Protect your email: If a hacker has access to your email account, they can use password resets at most sites to get into other accounts. Consider creating an alternate email address for online signups. And be sure to turn on multi-factor authentication for your email account. That way someone will need to get your email credentials and have access to your phone in order to truly get into your email account.
Give fake answers to security questions: You know those silly security questions companies ask you so you can “prove” who you are? Don’t give real answers. Use the password generator to create random answers that you can then store in LastPass or similar tools.