Weekly Video: July 11, 2022
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for private equity firms, deal teams, investment committees, and management teams.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io
This week we’re going to cover three very different stories on the theme of Data, and how data and risk might intersect within your companies.
And we’re going to do it in 5 minutes or less:
ChinaDan’s 1B+ Data Breach
Dutch Intelligence Data Removal
Data (and its Brokers) in a Post-Roe World
ChinaDan’s 1B+ Data Breach
News broke this week of a set of stolen data out of China being offered for sale on a forum.
A couple of things that make this data set unique.
Its size. Over 1 billion people, and over 23 terabytes - making it likely the biggest data breach in human history. You may remember when the Office of Personnel Management got hacked a few years back; that only included a measly 21 million or so users.
The source. Both the fact that it’s claimed to be from a police database and that it was swiped from an ElasticSearch database in the Alibaba cloud. The level of detail is supposedly quite astonishing, including police reports, food delivery app notes, and medical records on top of the normal name, birthday, national ID numbers, etc.
The sale price. At the equivalent of about $200K in bitcoin, that puts the price per person’s record at a measly .0002 cents. Or - 5000 records for a penny.
What can we learn from this?
A couple of things:
A reminder that any time you’ve got sensitive data sitting anywhere, you want to ensure the database is properly configured - including the underlying environment and access controls.
From a monitoring perspective, make sure you’re able to detect activity that’s out of the norm - even for authorized users. Having 23 terabytes of data moving out isn’t a normal activity, even for admins - these sorts of things should definitely trigger alarms.
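As an added illustration of that monitoring point (example code, not from the video or any product it mentions): a small volumetric check that flags any principal, admins included, whose daily egress jumps far above their own prior baseline. The record format, principal names, and byte counts are constructed for the example.

```python
"""Per-principal egress anomaly check (added example, not from the video).

Each principal is compared only against their own history, so an admin
who routinely moves gigabytes is still flagged when they move terabytes.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit records: (day, principal, bytes_out).
# Day 5 for "dba_admin" mimics a bulk copy of ~23 TB out of a database.
SAMPLE_EGRESS = [
    (1, "app_svc", 2_000_000_000), (2, "app_svc", 2_100_000_000),
    (3, "app_svc", 1_900_000_000), (4, "app_svc", 2_050_000_000),
    (5, "app_svc", 2_200_000_000),
    (1, "dba_admin", 50_000_000), (2, "dba_admin", 80_000_000),
    (3, "dba_admin", 60_000_000), (4, "dba_admin", 70_000_000),
    (5, "dba_admin", 23_000_000_000_000),
]


def daily_totals(records):
    """Sum bytes_out per principal per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, principal, nbytes in records:
        totals[principal][day] += nbytes
    return totals


def find_anomalies(records, ratio=10.0, floor_bytes=1_000_000_000):
    """Return {principal: [day, ...]} for days whose egress exceeds both
    `ratio` times that principal's median over all *prior* days and an
    absolute floor (so a quiet account cannot trip on trivial noise).
    The first observed day has no baseline and is never alerted."""
    alerts = defaultdict(list)
    for principal, by_day in daily_totals(records).items():
        history = []
        for day in sorted(by_day):
            total = by_day[day]
            if history:
                baseline = median(history)
                if total >= floor_bytes and total > ratio * baseline:
                    alerts[principal].append(day)
            history.append(total)
    return dict(alerts)


if __name__ == "__main__":
    print(find_anomalies(SAMPLE_EGRESS))  # {'dba_admin': [5]}
```

In practice the baseline window and ratio are tuned per environment, and the same comparison can be run on row counts or API call volume instead of bytes.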
Dutch Intelligence Data Removal
Another story about national police and intelligence services and their data - this time out of the Netherlands.
Dutch secret service agencies, the MIVD and the AIVD, have been told to destroy a database they created to store the personal details of millions of Dutch citizens.
Following a complaint from a European civil and digital rights group, the country's data protection supervisor found that the database had been created through an unlawful process and ordered the Dutch Ministries of Defense and the Interior to delete it.
The ministry noted that access would be terminated immediately and the data destroyed within 3 months.
This story is an interesting contrast in how sensitive citizen data is being handled and regulated in various jurisdictions.
Speaking of jurisdictional data implications, our final story looks at how some data brokers are now struggling in a world where Roe v. Wade has been overturned.
Data (and its Brokers) in a Post-Roe World
A couple of news stories this week about companies that hold or have collected data related to abortions - including fertility tracking phone apps and location data aggregators.
This story highlights an idea that I think we take for granted - that the implications of the data we collect and store are static. In reality, they’re not - the landscape is ever shifting, both from a regulatory perspective and from a threat perspective.
So what can you do? Help your companies understand what I call the “R Value” of their data.
Look at your data along these two axes:
How does our data create Revenue?
How does our data create Risk?
When the R value of data tips to the point where the risk implications exceed the revenue implications, it’s time to re-evaluate.
You can think about simply getting rid of the data - one time or on a regular basis.
Tools like data retention policies - which define data types or categories and how your organization handles them by default, including deletion or expungement.
This is also a great time to get other stakeholders involved like legal, etc.
Data anonymization - are there ways you can get the benefit of the data in aggregate and in analysis without having to keep it in such discrete forms as to be “personally identifiable”?
Encryption and other tools we mentioned before (configuration management, access control).
It’s always a good thought experiment to work through what would happen if the data you’re thinking about were leaked - and work backwards from there.
On a lighter note:
Fundraising for the Week: Congratulations to the more than $7B in new capital raised by investment funds over the last week.
You can find all the links to the stories we covered below, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
LINKS:
https://www.wired.com/story/fertility-data-weaponized/
https://www.theregister.com/2022/07/05/shanghai_police_database_for_sell/