At OneLogin, we are always on the lookout for what is happening in the cybersecurity world and are often asked to predict what we see coming down the pike. And quite often we get it right. At the end of last year we asked a few cybersecurity experts, both our own and others that we trust, what they predicted for 2021. Our own Global Data Protection Officer, Niamh Muldoon, stated:
[In 2020, all] conference events moved online, increasing the demand for technology platforms to support large volumes attending conferences. We saw a number of new platforms being developed and offered, capitalizing on business requirements for them. These platforms were designed with reliability and availability in mind. The other security principles, such as confidentiality and integrity, tended to be forgotten. Privacy was not even considered.
Given the nature of these events, the registration details were in the public domain and easy targets for malicious attackers and/or hackers. I am predicting in 2021 we will hear about breach disclosures from these platform providers and privacy-related fines being imposed on companies contracting these marketing platform providers as a result.
And her prediction is coming true. Emails like these are showing up in Marketing folks’ mailboxes:
This email is from an unknown company with a signature that says the sender is a Marketing Coordinator. The offer is for the recipient to purchase the contact information for over seventeen thousand conference attendees. There is no way to know how this contact information was obtained. There is no way to know that these conference attendees have any idea that their information is being sold on the open market.
Everyone needs to be aware!
The developers of these types of virtual event platforms need to make sure that security is as high a priority as reliability and functionality. Online services that have been around for years are only now learning that they need to make security a higher priority. It is time for everyone to realize that security needs should be addressed from the start - security by design. The bad actors out there have fine-tuned their methods and, in many cases, can breach an unprotected system in the blink of an eye. No one should be designing a system that collects any sort of personal information without considering how they will protect that data.
Privacy should be protected by everyone. Data privacy laws are being written and adopted worldwide. These laws, such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), define how personal data can be obtained, used and stored. They hold platforms that don’t sufficiently protect user data liable when that data is breached, and they hold those who purchase such data liable for not obtaining it through an approved process. Users trust that we are keeping their data safe, and whether we are forced to or not, we should honor that trust.
Developers need to design systems such that user data is secured from the moment it is entered, both in transit and at rest. This means controlling access and encrypting data at every point along the way, from the database through the network connections. They need to ensure that data is only accessible by those who need access to it. This also means ensuring that those accessing the systems and the data are only those who are authorized to do so. CIAM (customer identity and access management) solutions like OneLogin can be part of this type of solution.
Now let’s look at other industry and market events. Data scraping breaches are on the increase and are a reminder to all that your data is ‘liquid gold.’ What appears not to be particularly dangerous from a cybersecurity perspective has a huge impact from a privacy breach perspective, as the stolen data can be harvested and mined to understand user behaviors and preferences.
Those who wish to use personal data for legitimate purposes such as research, marketing or sales need to make sure that they are only using data that has been willingly provided via consent, not data that was illegitimately obtained. Emails like the one we have shared here are going to be showing up more and more. The responsibility lies with all of us to not respond to these types of offers. We are all responsible and must respect the privacy of all.