Human Toll of Data Breaches
Social engineering has become such a prominent factor in data breaches that the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) made it the focus of its October 2024 cybersecurity newsletter. The newsletter cites the latest Verizon Data Breach Investigations Report, which found a human element involved in around two-thirds of breaches.
Between phishing, smishing and newer AI-powered methods such as deepfake impersonation of authorized individuals, “these threats have a common theme; they all attempt to convince an individual to do something they would not otherwise do normally, or to provide details such as credentials someplace other than where they should be used.” When a person falls for it, they hand over their credentials to a party they believe is legitimate, but which is in fact the attacker. No exploit is needed: the victim performs the compromise themselves.
What usually goes overlooked in the aftermath of these schemes is the human toll of a data breach. A new message from the UK’s Information Commissioner’s Office (ICO) stresses the “critical importance of data protection in safeguarding people’s lives,” and the very real stress that results when that protection fails. Figures from the agency show that 55% of adults in the country have had their data stolen, and 30% of those report emotional distress during the confusion that follows. Frequently, people are not even notified in a timely manner by the breached firm, but instead learn of the incident from the news.
A quarter of people affected receive no support at all from the breached organization, even though the responsibility ultimately rests with it. In several cases, people’s addresses were disclosed to their abusers as a result of breaches at law firms, housing associations or even police services. In fact, the Police Service of Northern Ireland accidentally exposed its own officers’ personal data last year.
“I want to issue a stark warning to organizations across the country: you must do better,” says Britain’s information commissioner. It remains to be seen whether these warnings will have teeth. Reprimands and mild fines seem too often to be the order of the day, letting negligence slide with a slap on the wrist.
Of course, the pendulum swings the other way once enough people get fed up. GDPR itself was introduced in response to an unprecedented scale of data collection and a steady stream of global cybersecurity incidents. Perhaps we have grown too accustomed to this new normal as a society, but sooner or later harsher repercussions may well become the norm. The ICO may be telling companies to act humanely, but organizations should also practice strict security hygiene to protect their bottom line. We are, after all, only two years removed from Epic Games’ $520 million FTC settlement (a $275 million civil penalty for COPPA violations plus $245 million in consumer refunds). “Be human” is important to consider, but so is “be smart.”