UCLA and Ashley Madison: This Year of the Data Breach

And people thought we were witnessing a deluge of superhero movies.

Even next year, with no fewer than six mask-and-cape epics from three different studios, won’t compare to the torrent of data breaches that already makes last year’s label as “Year of the Data Breach” seem like a joke.

Health care is always a particularly vulnerable industry, as the migration to electronic medical records from paper has not seen a commensurate rise in security spending, and many in the industry still aren’t up to scratch when it comes to fundamentals like incident detection and response.  In fact, at this point, according to Gavin Reid, vice president of threat intelligence for Lancope, “we probably have more breached medical databases than ones that haven’t been compromised.”  Well, time to add another institution to the list.

From unstoppable basketball force in the ’60s and ’70s to latest victim, UCLA made the news when it announced last week a breach in which the intruders accessed a network that contained the personal and medical information of about 4.5 million people.  As the university’s health offices and hospitals throughout California don’t see that number in a given year, some are surmising that the data may go back multiple years.  Should’ve played better defense.  UCLA is currently claiming that none of the records have actually been stolen, citing a complete lack of evidence, but let’s just see what happens.

Of course, that wasn’t the only major hacking story in the news.  I don’t want to spill too much digital ink on Ashley Madison, a site I’m pretty sure no one had ever heard of before this (well, except for 30 million people, I guess).  But despite the scandal and salacious nature of the headlines, it’s significant.  By now, the first of the site’s formerly anonymous users have been exposed, with more presumably to come as Impact Team fulfills its promise.  And, while it will be interesting to follow where things go from here, and while it may be tempting to shrug this particular incident off as happening to people who “deserve it,” doing so misses the forest for the trees.

I’m not here to judge, or moralize about marital issues.  I’m not an after-school program, or a sitcom’s Very Special Episode.  I will say, however, that hacks like these, where people (and not just those who may “deserve it”) get hurt in real ways that go beyond credit card or identity issues, might just be the most troubling harbingers of what’s to come as society takes up an ever more substantial residence on the Internet.  Also, just because the affected users in this case might not be the type we find much sympathy for doesn’t mean the hack itself should get a pass.  If I were a hacker, I know I’d be excited and encouraged by the success that other cyber criminals have in these massive endeavors, and would take it as a declaration of open season on any organization, any network out there.

The next “Year of the Data Breach” is already well underway, after all.

It may be too late for Ashley Madison members, but fortunately, small steps are constantly being taken on different security fronts.  Take cars, for example, with Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introducing the Security and Privacy in Your Car (SPY Car) Act in an attempt to create federal standards to secure our vehicles, as well as a rating system to inform drivers how well a vehicle protects their security and privacy beyond those standards.

And really, when this can already happen, hurry it up, I say.

By: Jonathan Weicher