What do Apple, eBay, Snapchat, Target and LinkedIn have in common?
All of you with accounts at any of the aforementioned companies should know the answer to the question posed, as you will have likely been asked to change your password in the recent past or at least read about it in the news. Yes, with varying degrees of exposure (in some cases quite literally) their users have all suffered some form of data breach in recent history. In a single attack on the US retailing giant Target, the credit and debit card details of an estimated 40 million people were stolen and made available on the black market to cyber-criminals able to exploit stolen data for financial gain.
You cannot see these stories happening without wondering “what information am I leaving online that people may access?”
The truth is we all leave a huge amount of personal data online. We “trust” a corporate giant like Facebook with personal information that is extremely sensitive: every private message we've written, every photo we've liked and every video we've watched. In fact, we go further. We tell them our relationship history, our thoughts, feelings, aspirations and worries, and of course every disparaging message we may have written about our boss. All of this information is logged, stored and made available to others for a price.
And as we can see from the above list, just because a company is big and conceivably has infinite resources available, it certainly doesn't mean your data is safe with it.
Of course, we haven't even mentioned yet the risks attached to accounts that you no longer access (hands up anyone who doesn't even know whether they still have a MySpace or Bebo account, and wouldn't know how to log in to it if they did).
But our personal digital footprint can also be found at a much more user-centric level. There are the cookies we download, the internet cache that we create with each website visited and the cloud backup of every transaction on a mobile device. It has become a bit of a voyeuristic cliché in forensic circles to buy a used hard drive at random and shock seminar attendees with the depth of information that can be gleaned about the user from their discarded hardware. What we should be doing now is pointing out what is available everywhere else, which, although less visible, is still accessible.
However, there are times when the digital breadcrumbs that a user leaves are more than useful. Take the example of an employer suspecting an employee of intellectual property theft when joining a competitor. The evidence of malfeasance often resides in the information a user didn't create (such as a copy of a target account list), but has left behind. Real-life examples include a whole deleted OST (the locally stored version of an Outlook mailbox) recovered from System Volume Information, a deleted Word document recovered from the shadow copy created by the Windows file restoration service, and a recovered Google search term of “how to uninstall Dropbox” a matter of seconds after an employee had used the service to transfer 30,000 company documents outside the company firewall.
So what can we as individuals do to protect ourselves better online and what can companies do to ensure that the helpful breadcrumbs are available to be found?
The number one tip is to use a strong password and do not share it with anyone. Remembering how much personal information is available, any password which can be connected back to you is weak and liable to be cracked. A memorable phrase, a combination of unconnected words or a completely random combination of numbers, letters and punctuation over eight characters long is recommended.
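To make the advice above concrete, here is an added example (not part of the original article, and not a Kroll Ontrack tool) that scores a password the way the paragraph reasons about it: it rejects anything containing facts an attacker could connect back to you, insists on more than eight characters, and compares the guessing effort of the three recommended forms (a phrase, unconnected words, or random characters). The personal facts and the word list are constructed sample data, and the entropy thresholds are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample of facts someone could find in a person's online footprint
# (name, birth year, employer, pet). Real use would build this per user.
PERSONAL_TOKENS = ["luke", "aaron", "1985", "kroll", "rover"]

MIN_LENGTH = 9          # "over eight characters long"
STRONG_BITS = 60.0      # assumed thresholds for the verdict, not from the article
WEAK_BITS = 40.0

# Constructed miniature word list; a real diceware list has 7776 words.
WORDS = ["anchor", "bridge", "copper", "desert", "eagle", "forest",
         "garden", "harbour", "island", "jungle", "kettle", "lantern"]


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover to brute-force pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Entropy in bits if every character were chosen at random from its alphabet."""
    cs = charset_size(pw)
    return len(pw) * math.log2(cs) if cs else 0.0


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of n_words picked uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def personal_matches(pw: str, tokens=PERSONAL_TOKENS) -> list:
    """Tokens (4+ chars) from the person's footprint that appear inside pw."""
    lower = pw.lower()
    return [t for t in tokens if len(t) >= 4 and t.lower() in lower]


def assess(pw: str, tokens=PERSONAL_TOKENS) -> dict:
    """Verdict on a candidate password: weak, fair or strong, with the reasons."""
    matches = personal_matches(pw, tokens)
    bits = brute_force_bits(pw)
    reasons = []
    if matches:
        reasons.append("contains personal information: " + ", ".join(matches))
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if bits < WEAK_BITS:
        reasons.append("too little entropy (%.1f bits)" % bits)
    if reasons:
        verdict = "weak"
    elif bits >= STRONG_BITS:
        verdict = "strong"
    else:
        verdict = "fair"
    return {"verdict": verdict, "bits": round(bits, 1),
            "personal_matches": matches, "reasons": reasons}


def make_passphrase(n_words: int = 4, wordlist=WORDS) -> str:
    """Unconnected words chosen with a cryptographic RNG, joined by spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def make_random_password(length: int = 12) -> str:
    """Random letters, digits and punctuation chosen with a cryptographic RNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["Luke1985!", "password", "correct horse battery staple",
                      make_passphrase(), make_random_password()]:
        print(repr(candidate), assess(candidate))
```

Note that a name plus a birth year such as "Luke1985!" scores nearly 59 bits by the brute-force formula yet is still reported weak, which is the article's point: the formula assumes random choice, and anything connected to you is not random to someone who has read your profile.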
Don't just blindly tick the “I accept the Terms and Conditions” box or hit the “accept” button on a pop-up. Question what you are accepting and always ask how much information you really need to enter into any site.
Get yourself good Mobile Device Management (MDM) software. Data is never more at risk than when it is outside your network. Without the right security procedures in place, the potentially invaluable logs and records of user activity on company networks are lost; make sure they are being kept.
Ensure that the hard drives of departing employees, particularly those with access to sensitive data, are removed and stored or forensically imaged. It's very hard to revisit a hard drive six months after the event when it has been handed directly to their replacement.
In the digital world everything you do leaves behind shards of information and evidence that can be collected, integrated and either exploited or used to tell an accurate story about you and your behaviour. It's not easy to recall or erase what you have done, even though the right to be forgotten is now recognised in Europe under data privacy laws. It's best to control what you do at the outset – you wouldn't be reckless with your passport or birth certificate, so use the same level of vigilance when you post sensitive data online.
Contributed by Luke Aaron, Legal consultant, Kroll Ontrack.