People do not realize how valuable their personal data is. Only when data is used by unauthorized persons or organizations do people realize that proper security was worth taking care of. What if, despite the high level of protection, personal data is illegally acquired and used? There are many questions about how this can happen, who is responsible for it, and what the negative consequences of the situation will be.
Personal data theft and loss
According to a survey conducted by Dynamics Markets Limited UK among European countries, including Poland, the identity of 17% of adult Poles (aged 35-44) has been stolen. In addition, 46% of Poles have been unlawfully deprived of funds that were stored in their bank accounts. The average loss due to the theft of personal data in Poland amounts to PLN 35 000! People whose identity has been stolen (27%) have "taken" loans or are in possession of unwanted credit cards. In addition, another 27% of the victims had to make payments for goods or services they would never have a chance to use. Data thieves are unscrupulous and use victims' documents to buy real estate or cars. Approximately 40% of people find out after some time that someone lives at their expense and uses their identity in transactions. What is the cause of such a situation? A great deal of negligence on the part of document owners (e.g. not using shredders, tearing paper sheets in a way that allows their reconstruction, keeping important materials in publicly accessible drawers at home or at work), or negligence in the protection systems of the entities that process data. Victims often become aware of the incident too late (in Poland it takes about a year to find out that the data has been illegally intercepted). Finally, helplessness sets in and numerous material and non-material losses occur.
Degree of trust in data collectors
In a study conducted by Dynamics Markets Limited UK, 98% of the interviewed respondents from Poland were not able to fully trust organizations that transfer personal data. People are not sure that personal information will be stored securely and remain inaccessible to unauthorized persons. This applies in particular to the data protection systems of entities focused on offering services or goods. Banks and financial institutions (44%), health centers (27%) and education centers (13%) enjoy a high level of trust regarding data protection. Perhaps this is due to the functions they perform on the market and the way they communicate with society (they present themselves as professionals and as institutions that improve and organize the lives of members of society). This trust is probably related to the belief that these organizations are investing heavily in technologies that allow for a comprehensive approach to database management.
Theft of personal data is not always the result of improper behavior of the owner.
It is worth asking how public or nonpublic organizations can allow data breaches. First and foremost, these disruptions are caused by the lack of education and awareness in business entities about internal or external procedures. People do not know that, for example, banks cannot update personal information and passwords, or check PIN compliance, by email or telephone. The same applies to state offices or hospitals, which are generally not entitled to obtain personal information in any way other than through direct contact. Currently, appropriate warning messages on this subject are published in brochures, in prominent places in institutions and on their websites.
Another reason for data breaches is the negligence of information management systems and their low (and sometimes zero) security levels. Without security audits and firewall testing, data can be easily intercepted. Large institutions such as banks, hospitals or offices invest in forming professional security departments; they develop strategies to protect their stakeholders and take preventive action. This is because they are the most common targets for criminals and cybercriminals, considering the quality and quantity of personal data they hold. Despite their hard work, they are not always able to fully guarantee that the entrusted information will not be illegally appropriated. The following situations can serve as examples of such incidents:
- the smuggling of several hundred thousand records from the PESEL database carried out by five execution offices from Warsaw and Lodz in 2016;
- the leak of sensitive data of 50,000 Polish hospital patients in 2017;
- the leak of account numbers, balances, PESEL numbers, addresses and phone numbers from four Polish banks (143 customer records of Credit Agricole, 1990 records of Idea Bank customers, 438 customer records of ING Bank Śląski and 964 customer records of mBank) in 2017;
- the infiltration of information on 200 million US citizens by transferring it to the Amazon public server in 2017;
- the mistake made by an employee of the Australian Immigration Department who caused a leak of personal data of 31 politicians, including Barack Obama, Vladimir Putin, Angela Merkel and David Cameron, which then fell into the hands of the organizers of the AFC Asian Cup.
How to avoid unwanted interference in information management systems?
Nowadays, when criminals are constantly looking for gaps and vulnerabilities in business databases, what counts is not only the speed of preventive actions but, above all, the support of a partner who specializes in maintaining a high level of security. Small, medium or large players in the market should take the threats in cyber- and urban spaces seriously, and treat data entrusted by their stakeholders as the top priority.