When it comes to protecting personal data, there are three types of people in the world:
- Those who go to great lengths to protect their personal information, using unique passwords and trying to remain unbreached.
- Those who are ignorant of, or indifferent to, the impact of breaches and the personal security risk they entail.
- Those who assume they are breached and everything online is public information.
I fall into the last camp. I assume anything I enter into a computer is public information. This includes my credit card, social security number, address, date of birth, and anything else you would like to know about me. While this viewpoint is pessimistic, given recent trends, I'm beginning to think more and more that it is realistic.
The reason for my pessimism is the nearly continuous reporting of massive breaches. It seems not a week goes by that there isn't a new breach impacting millions of people. Cybersecurity has become front-page news in a way I couldn't have imagined just a few years ago. My pessimistic viewpoint not only ensures that I won't be surprised or disappointed, but it also causes me to behave in particular ways that I find advantageous. I look at every online account as an attack vector, and the information stored in that account as the cost of having that account. I can then weigh the cost of an account against the benefit I receive from that account. Maybe the convenience of faster checkout outweighs the risk of storing my name, address, and credit card information with a merchant. Depending on how much faith I put in the merchant to follow best practices, secure their information, and train their employees to prevent avoidable breaches, combined with my personal risk appetite, it may not be worth creating an account and making that data more readily available to attackers.
Is my pessimism well founded, or am I just a paranoid security researcher? If we look at the number of accounts breached over the last several years, I would argue that what started as paranoia may now be prudent. Based on analysis of data collected by the Privacy Rights Clearinghouse (CC BY-NC-SA 4.0 License), the number of new accounts breached doubles every 15 months. Attackers are continuously improving, and as more and more of our information is stored online across a host of different sites and services, it becomes more and more vulnerable to being breached. The attackers don't need to break into all of your accounts; they just need to find one weakness in one company to get access. And if you share passwords between accounts, that one breach can easily turn into dozens or more.
Further compounding the issue is the length of time breaches go undetected and unreported. Again, leveraging the data from the Privacy Rights Clearinghouse, we looked at the breaches that affected more than a million accounts and tried to trace back when the breach was determined to have begun, and when the breach was eventually made public. This dwell time, or the time when a breach was in effect but unknown to the public (and typically unknown to the company as well), averaged 250 days. Spinning this forward, there are potentially breaches occurring right now that won't be detected for another 8 months.
Adding all of this up - assuming the number of breached accounts doubles every 15 months and that breaches can remain hidden for months - yields an estimate that as many as 1 billion more accounts are already breached yet unknown to the public. Under that model, the accounts disclosed so far reflect intrusions that began about 8 months ago, so the true total is about 2^(8.2/15), or roughly 1.46 times, the public figure: nearly half again as many accounts as have been reported. To put 1 billion in perspective, that is nearly 1 in 3 internet users worldwide. Maybe I'm not so paranoid after all.
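As an added worked example (not part of the original post or its dataset), here are the two steps of the estimate above in Python: the mean dwell time computed from a set of breach records, then the projection of breached-but-undisclosed accounts from a doubling period and that dwell time. The breach records are constructed for illustration and are not real incidents, the known-account total passed to the projection is a hypothetical input (the post does not state one), and the function names are my own. The model is the post's: breached accounts grow exponentially with a fixed doubling period, and disclosures lag the start of an intrusion by the mean dwell time, so the public count at any moment reflects intrusions that began one dwell time ago.

```python
from datetime import date
from statistics import mean

# Constructed sample breach records (NOT real incidents): the date the intrusion
# is believed to have begun and the date it was publicly disclosed.
SAMPLE_BREACHES = [
    {"name": "example-breach-1", "began": date(2015, 1, 10), "disclosed": date(2015, 11, 5)},
    {"name": "example-breach-2", "began": date(2015, 6, 1), "disclosed": date(2016, 1, 15)},
    {"name": "example-breach-3", "began": date(2014, 9, 20), "disclosed": date(2015, 7, 30)},
    {"name": "example-breach-4", "began": date(2016, 2, 14), "disclosed": date(2016, 8, 3)},
]

DAYS_PER_MONTH = 365.25 / 12  # average calendar month


def mean_dwell_days(breaches):
    """Average number of days between the estimated start of a breach and its
    public disclosure (the post's 'dwell time')."""
    return mean((b["disclosed"] - b["began"]).days for b in breaches)


def hidden_fraction(doubling_months, dwell_days):
    """Fraction of the publicly known breached-account total that is, under the
    model, additionally breached but not yet disclosed.

    If the total doubles every `doubling_months` and disclosures lag intrusions
    by `dwell_days`, today's public count is the true count from `dwell_days`
    ago, so the true count is public * 2**(dwell/doubling) and the hidden part
    is public * (2**(dwell/doubling) - 1).
    """
    dwell_months = dwell_days / DAYS_PER_MONTH
    return 2 ** (dwell_months / doubling_months) - 1


def undisclosed_accounts(known_accounts, doubling_months, dwell_days):
    """Estimated accounts already breached but not yet public."""
    return known_accounts * hidden_fraction(doubling_months, dwell_days)


def known_accounts_implied(hidden_accounts, doubling_months, dwell_days):
    """Inverse: the public total that would imply a given hidden count."""
    return hidden_accounts / hidden_fraction(doubling_months, dwell_days)


if __name__ == "__main__":
    dwell = mean_dwell_days(SAMPLE_BREACHES)
    print(f"mean dwell time over sample records: {dwell:.1f} days")
    print(f"hidden fraction at 15-month doubling, 250-day dwell: "
          f"{hidden_fraction(15, 250):.3f}")
    # Hypothetical public total; the post does not state its figure.
    known = 2.0e9
    print(f"undisclosed accounts implied by {known:.2e} known: "
          f"{undisclosed_accounts(known, 15, 250):.3e}")
    print(f"public total that would imply 1e9 hidden accounts: "
          f"{known_accounts_implied(1e9, 15, 250):.3e}")
```

The two parameters the estimate is most sensitive to are the doubling period and the dwell time, and both are averages over a skewed distribution; a few very large, long-undetected breaches move the mean dwell time considerably, which is why running the calculation against your own slice of the Privacy Rights Clearinghouse data rather than the headline figures is worth the effort.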