Scraping data from LinkedIn and an oil company’s breach
What does or does not constitute a data breach can sometimes be a little ambiguous. Data scraping qualifies as such to some, as it utilizes applications to gather, or ‘scrape’, publicly available data from websites. Is this a legitimate activity, or does it allow for more data than is publicly accessible to be taken?
No example better illustrates this controversy than the recent news of an individual scraping data from LinkedIn, for a total of around 700 million accounts. The motive? Seemingly for fun and profit. According to BBC News, one “Tom Liner” wrote on a hacking forum, “Hi, I have 700 million 2021 LinkedIn records,” and indicated he was fielding offers for his database.
Even if this is not technically an instance of data breach (and security expert Troy Hunt is among those who don’t believe it is), the ease with which the data is accumulated is concerning. The value of data these days is such that even if a firm isn’t illicitly “breached,” they should treat any compromise of user data just as seriously. After all, it was never meant to be accumulated as such, let alone sold to cyber criminals. Compromised data doesn’t differ depending on the method of acquisition, nor does the potential risk to users. This incident wasn’t even Liner’s first one: he also claims responsibility for a data scrape of 533 million Facebook profiles in almost the same manner.
What is unequivocally a breach is what we now hear from the oil company Saudi Aramco, that 1 TB of data has been stolen and offered for sale on the dark web, for an asking price of $5 million ($50 for sole ownership upon purchase). The hacking group, known as ZeroX, claims to have used a zero-day vulnerability to access the company’s network, and thereby steal data and blueprints that spans a time period of 1993-2020. Saudi Aramco states that third-party contractors were the weak point, but that, regardless, their own operations have not been disrupted. In total, the personal information of over 14,000 employees, various system project details, maps, reports and much more were included in the stolen bundle.
Whether something qualifies technically as a breach or not, if the result is effectively the same in exposing valuable data, should organizations treat it just as seriously?