Despite tougher obligations, “mismanaged” corporate security has left billions of identity records exposed

More than 3 billion identity records were found spread across visible and underground online sources during 2017, according to new research that lends further weight to suspicions that protection of personally identifiable information (PII) is proving tremendously ineffective in the face of thriving demand from online cybercriminals.

The records – which were located by security firm 4iQ during a search by automated crawlers across openly available online web, social-media, underground, black markets and dark-web destinations – were plucked from more than 8.7 billion raw data records and represent a more than 64 percent increase compared with the same exercise in 2016.

Those records were sourced from 2,940 breaches curated from the spoils of 3,525 raw breaches – including 188,916 unsecured FTP servers containing 2.1 billion documents – and 56 percent of these breaches were classified as “accidental”.

Fully 72 percent of the discovered records contained emails and passwords, while 40 percent included PII attributes. Oceania accounted for 1.9 percent of the discovered breaches, and Australia made up 70 percent of the data discovered in that region.

The volume of raw data records discovered by the team increased by 182 percent compared with the previous year, with the firm’s analysis warning that the surge was driven by the growing size and number of breaches – as well as by accidental lapses “that result in data being openly accessible to third parties.”

“Organizations trusted with private information have mismanaged their security”, the authors of the 2018 4iQ Identity Breach Report warned, citing poor practices such as failing to patch known vulnerabilities, entrusting information to third-party vendors, inadvertently publishing files, or simply storing information in unsecured public databases.

“The latter problem has become so widespread that 2017 may become known as the year of accidental exposures,” the authors said. “Anonymously accessible servers provided criminals with unfettered access to billions of files, including health records, corporate documents and even security camera streams. Many of the databases remain unsecured today.”

Coming on the eve of the annual privacy regulator-sponsored Privacy Awareness Week (PAW), the figures paint a bleak picture of the effectiveness of privacy controls whose improvement has been a continual refrain since the Privacy Act was toughened more than five years ago.

The nascent Notifiable Data Breaches scheme has already provided more worrying evidence that Australians’ PII is not being adequately protected, while the European Union’s General Data Protection Regulation (GDPR) has exposed poor data-management practices and is causing a seismic shift in online privacy in the lead-up to its taking effect on May 25.

Concerns over inadequate privacy protections led the Senate to pass an Australian Greens motion for Australia to adopt even stronger online privacy protections, in line with GDPR. Without such controls – which would address Australia’s “insufficient and out-dated privacy laws” with new policies more closely aligned with the GDPR’s consent-based requirements – “young Australians might never be able to exercise their right to privacy”, the motion warned.

Awareness of new opportunities in the market has seen security vendors redoubling their efforts to help businesses implement more effective identity management tools. Ping Identity, for one, this month appointed former Fortinet sales manager Geoffrey Andrews to head its ANZ business – two years after the company opened an Australian data centre to stimulate adoption of cloud-based identity tools.

Such tools will form an increasingly crucial part of meeting growing consumer expectations that their PII will be adequately protected. And with each new study reinforcing the current exposure of that data, acting Australian information commissioner and privacy commissioner Angelene Falk encouraged businesses to take stock of their identity controls during PAW – and to move to improve them.

“Throughout this week, we encourage Australian organisations to review and improve how they handle personal information to ensure they are transparent and accountable, in line with community expectations and legislative requirements,” she wrote. “Building these principles into your internal practices supports greater public and consumer trust, and can ensure you are well positioned to navigate an increasingly data-rich environment.”

Copyright © 2018 IDG Communications, Inc.