Hacking and the end of privacy: What you should do to protect your data

Let’s face it: the only place we can still keep a secret is an actual physical closet, as hacking continues to expose and shame us, giving away our skeletons along with our credit card details.

Last week, in the wake of the Ashley Madison scandal, I found out my husband’s email had been compromised: not on Ashley Madison (phew!) but via an Adobe hack that hit 152 million people globally. He, along with two of our board directors, had all been Adobed. Did they know? No.

It was one of the biggest hacks ever, if not the biggest: in 2013, 152 million Adobe accounts were compromised, including email addresses, encrypted passwords, internal IDs, usernames and so on. You would think Adobe of all companies would have strong password cryptography. Not so. The passwords were encrypted rather than hashed, using 3DES in ECB mode under a single key, so every user with the same password had the same stored value, and the password hints were stored and exposed in plain text. One user’s readable hint therefore gave away the password of everyone who shared it.
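To make that point concrete, here is an added example in Python (not code from this article, and not Adobe’s implementation). Adobe’s real scheme was 3DES in ECB mode under one key; the example uses an unsalted SHA-256 as a stand-in because it shares the defect that matters, namely that equal passwords produce equal stored values, and contrasts it with per-user salted PBKDF2. The accounts, passwords and hints are constructed sample data and the PBKDF2 round count is an assumed value.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample accounts (not from the Adobe dump): three users share a
# password, and two of them wrote the kind of plaintext hint Adobe stored.
USERS = [
    ("alice@example.com", "Summer2013", "season + year"),
    ("bob@example.com", "Summer2013", ""),
    ("carol@example.com", "Summer2013", "my usual"),
    ("dave@example.com", "Tr0ub4dor&3", "xkcd"),
    ("erin@example.com", "correct horse battery", ""),
]

PBKDF2_ROUNDS = 200_000  # assumption: tune upward for real deployments


def store_deterministic(password: str) -> str:
    """Model of Adobe-style storage: one fixed transform with no per-user salt.
    Adobe used 3DES in ECB mode under a single key; an unsalted hash stands in
    for it here because it shares the defect that matters: equal passwords
    always produce equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt=None) -> str:
    """Hardened form: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'salt:digest' so the salt is available at verification time."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(digest.hex(), digest_hex)


def clusters(store_fn):
    """What an attacker holding the dump does: bucket users whose stored value
    is identical and pool every hint in the bucket. One readable hint then
    gives away the password for the whole bucket, hint or no hint."""
    groups = defaultdict(list)
    for email, password, hint in USERS:
        groups[store_fn(password)].append((email, hint))
    return [members for members in groups.values() if len(members) > 1]


def largest_cluster(store_fn) -> int:
    return max((len(c) for c in clusters(store_fn)), default=0)


if __name__ == "__main__":
    for members in clusters(store_deterministic):
        emails = [e for e, _ in members]
        hints = [h for _, h in members if h]
        print(f"{len(emails)} users share one stored value; leaked hints: {hints}")
    print("clusters with per-user salt:", clusters(store_salted))
```

With the deterministic store, the three "Summer2013" users collapse into one bucket and the hints "season + year" and "my usual" expose all three, including bob, who left no hint. With a per-user salt there are no buckets to pool, and the slow KDF makes guessing each account individually expensive.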

Hacking is a sport for hackers: the bigger the target and the juicier the information, the better, and the bigger the government agency, the bigger the thrill. It is frightening that absolutely everything about you can be found out and published to billions of people worldwide.

The problem is that this is not the stuff of spy movies: every one of us can have our TFN, our financial information, our address, indeed every piece of information we type into a computer, published to the world. Twenty million Visa and 13.9 million MasterCard accounts were exposed in June last year, 1.3 million résumés were stolen from Monster.com, and even Sarah Palin, the former Alaska governor, had her contact lists, messages and inbox published to the world.

The Ashley Madison hack is among the most cringeworthy. At least Visa and MasterCard could cancel and replace cards, even all 33.9 million of them; a cancelled card is not a real skeleton, is it?

The Ashley Madison hack is the skeleton in your relationship cupboard. Exposing the registered users shocked and hurt people who were never on the site: partners and families were compromised by the secrets of their loved ones.

I have no idea how we can reverse time and the internet to protect privacy, or stop more hacks and more compromises from happening.

No matter how many dollars the government, the defence force or big business plough into digital security, there is always a better geek. Mark Zuckerberg was right: there is no privacy anymore. The difference is that it’s no longer just your Facebook photos, random status updates or Google beer glasses posts, it’s every single thing about you.

Most SMEs do not know their obligations under Australian data protection laws, let alone have the budget for systems to defend the data they hold on their customers. It’s not that easy to find out, to be honest with you.

The laws are set out by the Office of the Australian Information Commissioner (OAIC), found here.

Following some inquiries, I did get a useful call from the OAIC media team, which gave me some clarity and extra tips for SMEs:

  • Unfortunately there is a note at the end of the plain-English page on the 13 Australian Privacy Principles (APPs) saying they may not all be correct because of the privacy reforms; when you follow that link you get back to where you started. The OAIC told me this can be ignored and apologised, as it is a current glitch on all their pages due to the reform review.
  • Each state has its own information or privacy office, but these only cover the public sector. Still, it would be wise for your business to check what state rules apply to it as well as the federal ones.
  • The OAIC’s focus is government and businesses turning over $3 million or more; smaller businesses are largely exempt. The exemption does not cover everyone below that line, though (health service providers and businesses that trade in personal information are among the exceptions), so check whether it actually applies to you.
  • They offer a guide to protecting your data here
  • They also offer a guide for SMEs here


In terms of systems protection, the key things you need to implement in your business, no matter how big or small, are:

  • Back up, back up, back up!!! And test that the backups actually restore; an untested backup is a hope, not a plan.
  • Have a data recovery plan.
  • Have a disaster plan, although I’m not sure whatever disaster plan Ashley Madison had in place would really have been able to save a situation that has left many unhappy people but many happy lawyers.
  • Educate your employees.
  • Encrypt your data, both where it sits (laptops, backups, portable drives) and when it travels.
  • Install anti-virus software, and keep it and everything else patched.
  • Lock down your network. If you use wireless, use WPA2 with a strong passphrase rather than the older, broken WEP, and change the passphrase when staff or contractors leave.
  • Secure your hardware and keep sensitive data separate; at Bendalls, for example, we have a stand-alone server and dedicated laptops for highly sensitive client information.
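“Back up” only counts once you have proved the backup restores. The following is an added example in Python (not code from this article, and not anything Bendalls or the OAIC publish): it writes a gzipped tar of a directory plus a separate SHA-256 manifest, then restores into a scratch directory and checks every file against the manifest. The sample client folder it builds is constructed data; the file names and the tar format are assumptions for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: Path, archive: Path) -> dict:
    """Write a gzipped tar of src and return a manifest {relative path: sha256}.
    Keep the manifest apart from the archive (ideally off the machine) so a
    tampered or silently corrupted backup cannot vouch for itself."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_test(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare every file to the manifest.
    Returns a list of problems; an empty list means the backup actually restores.
    Members that are not regular files, or that would escape the scratch
    directory (../ or absolute paths), are refused rather than extracted."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        root = dest.resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                target = (dest / member.name).resolve()
                if not member.isfile() or root not in target.parents:
                    problems.append(f"refused: {member.name}")
                    continue
                tar.extract(member, str(dest))
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return problems


def demo(tamper: bool = False) -> list:
    """Build a constructed client folder (sample data, not real records), back it
    up, and run the restore test. With tamper=True the manifest entry for the
    ledger is altered, which is what a corrupted or swapped file looks like."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "clients"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text(
            "date,payee,amount\n2015-08-01,ACME Supplies,120.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        archive = work / "clients.tar.gz"
        manifest = backup(src, archive)
        if tamper:
            manifest["accounts/ledger.csv"] = "0" * 64
        return restore_test(archive, manifest)


if __name__ == "__main__":
    print("clean restore:", demo() or "OK")
    print("tampered manifest:", demo(tamper=True))
```

Run the restore test on a schedule, not just once, and store the manifest somewhere the machine being backed up cannot overwrite; otherwise ransomware or a failing disk can quietly take the backup with it.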


You’ve Been Hacked. Now What?

  • Warning signs:
    • Small, regular sums of money going to an unknown payee. Recently, I know of a number of people and businesses in Australia that have been hit by a San Francisco company called Zoom.
    • Huge amounts of money being paid to countries you don’t do business with. Eastern European countries are notorious.
  • The sooner you identify the theft, the faster you can do something about it and the more likely you are to get your money back.
  • If you have any doubt, change your passwords immediately. Change your passwords anyway monthly, and, more importantly, never reuse one password across sites: breach dumps like Adobe’s are replayed against every other service the victims use.
  • If your computers are stolen, tampered with or lost, call the police; there may be similar instances, and they can investigate.
  • Also keep a watch on this site, the Cyber Crime Commission in Australia, for organised-crime information and updates, and DO report any incidents to them.
  • Want to fight back? Research is really starting to get serious about the hacking problem, and a key thought leader in this is Jacob Torrey; a paper on this is here.
  • Going around the web as a recommended option is Mykonos web security software. It aims to confuse attackers through deception rather than by hacking them back: it plants false information that looks attractive to them but is ultimately useless, and sends them on wild goose chases. Check it and others out, as there are a number of options. (I haven’t used Mykonos, but would give the parent company a call.)
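The two warning signs above are easy to check mechanically against a bank export. The following is an added example in Python (not code from this article) that runs both rules over a constructed CSV statement: a small, similar amount going to an unapproved payee roughly monthly, and any payment over an assumed threshold to a country the business does not trade with. The payee names, countries, approved-payee list and threshold are all assumptions for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed bank export for a small Australian business (sample data, not a
# real statement). Two of the rows are deliberately suspicious.
LEDGER = """date,payee,country,amount
2015-06-02,Telstra,AU,410.00
2015-06-15,Unknown Subscriptions LLC,US,14.95
2015-06-30,ACME Supplies,AU,2300.00
2015-07-15,Unknown Subscriptions LLC,US,14.95
2015-07-31,ACME Supplies,AU,2150.00
2015-08-14,Unknown Subscriptions LLC,US,14.95
2015-08-20,Example Trading OU,EE,48000.00
"""

# Assumed business profile: approved payees and the countries it trades with.
KNOWN_PAYEES = {"Telstra", "ACME Supplies"}
TRADING_COUNTRIES = {"AU", "NZ"}
LARGE_PAYMENT = 10_000.00  # assumption: set this to what is large for you


def parse_ledger(text: str) -> list:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"date": date.fromisoformat(r["date"]), "payee": r["payee"],
                     "country": r["country"], "amount": float(r["amount"])})
    return rows


def recurring_unknown_payees(rows, min_count=3, max_amount=100.0):
    """Rule 1: three or more small payments to a payee not on the approved
    list, spaced roughly a month apart, which is the pattern of a drip-fed
    fraud or a subscription nobody authorised."""
    by_payee = defaultdict(list)
    for r in rows:
        if r["payee"] not in KNOWN_PAYEES and r["amount"] <= max_amount:
            by_payee[r["payee"]].append(r)
    alerts = []
    for payee, hits in by_payee.items():
        if len(hits) < min_count:
            continue
        hits.sort(key=lambda r: r["date"])
        gaps = [(b["date"] - a["date"]).days for a, b in zip(hits, hits[1:])]
        if all(20 <= g <= 40 for g in gaps):
            alerts.append(("recurring", payee, len(hits)))
    return alerts


def large_foreign_payments(rows):
    """Rule 2: any payment at or above the threshold to a country the business
    does not do business with."""
    return [("large_foreign", r["payee"], r["country"], r["amount"])
            for r in rows
            if r["amount"] >= LARGE_PAYMENT and r["country"] not in TRADING_COUNTRIES]


def scan(text: str = LEDGER) -> list:
    rows = parse_ledger(text)
    return recurring_unknown_payees(rows) + large_foreign_payments(rows)


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

Point it at a real CSV export from your bank and run it weekly; the approved-payee list is the part that needs maintaining, since every legitimate new supplier will show up as unknown until it is added.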


Remember, SMEs are seen as soft targets by hackers, so hacks are not just a concern for the big boys.

Lastly, as widely reported by the press last week in the wake of the Ashley Madison scandal, do check yourself on haveibeenpwned. These are the top ten breaches it listed at the time, and they are mainly companies we all use:

  • 152,445,165 Adobe accounts
  • 30,636,380 Ashley Madison accounts
  • 4,821,262 mail.ru Dump accounts
  • 4,789,599 Bitcoin Security Forum Gmail Dump accounts
  • 4,609,615 Snapchat accounts
  • 3,867,997 Adult Friend Finder accounts
  • 3,474,763 Спрашивай.ру accounts
  • 2,983,472 XSplit accounts
  • 1,327,567 YouPorn accounts
  • 1,247,574 Gawker accounts

We won’t beat all the hackers on the internet; we can only learn to live with them and put in place the protections we can. It is going to be a long process, with a wider impact than Ashley Madison’s members: bigger issues and organisations, even governments, are going to be challenged and hurt along the way.

Do what you can to be realistic about protecting your data, your company and yourself, but don’t put blind faith in it either.

Fi Bendall is the managing director of Bendalls Group, a team of highly trained digital specialists, i-media subject matter experts and developers.