Social media and online commerce are just some of the drivers contributing to companies collecting large amounts of consumer data. Much can be gleaned about an individual's habits, preferences, personal networks, etc. just from reading their social media posts.

Unfortunately, some organizations leverage this data for profit without appropriate consent. Regardless of whether a company sells collected data or data is obtained illegally through a breach, the weaponization of information is a clear and present threat.

Data Acquisition Through Breach

Data breaches are increasingly common. From 2016 to 2018, users experienced more than 1,000 breaches per year for an average of 3 breaches per day!

In 2018, more than 446.52 million records were breached, which equates to each US citizen having their data stolen 1.36 times.

But not every data breach is created equal.

For instance, many involve the loss of email addresses and possibly hashed passwords. Depending on the website (and the strength of your password), this might be a non-event.

The impact of someone finding out that you have an Amazon account is nominal. A leak of just email addresses for a website like (ah-hem) the Ashley Madison breach, on the other hand, could have a serious impact.

At the extreme end of the spectrum are breaches such as the Equifax hack, the OPM leak, and the myriad of data breaches at healthcare providers. These breaches exposed a large amount of sensitive information which could be dangerous in the wrong hands.

In general, it’s best to assume hackers have access to a good quantity of data about you that they will use in their attacks. While this is worrisome, what’s worse is that even groups with “legitimate” access to your data are also using it for undesirable purposes.

Legally Obtained Data

There are many ways for bad actors to legally acquire data. For example, companies that collect data through selling their own products and services have found an additional, and profitable, revenue stream in the selling of this data.

There are also tricky but legal ways to get users to agree to giving access to their data, such as through surveys and online quizzes. Let’s explore one well-known example:

Inside a Data Weaponization Project

Virtually everyone has heard of the Cambridge Analytica scandal. Cambridge Analytica was a voter analysis firm employed by the Trump team for the 2016 elections. The company created a Facebook app that asked users to take a personality survey. Part of this process was for users to voluntarily give Cambridge Analytica access to their Facebook profile…and all the data contained within, as well as that of their friends, for use in “academic research”. Legally collected data included the users’ identities, Facebook friends, and likes.

Based upon this data, Cambridge Analytica was able to build profiles on 50 million Facebook users. This data was used to target political ads to the particular personality of each user in order to maximize their impact.

Facebook claims they were quick to block the misuse of the app and ordered the destruction of the data as soon as they learned of it (December 2015); however, recent information shows they knew of it 3 months earlier (October 2015) and didn't act on it.

Scope of the Threat

Data weaponization is a significant threat to everyone’s privacy and security. Many organizations have collected huge amounts of users’ personal data as part of their daily operations. If used only for the intended purpose, this data can be invaluable in improving and providing the services they offer.

However, several recent events have demonstrated that organizations frequently use collected data for purposes that weren't approved or expected by the consumers. A common example is free social media platforms. They are expected to fund themselves through advertising, but often sell user data to supplement this income.

Targeted advertising can be (and is) used for a variety of purposes. Social engineers with access to the data can use it as the basis for attacks to gain access to networks or other sensitive data.

GDPR and Consumer Privacy Laws

The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018, replacing the Data Protection Directive. GDPR expanded and more specifically defined the requirements that an organization had to meet to be permitted to store, transmit, or process the personal data of EU citizens. It also facilitates citizens’ right to be forgotten. This framework represents the most sweeping change in data privacy regulation in decades.

As we explore in our article, “The Changing State of Consumer Privacy”, GDPR set a strong precedent and unleashed pent-up demand for US regulations protecting consumer data.

At the federal level, privacy protection is industry-dependent. Regulations like HIPAA and PCI DSS protect certain types of personal data under certain circumstances.

In the absence of a comprehensive federal framework, many states have independently decided to follow the lead of the EU and pass consumer privacy laws.

Protecting Yourself

The simple answer to how to protect yourself from data weaponization is to not place any of your sensitive data where it can be collected. This includes any device connected to the internet.

However, this is nearly impossible in the modern world. Even if you keep your personal data offline, others don't.

Legitimate providers like credit monitoring companies (like Equifax) and healthcare providers have been breached, leaking their stored data onto the black market.

The best answer is to minimize the amount of data that's placed on untrusted platforms:

If social media doesn’t need data like your home address (and it doesn’t), then don’t provide it.

Consider using a separate email address from the one used for banking, etc. when signing up for social media sites and other untrusted websites.

Always use unique passwords (and a password manager) for every website.

Unfortunately, most of our personal data is probably already “out there” and it can’t be changed once it’s been breached. Take a moment before clicking or downloading, view what you see with a skeptical eye, and verify any facts before you trust them on the internet.

Getting Started

If your company is just getting started with information security, a cyber-risk posture assessment is a good way to establish a benchmark. This is a comprehensive security-focused analysis of every aspect of your business, from hiring practices to physical setup and network infrastructure.