In our last article in this series about collateral damage of various types of data breaches, we examined the potential damage that could occur if hackers made off with your online activities information. Now, we will explore what could happen to an individual if attackers mounted a geolocation data breach.
Anyone who has ever used a GPS device or a smartphone, or accessed the Internet, has been exposed to the ubiquitous nature of location-tracking capabilities. What you may not know, however, is that many services and organizations maintain massive databases of where their customers have been for at least the last 12 months. Geolocation data is collected – often without customer knowledge – for a variety of uses.
A popular commercial use is “smart marketing,” which seeks to provide specific ads when you’re near a participating store or when the system records that you frequently pass by a particular business. Law enforcement, from local police to Homeland Security and the FBI, has used geolocation data to find and prosecute suspects. It has proven to be a powerful data tool for everything from building detailed personal profiles to locating individuals in real time.
Massive mSpy Hack Results in Geolocation Data Breach
Last May a story broke about a successful hack against mSpy. The company creates software that allows its customers to “spy” on specific people through their mobile technology. The attack – which may have been going on for more than a year – resulted in a massive geolocation data breach along with other personal identifying information. The exposed data included details on more than 400,000 customers and an undisclosed number of “surveillance” targets.
Most of the customers surveyed used the software for legitimate security concerns. For example, about 40% of the customer base were parents seeking to keep a watchful eye on their kids. The software is capable of tracking Android and iPhone locations to a high degree of precision. Legitimate uses notwithstanding, with a geolocation data breach the possible collateral damage can be staggering:
- Prosecution of Criminal Activity: Law enforcement has built and prosecuted cases around geolocation data locating the suspect near the crime scene. If you and your cell phone happen to be near a crime and you are a reasonably close fit to the description, this would be sufficient cause to make you a suspect and possibly lead to your prosecution – whether or not you were the perpetrator.
- In-Person Stalking & Physical Attack: A geolocation data breach allows, or could allow, an attacker to infer where an individual is or is likely to be at a certain time. When the stolen data is made public, those with nefarious or violent intentions can easily find their intended targets.
- Blackmail and Extortion: Geolocation data that puts you near illicit businesses for an extended time period can be used to imply or infer your participation in those businesses. Such data can be used to make you a target of blackmail or extortion attempts, cause an employer to terminate your employment, or make you a target of a shame campaign.
The possibilities for collateral damage resulting from a geolocation data breach are endless. They depend on what can be inferred or implied from a person’s location or travel patterns, the attacker’s purpose in being physically near the individual or in making actual contact, and the attacker’s ability to plan additional attacks based on knowing the individual’s commuting patterns. None of the listed collateral damage possibilities would be prevented or detected through credit and identity monitoring, leaving the end-victim to deal with the damages out of his or her own resources. Is it right that the individuals – who may not have even known that the information about them existed – be responsible for the potential collateral damage from a data breach?
Next up in this series: what are the potential damages when your biometric information is made public.