It didn’t make the mainstream headlines in Western news, but there were two really serious incidents in the security world last week. First, there was the Turkish government which saw 50 million records (more than half Turkey’s entire population) not only hacked, but made publicly available online. This was personally identifiable, sensitive data too; names, addresses, birth dates and national IDs.
Next was the Filipino government with 55 million voter records disclosed. This time, the data included personal attributes such as passport numbers and expiry dates as well as fingerprint records – biological data! It’s not entirely clear what immediate use the prints would have, but it’s the kind of data that makes you do a double-take when it turns up floating around the web in large numbers.
There’s a number of things that really got me thinking about these incidents and the first thing is just the sheer breadth of data – over 100 million records in these two incidents alone. But more than that is the source of the data; we’ve almost become conditioned to data breaches as a simple fact of online life, but we usually think of these incidents as coming from online services, not governments (although these incidents are somewhat reminiscent of the OPM breach). Seeing tens of millions of records come out of Adobe or Ashley Madison where we’ve entered the data into a browser ourselves at some time is one thing, but it’s quite another when we’re talking about government-held records.
The other thing that struck me is the lack of cryptographic storage. Whichever way you cut it, this is sensitive data and by all accounts it had no protection at rest meaning that if (when) an incident occurred then that’s it – everything is accessible in the clear. Now granted, encryption key management isn’t a trivial thing to do either but these are governments! Bad security decisions are made at all levels of both the public and private sectors.
Any other time, I’d say to people “think very carefully about who you share your data with” and then go on to suggest not providing data attributes you didn’t absolutely, positively have to (birth date is a great example). But you don’t get that luxury with the government because they have your data whether you like it or not. You can elect to never even touch an internet connected device yet you may well still end up with your details floating around in a data breach. What precautions can you suggest these folks take? I’m at a bit of a loss short of suggesting things that minimise the damage after the data has already been lost.
If nothing else, these incidents are a reminder that data will be breached regardless of who’s looking after it (or not, as the case may be). All the assurances that are given about safeguards and taking security seriously and so on and so forth ultimately amount to very little. In an era where everyone – especially corporations and governments – are siphoning up all the data they can, we’re merely witnessing the inevitable conclusion which is that a bunch of it is going to end up floating around the web.