Back to News & Commentary

The Hazards of Uncontrolled Data Collection

Joe Silver,
Washington Legislative Office,
ACLU
Share This Page
November 14, 2013

Leaks of classified and highly secretive information from U.S. government databases by the likes of Edward Snowden and Chelsea Manning have naturally garnered massive press attention, exposing some deeply problematic U.S. military and national security programs and activities. Meanwhile, however, a lesser-publicized phenomenon has also been occuring with some frequency recently: breaches of corporate databases holding highly sensitive information on millions of Americans.

In just the past few months, the databases of enormous digital service providers like Experian, LexisNexis, and Adobe have been hit with cyber attacks by criminals who have seized sensitive personal data related to millions of Americans and countless others around the globe. Unlike the disclosures of government databases by whistleblowers, these breaches are likely to inflict considerable pain upon untold millions.

Let’s take just a few recent corporate data breaches as case studies:

  • Three weeks ago, Vietnamese criminals posing as a U.S.-based private investigator successfully conned a subsidiary of the massive U.S. credit bureau Experian into selling them social security and driver’s license numbers, bank account information, credit card data, and birthdays of hundreds of thousands if not millions of Americans (which the criminals paid for via a series of wire transfers from Singapore!). According to security expert Brian Krebs of KrebsonSecurity, these criminals then resold this data through underground cybercrime sites like Superget.info, subjecting countless Americans to fraud, identity theft and other crimes.
  • In September, the databases of legal research giant LexisNexis were breached after malicious software was placed on the company’s servers by a cybercrime ring that sold stolen data through the ominously-named service SSNDOB. SSNDOB appears to have had access to LexisNexis’s internal network for over five months before being discovered in late September.
  • A few months ago, Adobe Systems (maker of Photoshop and Acrobat) disclosed that cyber criminals had compromised the accounts and passwords of 38 million active users. The company has since had to recommend that its users change not only their Adobe passwords but all other accounts with similar passwords. In the wake of this revelation, Facebook’s security team has been mining the data leaked from the Adobe breach to warn those who used the same password on Adobe and Facebook to change their login credentials.

While the negative fallout of these data breaches has yet to be fully realized, these incidents show how unregulated data collection and retention practices by large brokerages and corporations have the potential to hurt millions of people across the globe.

Swift action needs to be taken to protect consumer data online. An update to the Fair Credit Reporting Act, the law that regulates the collection, dissemination, and use of consumer information by credit reporting agencies, is overdue. The amended act should, at a minimum:

  • Require regulation of digital data brokers.
  • Enable consumers to discover, update, correct or delete the information that digital service providers are keeping on them.
  • Ensure that steps are taken to de-identify consumer profiles whenever possible.

Companies should limit data retention wherever possible and make sure they comply with state data breach disclosure laws in the event that their databases are breached. Consumers should also take steps to protect their digital identities by not recycling the same password across services, avoiding obvious or short (but surprisingly common) passwords like “123456,” and steering clear of password reminder hints like “same as my bank password.”

Although these relatively straightforward steps probably won’t stop criminals in their tracks, they might make identity theft and other cyber-crimes more difficult and costly, and help mitigate the damage done by the next corporate data breach.

Learn More About the Issues on This Page