Gigantic data breach! What to do?
The internet is awash with reports of a massive trove of personal data recently discovered online. The headline figures are impressive: 400 million phone numbers, 622 million email addresses. 1.2 billion records. Four terabytes of data.
(Geeky side note: A terabyte is 1,000,000,000,000 or 1,099,511,627,776 bytes, depending on how you measure it. Each character or letter takes one or two bytes. The technical term for four terabytes is a 'shedload'.)
If you only read one report about this find, I'd suggest this article from Troy Hunt. Troy is the brains behind HaveIBeenPwned, the free service that lets you know if your email account has been discovered in a data breach.
What's in the trove?
The data set contained, amongst other things:
- Names
- Email addresses
- Phone numbers
- Employers
- Job title
- Dates of employment
- Years of work experience
- Biographical information
- Educational history
Much of this information has been scraped from LinkedIn. So it was publicly available prior to exposure of this collection - it just wasn't in one big open vat of information.
Where did it come from?
To answer this, it helps to know a little about the companies involved in collecting this cache of data. People Data Labs (PDL) and OxyData style themselves as data enrichers. They gather together data from a range of sources, fettle it and monetise the results.
We can be reasonably certain that much of the data in the collection came originally from LinkedIn. But on close inspection, it appears that the data originates from multiple different original locations - various companies that have shared personal data with the likes of PDL and OxyData.
Bob Diachenko and Vinny Troia are the researchers who discovered the publicly accessible data. Amongst other security activities, both gentlemen engage in OSINT (open source intelligence) - the investigation of information available in open or public sources. Last month (October 2019), Bob and Vinny discovered an Elasticsearch database server happily serving up this information to anyone who asked.
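"Serving up this information to anyone who asked" usually comes down to two settings in the server's elasticsearch.yml: the node is bound to a reachable network interface, and the security module (which is what makes the HTTP API demand a login) is switched off. The script below is an added illustration written for this post, not code from the researchers or from Elastic, and the two configuration files it checks are constructed samples. It parses the flat `key: value` lines of an elasticsearch.yml and reports the weak combination alongside the corrected one (loopback bind, authentication and TLS on). The version-default note relies on the fact that Elasticsearch only turned security on by default in 8.0.

```python
"""Audit an elasticsearch.yml for the combination that turns a cluster into a
public, read-everything endpoint: a non-loopback bind address together with the
security module (HTTP authentication) disabled or left at a pre-8.0 default."""

# Constructed sample: the 'just make it reachable from anywhere' configuration.
WEAK_CONFIG = """\
cluster.name: people-data        # constructed name
network.host: 0.0.0.0            # every interface
http.port: 9200
xpack.security.enabled: false    # no authentication on the HTTP API
"""

# Constructed sample: loopback only, authentication and TLS switched on.
HARDENED_CONFIG = """\
cluster.name: people-data
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text):
    """Parse the flat 'key: value' lines of an elasticsearch.yml into a dict.

    Comments and blank lines are skipped. Nested YAML is not handled; the
    settings that matter here are conventionally written in dotted form.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_public_bind(host):
    """True when any configured bind address is something other than loopback.

    network.host may be a single value or a YAML flow list such as
    [_local_, _site_]; an unset value means Elasticsearch's loopback default.
    """
    if not host:
        return False
    hosts = [h.strip() for h in host.strip("[]").split(",")]
    return any(h not in LOOPBACK for h in hosts)


def audit(text):
    """Return a list of findings for the given elasticsearch.yml text.

    An empty list means nothing was flagged.
    """
    s = parse_settings(text)
    findings = []
    host = s.get("network.host", "_local_")            # default is loopback
    public = is_public_bind(host)
    security = s.get("xpack.security.enabled", "").lower()
    tls = s.get("xpack.security.http.ssl.enabled", "").lower()

    if public:
        findings.append(f"network.host={host}: listening on a non-loopback interface")
    if security == "false":
        findings.append("xpack.security.enabled=false: HTTP API answers without authentication")
    elif security == "":
        findings.append("xpack.security.enabled not set: before Elasticsearch 8.0 the default "
                        "was off, so the HTTP API may answer without authentication")
    if public and security != "true":
        findings.append("CRITICAL: reachable from the network with security off - "
                        "any client can read every index")
    if security == "true" and tls != "true":
        findings.append("xpack.security.http.ssl.enabled not true: credentials travel in the clear")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real elasticsearch.yml by passing the file's contents to `audit()`; a clean result only says the node is not advertising an unauthenticated API, not that the data stored in it belongs on that server in the first place.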
Am I affected?
Or for a slightly longer answer, enter your email addresses into the HaveIBeenPwned search (this is perfectly safe - you give away your email address every time you send an email, after all). You will almost certainly discover that the answer is 'yes'.
Okay, how am I affected?
That depends. How do you feel about companies processing your data, without your knowledge or consent? And then selling your data to other companies? Does it bother you that there's almost no way to stop this from happening?
These are serious questions. In my case, I'm honestly not that troubled by this news. Maybe I've seen too many breach reports. Maybe I'm numb. Maybe I've given up, in the knowledge that Google already probably knows more about me than I do.
If you'd like to know exactly what data PDL and OxyData have collected, you can contact PDL here and OxyData here. Under the data protection legislation common in many countries, they are obliged to reveal to you the data they are holding about you - and to delete it at your request. But don't expect a rapid response. Since the news broke, so did PDL's website. Their 'contact us' form apparently couldn't keep up with demand.
But what can I do?
You can ask these data aggregators to cut it out. Take steps to reduce your digital footprint. Complain to the ICO (or your local data protection authority if you're not in the UK). Sign up for HaveIBeenPwned's notification service. Or you can accept that this sort of thing is a hazard of having a presence on the internet.
Personally I would suggest a multi-pronged approach. Remove the information that you wouldn't want to share with strangers (even information that's marked 'private' on social network sites). Take an anti-tracking approach to web browsing.
But perhaps most helpfully, consider the viewpoint espoused in Reinhold Niebuhr's famous prayer:
God, grant me the serenity to accept the things I cannot change,
Courage to change the things I can,
And wisdom to know the difference.
Note: my posts on websites and social media are reflective of my views rather than my employer's or any third party's. Nothing in this article should be taken as constituting legal advice.
An excellent article, thanks Rob.
Thanks for sharing, Rob Pomeroy. It's a practical approach that you reference above without any scaremongering for those less knowledgeable. Great Lego picture as well!