Modern companies have fallen into dangerous habits. Highly personal data is freely collected from users, with freemium services creating value through viewer data harvesting.
This data can be a lifeline for marketing and sales – and, on the surface, the user has a few controls over who sees what.
However, customers are facing an epidemic of poor data security. This has reached such heights that the Federal Trade Commission has begun to step in. What is data security? And how can customers be given the data protection they deserve?
Data: a Heavy Burden
Data is a conveniently vague term – in this case, it refers to personal information pertaining to your own life. This information is highly lucrative for companies, as it allows for highly tailored advertisements and less wasted ad spend.
On paper, this means you’re served only the most relevant ads, but the reality is that – to tailor these – this data needs to be shuttled across a number of organizations.
Social media giants such as Facebook make most of their revenue thanks to ad spend, adding serious financial incentive to the collection of your personal data.
Out of all data that a business can legally collect about you, Facebook collects not just the basics – such as name, location and contact details – but also income level; calendar information; browser history; and even the metadata of the photos you take.
They also collect this data indiscriminately, including on under-18s. Instagram collects information on your hobbies, weight, and sexual orientation; while TikTok enjoys facial recognition and voice data.
Social media platforms aren’t the only data-thirsty companies; they just happen to be the most voracious.
Recent rulings such as the EU’s General Data Protection Regulation (GDPR) allow users to control who has access to their personal data – on the surface.
In reality, opting out of aggressive device fingerprinting and data collection techniques is a hassle that very few users bother with.
The end result of this data frenzy is companies bursting with highly personal data.
The Price of Irresponsible Data Management
Chegg – a tech education giant – has a history of engaging in ruthless data collection: in connection with its scholarship search service, it collected information about the user’s religious views, heritage, date of birth, sexual orientation, parental income, and disabilities.
This is all incredibly attractive information for one particular group: phishing attackers and credential fraudsters.
This stolen information is bundled into files, to be sold and bandied about on underground marketplaces. From there, a criminal can simply purchase a few dozen profiles.
Each potential victim has not only their contact information exposed, but also highly private info that places them in an incredibly vulnerable position.
Whether through finely targeted scams, or by allowing criminals to open up lines of credit in their name, data-negligent companies harm the very customers they depend on.
Since 2017, Chegg has suffered major data breaches no fewer than four times. Each breach exposed swathes of hopeful students to a barrage of attacks; with scam emails now predominantly targeting young people, the illicit scam market is now worth $5.8 billion.
In a report, the FTC noted the sheer irresponsibility with which Chegg handled their collected data. For instance, Chegg managed their databases with a single access key, shared between all employees and contractors.
This key also gave full admin privileges to anyone who owned it, while the databases themselves were full of plain text personal info. Each breach changed nothing.
Chegg is only one company of many: another of note was the FTC’s recent work against Drizly, a subsidiary of Uber. Drizly offers an online marketplace selling beer, wine, and alcohol for delivery.
The data they collected includes customers’ emails, addresses, mobile numbers, unique device identifiers, geolocation information and data purchased from third parties.
In 2018 and again in 2020, this data was accidentally exposed to criminals, resulting in the leak of over 2.5 million customers’ private info.
How to Avoid an FTC Crackdown
Aggressive corporate data collection has become the norm: it is functionally impossible for customers to protect themselves. It’s taken millions of victims for the FTC to finally start cracking down, but now they’re laser-focused on securing customer rights.
In the Drizly case, they even prosecuted the CEO – a world-first for guaranteeing data responsibility.
Adequate data protection is now more important than ever. Strategic data control needs to focus on two primary fields: access control and data protection.
The first of these focuses on locking unauthorized people out, and authenticating those that want access.
Confirming a user’s identity revolves around multi-factor authentication, and adherence to squeaky-clean password hygiene protocols. Data protection, on the other hand, ensures that even if unauthorized actors get into the database, they cannot view it or cause any damage.
Encryption plays a vital role in this, while anti-theft mechanisms can prevent data being transferred outside of your organization.
All of this rests on the solid foundation of knowing what data you have, and where it is stored.
Automated data detection can identify the sensitive data swirling around your organization, while classification solutions enable the automated tagging and storage of information.
Together, these systems allow you to visualize data throughout even mature organizations. Once visibility is secured, it becomes immensely easier to manage that data, apply appropriate security policies, and protect the personal information of customers.
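A minimal sketch of the discovery-and-classification step described above, as an added example that is not taken from any product or from the original article. The detector patterns, the tier names, the `min_ratio` threshold and the sample rows are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Value-based detectors, checked in order (first match wins, so dates are not read as phones).
VALUE_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "date_of_birth": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "geolocation": re.compile(r"^-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}$"),
    "phone": re.compile(r"^\+?\d[\d\s().-]{8,}\d$"),
}
# Name-based hints for categories that cannot be recognised from the value alone.
NAME_HINTS = {
    "special_category": re.compile(r"religio|orientation|disabilit|heritage", re.I),
    "financial": re.compile(r"income|salary", re.I),
}
# Constructed policy: labels that put a column in the strictest handling tier.
RESTRICTED = {"special_category", "financial", "date_of_birth", "geolocation"}

def classify(records, min_ratio=0.3):
    """Return {column: {"labels": [...], "tier": str}} for a list of dict rows."""
    hits = defaultdict(lambda: defaultdict(int))
    counts = defaultdict(int)
    for row in records:
        for col, val in row.items():
            if val in (None, ""):
                continue  # empty cells carry no evidence either way
            counts[col] += 1
            for label, rx in VALUE_PATTERNS.items():
                if rx.match(str(val).strip()):
                    hits[col][label] += 1
                    break
    inventory = {}
    for col, n in counts.items():
        labels = {lab for lab, k in hits[col].items() if k / n >= min_ratio}
        labels |= {lab for lab, rx in NAME_HINTS.items() if rx.search(col)}
        tier = "restricted" if labels & RESTRICTED else "confidential" if labels else "internal"
        inventory[col] = {"labels": sorted(labels), "tier": tier}
    return inventory

# Constructed sample rows, not real data.
SAMPLE = [
    {"id": "1001", "contact": "ana@example.com", "field_7": "1999-04-12", "parental_income": "40000", "note": "renewal"},
    {"id": "1002", "contact": "li.wei@example.org", "field_7": "2001-11-30", "parental_income": "", "note": "call back"},
    {"id": "1003", "contact": "+1 202 555 0143", "field_7": "2000-02-29", "parental_income": "52000", "note": ""},
]

if __name__ == "__main__":
    for col, info in classify(SAMPLE).items():
        print(f"{col:16} {info['tier']:12} {info['labels']}")
```

The opaquely named `field_7` column is still tagged as a date of birth because detection runs on values, not only on column names, which is what makes an inventory like this usable for deciding where encryption and tighter access control apply.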
Though these measures represent a vital bare minimum – one that must be adhered to – they present almost no solution to the underlying issue of today’s culture of aggressive data collection.
Fundamentally, companies need to recognise the true responsibility that handling highly sensitive data should demand; and tailor their own data collection policies toward the customer’s best interests. Only then can the brutal cycle of data theft and scam practices be stemmed, and trust between companies and their customers begin to recover.