Bloomberg Law
Sept. 24, 2015, 4:56 PM UTC

Hackers Know Your Data, Even if You Don’t

Editor’s Note: The author of this post works at Recommind.

By Dean Gonsowski, Global Head of Information Governance, Recommind

In the good ol’ days, cyber crimes and high-profile hacks were mostly limited to the theft of content with obvious resale value, like credit card numbers. Nowadays, these attacks have increased not only in frequency but in variety as well. And, in some instances, hackers appear to be using a “hack first, ask questions later” strategy.

Recently, the Office of Personnel Management (OPM) disclosed that 5.6 million sets of fingerprints had been stolen in a previously announced, widely reported breach: the same incident in which hackers took the Social Security numbers of some 21 million people.

With this new fingerprint loss looming large, the government is still attempting to do damage control. The people in the hacked database included current and former federal employees, as well as applicants for background checks and their relatives. Interestingly, part of the government’s “spin” was to claim that the fingerprint data isn’t a threat, at least not yet:

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. …If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”

The limited current utility of the fingerprint data raises some interesting questions. First, if the data has no market value today, why would the hackers take it? The short answer (at least the most innocuous one) is that they might not have gone after this biometric content intentionally. It might simply have been caught in the net along with everything else (what the fishing industry calls “bycatch”).

Alternatively, the hackers may have grander plans for this data, if not now then in the future. In either case, a sweeping breach of this kind raises questions for many organizations, not just those of the size and stature of the OPM.

This breadth of exposure (seen similarly in the Sony hack), combined with the kind of cyber-extortion seen in the Ashley Madison incident, forces organizations to think about their data in ways they never have had to before. In the past, data was allowed to accumulate until storage costs became an impediment. But for most companies storage was never much of a constraint, either because of migrations to the cloud or because of the commoditization of raw storage hardware. Either way, companies and agencies alike have been able to keep data indefinitely on the off chance it might have value down the road, or, in more tech-centric terms, for its “big data” potential. The security consequence is simple: every record retained is one more record that can be stolen.

The imperative now is to ask: “Why am I gathering this data in the first place?” And, presumably, if the answer to that first question is sufficiently compelling from a business standpoint, then the next question becomes even more critical: “What am I doing to organize, retain and protect this valuable data?”

This risk/value calculation is central to the emerging notion of information governance, which has been defined by the Information Governance Initiative (IGI) as: “The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” For many organizations, a necessary first step is to establish a uniform information governance policy that addresses legal and regulatory requirements while still allowing employees to be productive. Next, many will look at ways to categorize disparate information, since knowing what a record is and where it lives is what makes disposition and retention decisions possible. For most, machine learning is the practical tool for this categorization step, because manual classification at enterprise scale is typically inconsistent and far too slow.

While there is no shortage of enabling technologies to support good information governance, too many organizations are stuck on the preliminary question of “why” the information is being kept in the first place. As the latest OPM disclosure shows, hackers aren’t encumbered by that “why” question. They’ll just steal your information and figure out whether it has value later.
