We’ve been looking at the damage that may result to individuals whose information is stolen when corporate or government databases are breached. Our previous article considered the collateral damage possibilities if your social profile information was compromised. In this article we review the possibilities when a privileged information data breach occurs.
What is Considered Privileged Information?
Privileged information is any communication between parties that is legally protected as confidential, intended to remain between the confidants. While the concept of “privilege” has undoubtedly been abused in the past by unscrupulous individuals, the law protects such communications for the protection of society as a whole. Consider how the legal defense of an innocent person could be compromised, for example, if the prosecutor had access to private client-attorney conversations.
Or think about the professional and personal reputation fallout that can befall a person if certain perfectly legal business dealings were made public so that the media could have an inference heyday just to meet a story deadline. The law protects communication between clients and attorneys, between patients and health care providers, between parishioners and clergy, and between husbands and wives for very good reason. Without protected privacy, the benefit society derives from such relationships would be irrevocably compromised.
In 2019, Gartner listed privileged account management as a top priority for security teams to explore. According to a Gartner article, “This project is intended to make it harder for attackers to access privileged accounts and should allow security teams to monitor behaviors for unusual access. At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators. It is also recommended that CISOs use MFA for third-party access, such as contractors.”
Under Armor Suffered a Data Breach Impacting 150 Million My FitnessPal Accounts
In early 2018, approximately 150 million users of the nutrition and exercise tracking app, MyFitnessPal were victims of a data breach. Due to the breach, share prices dropped 3.8%. Information that was stolen from the app, which is driven by IoT device data, include:
- Email addresses
- Hashed passwords
Information that was stolen could be used to further compromise individuals’ privacy. CNBC reported that an unauthorized party gained access to user data, an example of poor privileged data risk management.
Privileged Information Data Breach May Negate Constitutional Rights
In March of 2015 an anonymous hacker posted approximately 70 million recorded phone calls made by prisoners in 37 states over a 2 ½ year span. Included in the data dump appears to be numerous calls between prisoners and their attorneys – which are supposed to be constitutionally protected privileged data. While the privileged information data breach from Securus Technologies constitutes a major event, this isn’t the first time privileged information has been compromised. In 2010 WikiLeaks posted 250,000 “secret” cables from the US Embassy. In 2013 Edward Snowden stole more than 1.7 million “classified” records. And in 2016 more than 11.5 million confidential documents from law firm Mossack Fonseca were made public. Not to mention, your smart TV collects the discussion you are having at home and sends it to an external server. Here are a few of the possible ramifications that can occur should you experience a privileged information data breach:
Breach of Constitutional Rights
The constitution protects an individual’s right to effective legal counsel and access to fair and unbiased courts. This is the basis of our legal system after the abuses the founding fathers witness under the old English system. When a counselor’s conversation with the accused is compromised and made available to the state prosecutors, not only is the individual’s freedom put at risk, but so too is the very foundation by which those freedoms are supposed to be protected.
Compromised Professional and Personal Reputation
A privileged information data breach may expose conversations you have with your doctor or your latest employee performance review. Can you imagine the damage to your professional reputation if the details of where your manager wants to see improvement were made public? How forthcoming would you be with your doctor if you believed the contents of that conversation would be made public?
Non-Admissible Evidence can be Admitted if from a Third Party
Privileged information is non-admissible in court – legal privacy is intended to prevent the state from crushing the freedom of innocent individuals. However, if that privileged information is collected from a third party or a public domain source, it may be admitted. A privileged information data breach can be used to compile a criminal case against you resulting in successful prosecution.
At the very least, it could also be used for public embarrassment or ransom depending on the type of information. When a privileged information data breach occurs, the collateral damage is difficult to quantify. Not only are the specific individuals whose information was compromised put at risk, but the very basis of our notions for personal freedoms and the value of the individual over the will of the state are put at risk.
There is no possibility that credit monitoring or identity protection mitigates the long-term collateral damage that can be done to individuals; how could such measures possibly restore public confidence in our underlying basic freedoms? Who, then, can take responsibility for the full extent of damages such a breach can cause?
Theatmodeler Now Has a Home on the AWS Marketplace
For a decade, ThreatModeler has taken the lead in automated, cloud threat modeling. In its tireless effort to help organizations to identify, prioritize and mitigate threats, ThreatModeler became an Advanced Technology Partner with AWS. By integrating with AWS cloud services, ThreatModeler enables developers and security teams to better understand threats and vulnerabilities. Visit our AWS web page for more information on our partnership and the official ThreatModeler AWS Marketplace.
Want to see how ThreatModeler can help your organization prevent data breaches?