What is Data Abuse?
Data Abuse or Data misuse is an inappropriate use of the data. The inappropriate use might directly or indirectly affect the user; the abuse is intended towards financial gains or trashing the image of data holder or third party data storage. Data abuse has seen a steady rise, especially data associated with enterprises despite stringent laws and an increase in cybersecurity solutions.
The most common perpetrators of data abuse are your employees and third-party contractors or to put in cybersecurity term insider threats. The insider threat is not a new concept, but due to some high profile incidents at enterprises, the term has effectively put the ounce on detection and mitigation of insider threat. However, detecting any of the insider threat is challenging for the organization due to personal digital activities which has been rising and exposure & access to enterprise data. The internal user has legitimate access to the data and keeping the tap over the use is difficult.
Organizations are increasingly finding it difficult to discern between a good insider and bad insider depending on the data access. It’s important that organizations trust their employees, for the scalability, data operation and even to maintain the company culture. It’s also imperative for the leaders that the trust is well-placed and involves monitoring access to sensitive data and valuable information. Putting the guardrail system around the data will protect data and also your employees from accidental data leakage. Organizations are heavily investing in cybersecurity solutions, but it only detects the external attacks here is a whitepaper that will help in understanding data abuse. The first step towards the improvement of the system can be that to focus on data to isolate the malicious insider or compromised insider or careless insider.
How data abuse has affected organizations? Here are some examples:
1. Uber “God View”: Uber God View was one of the most high profile cases dating back to 2014 when it was first exposed. Uber had a tool God View which allowed company staff to track both Uber drivers and customers. The tool was unavailable for the drivers but only available for the Uber executive. The tool came into public light when an Uber executive had used God View tool to track a journalist who was late for an interview. A federal inquiry was later launched after a complaint from the Federal Trade Commission accusing Uber of exposing sensitive customer and driver data. Tracking of any customer is obviously against Uber’s privacy policy which states that employees are prohibited from looking into customer history except any “legitimate business purpose”.
2. AT&T data leak customers: The AT&T data breach had exposed more than 280,000 U.S. customers’ data which included their names and social security numbers. The company had to pay $25 million as a civil penalty to settle the claim into consumer privacy violations. The data breach occurred from the internal sources from AT&T call centers situated at Mexico, Colombia, and the Philippines. The employee from these call centers had access to sensitive data information which included customer name and social security number. The information had helped to unlock stolen cell phones which were illegal in America during that time.
3. Data analytics firm misusing the voter data: Cambridge Analytica is an analytics company owned by hedge fund billionaire Robert Mercer and in 2014 was headed by Steve Bannon. The firm had unauthorized used to mine Facebook user data to build a system that could profile the individual US voters. This gave the firm a model which helped them to target voters with personalized political ads. Facebook came to know about the data being harvested at an unprecedented level during 2015 but failed to take any steps. In 2018, Founder of Facebook Mark Zuckerberg had to testify before the Congress on the issue. Cambridge Analytica was also accused of misusing the voter data during the Brexit campaign in the UK. The information commission had accused the company that the data is misused to target voter with highly effective social media campaigns. GDPR rules are implemented around Europe to effectively solve the data regulation and protection issues.
4. Law enforcement agency: State auditors from the state of Minnesota found that between 2013 and 2015 over 88 police officers in the department had misused the access to personal data. The officers have used to access personal data in state driver license database to look up for information on girlfriend, family, and others without authorization or relevance to the official investigation. The data was used for stalking, harassment, or even identity theft.
5. Morgan Stanley Client: Morgan Stanley discovered in 2015 that a financial advisor downloaded account data of about 10 percent of their wealth management data. The data was calculated to be of 350,000 people about 900 of those people later showed anonymous text from Pastebin.
How to Prevent Data Abuse?
1. Categorize and prioritize the data:
The majority of the organization fails to identify the information critical for them and how to protect it? By categorizing the information by value and confidentiality companies can prioritize the data needed to secure first. Employee record and customer information can be one of your top priorities- Social security number, bank account numbers, Email id, credit card numbers, personal information are types of data that need to be protected with regards to their sensitivity this is mostly structured data that needs to be protected. Unstructured data like contracts, customer messages, call recordings; financial contracts should be included in the unstructured data and also need to be protected.
2. How the current information flows? And perform the risk assessment
Understand the data flow both procedurally and practically to see how the confidential information flows in the organization. Understanding the flow of information procedure can be a straightforward task, practically understanding different touch points of the data and where the leakages might happen is important which can be done with in-depth analysis.
You can even do a security analysis of your data with following simple questions:
i. Which employees can access the data? (Creating a set of people using the data.)
ii. Which employees can create, modifies or share this data? – This will help in creating a hierarchy of data access.
iii. Is their gap between the procedures followed and policies laid down? This will help in identifying whether you need any procedural change which can prevent data leakage.
3. Access, usage and information distribution policies
After a deep risk assessment, an organization can quickly craft a distribution policy for various confidential information. The policies can govern who can access the data, use or receive which type of data in what context. Having enforcers in place to prevent data abuse and policy enforcement is important.
Four types of distribution policies
i. User information
ii. Communication data
iii. Patent or intellectual property
iv. Employee records
4. Review
Organizations need to regularly review their systems, policies, and training. A monitoring system can help the organization to implement employee training, expanding deployment, and eliminate vulnerabilities. The monitoring system can be reviewed extensively in an event of a breach to analyze the system failures. External audits can also prove useful in checking vulnerabilities and threats. Repeated and regular system benchmarking in the organizations can protect the confidential information at much-expanded level. To know more about the review process for your data, download our whitepapers.
Conclusion
Protection of data is a continuous process and needs to be improved as threats become intelligent and data grows. Crafting out a policy for access, process, and flow of data will help to have a better growth plan in place, and also increased customer reliability.