Azul made a series of predictions for Java and technology in 2023. One of the predictions is “Black market data will be more accurate than consumer profiles.” Azul Senior Director of Product Management Erik Costlow expands on this dire prediction and explains why mishandled PII, or personally identifiable information, is so dangerous.
It’s only February, and already this year I’ve received notice that my data was included in several breaches. A friend of mine similarly reflected, “This is probably the 20th year in a row one of my merchants has provided me free identity theft insurance and monitoring because of their data breach.” This is only the companies that notice their breaches and bother to tell us – the conviction of a former Uber CISO’s breach cover-up proves that we aren’t always told when our personally identifiable information (PII) is stolen.
Personally identifiable information (PII), data that could reveal the identity of a specific individual, becomes more valuable every year. Marketing firms aggregate data about consumers from many sources because they make big money from it. Unfortunately, criminals are buying and selling that same data on the black market. Examples of lost data include 198 million voter records in 2017, 24 million social security numbers with validating information in 2022, and a regular cadence of about 50 healthcare firms breached every month.
|HOW MARKETING FIRMS USE DATA||HOW CRIMINALS USE DATA|
|1. Aggregate data about consumers||1. Steal data from various sources and combine|
|2. Market to consumers||2. Sell data to other criminals|
|3. Sell data to other companies||3. Open accounts in victims’ names|
While both marketing firms and criminals have financial constraints and can only buy so much, only marketing firms are limited by legal and ethical concerns. Criminals are free to combine any PII data they can get their hands on. For scams and targeted fraud, my unfortunate prediction is that the profile criminals can get of you will soon be more complete and more accurate than what legitimate advertising firms have at their disposal. This is already evident with common knowledge questions where much of the data is available from standard sources, often the same ones used to validate the answers.
- Mother’s maiden name – available from ancestry services
- Early childhood address – available from many residential mailing services
- Childhood best friend – available from social media aggregators for younger adults via social network analysis
- City of birth – in some ancestry services by combining parent/guardian mailing address
Where is data located?
Common marketing firms purchase consumer data from aggregators to build consumer profiles. Firms retain ownership of some parts of these consumer profiles. For example, if a firm owns a forum, it can associate knowledge about the consumer to the profile associated with that forum. When marketing firms purchase aggregate information about the consumer, they need to abide by any licenses during the purchase. This can include things like retention time, where the information needs to be deleted after a certain number of days or for a specific campaign.
For criminals there’s no need to delete the data. After earning $19 million selling stolen social security numbers, the site SSNDOB only “deleted” the PII when the operators were arrested by the FBI and forcibly shut down. The FBI seizure took “about a decade.” The same goes for most operators on the dark web. Unfortunately these stolen data brokers sell to other criminals so the shutdown of one creates an opportunity for someone who bought the data set to become the new seller.
What do criminals do with data
The most common use for stolen data is identity theft. Information about someone is gathered or stolen from aggregators, and the thief creates a fraudulent loan using the documents. Although nothing is stolen from the “owner” of the identity, he is considered responsible for cleaning up any resulting mess. A major problem with the coming parity between a marketer’s consumer profile and the criminal’s consumer profile is that the goals are different: the marketer wants to promote an item or service for the consumer to buy, the criminal can do that or use the profile to convince others that they are the consumer.
Marketing firms that buy data are generally constrained in terms of what they can use. While privacy advocates often lament that phones track a user’s location and can build a profile, this is really the intended result of much modern technology. Whether people agree or not, marketing firms are free to use data like a user’s location to promote businesses that are relevant, criminals can use this information to build a similar profile but can use it for whatever purpose they want. The FBI tracks a common “grandparent scam” where a grandparent is called about a family emergency – typically the injury or kidnapping of a grandchild. These scams can be more convincing when it’s combined with near-time information of the child’s actual location and medical history.
When medical information is stolen, consumers can be targeted for fake medical bills that leverage their medical history. Combining fraudulent bills with accurate medical information makes the charges effectively indistinguishable from “surprise bills” that many patients still receive from third-party medical providers. In spite of federal legislation to rein in these surprise bills, they remain common and many practices bill separately for what a patient considers to be a single service. Transunion reported that half of consumers don’t understand medical bills already and now they are left to determine which bills are legitimate and which are fake.
Consumers can take precautions by limiting risky behavior online, using discretion before opening email attachments, and being judicious with links in text messages. But even the most cautious consumers are vulnerable.
Java can play a role in cybersecurity
For identity management and authentication, the best approaches leverage open standards in languages that are secure, stable, and scalable, like Java. “Real-time” fraud detection, where transactions are declined before any exposure takes place, must be done accurately thousands of times per second.
With Azul Vulnerability Detection, your data is stored in a single tenant, protected environment called an instance, isolated from other customers, in our Intelligence Cloud Service. Your instance is constantly processing new data and comparing with new and existing data to detect vulnerabilities.