Data leakage, commodification, and sale on hacking forums and the dark web have skyrocketed in 2022 and the early days of 2023 amidst the massive amount of data circulated globally every day, which conflicts with both international privacy principles and the acceleration of data localization policies.
If anything, this is an indication of the proliferation and globalization of data security risks, the growing importance of preventative security procedures and measures to keep data secure, and the increased value of user data as a commodity subject to theft, extortion, and other crimes.
Notable Data Breach Cases
There have been many instances of data leakage since the beginning of 2022, including the following:
1. Social Media: In April 2022, approximately 487 million personal phone numbers of WhatsApp users from 84 different countries were leaked onto the dark web and then put up for sale on a well-known hacking forum. 94 million of these numbers belonged to app users in Arab countries, including 34 million Egyptians. Before that, in April 2021, a hacker website posted the phone numbers and email addresses of half a billion Facebook users along with other personal information. On January 6, 2023, in one of the biggest data breaches in Twitter history, hackers stole the email addresses of over 200 million users, and this information was later sold on Breached for just €2 per account. In November 2022, a security flaw in the API caused Twitter to accidentally disclose the data of 5.4 million users.
2. Cloud Storage Applications: In November 2022, Apple’s iCloud application suffered a data breach in which several videos and photos belonging to a number of users were leaked, which the company blamed on a technical malfunction affecting users of the iPhone 13 Pro and 14 Pro. As a result, some videos on the app went black, rendering them unwatchable during the saving or downloading process, while others had black lines across the screen and a single image from an unknown source fixed to them, possibly belonging to accounts on the app.
3. Government Services: The British Royal Mail’s Click and Drop parcel service experienced a data breach and subsequent glitch in November 2022, exposing users’ personal information. The company temporarily suspended postal services as a preventative measure to contain this, without disclosing the reason for the flaw that affected its services. Similarly, the Indian Railway experienced a cyberattack that compromised the information of about 30 million of its customers, including their emails and phone numbers, amid concerns that user travel records—including passenger name, phone number, location, train number, arrival time, email, and nationality—had been compromised. In Morocco, the Ministry of Higher Education, Scientific Research, and Professional Training database was breached in December 2022, exposing the personal information of tens of thousands of Moroccan students enrolled at the Cadi Ayyad University in Marrakech.
4. Private Enterprises: Uber launched an investigation into a data breach that occurred in September 2022 as a result of a flaw in the Slack account used to communicate with customers, through which the hacker had access to the company’s internal databases and systems. As a result, the service was discontinued by the company after a 5 percent decline in share price. After making it clear that he had hacked the company for amusement, the hacker threatened to leak the company’s source code. The hacker gained control of the company’s web services as well as some of its internal financial data.
5. Banking Services: In October 2022, information about a million and a quarter bank cards was exposed online on BidenCash. The leak included personal information such as email addresses, customer phone numbers, and addresses. Security experts have linked this attack to registration information discovered on purchase pages on a number of hacked e-commerce websites. In February 2022, information about the clients of the Swiss bank Credit Suisse was leaked to the German newspaper Süddeutsche Zeitung, revealing the enormous wealth of some political figures, former and current rulers, and a number of those involved in money laundering and drug trafficking crimes in Egypt, Jordan, Algeria, Oman, and elsewhere. In total, more than 18,000 bank accounts holding more than $100 billion were included in the leaked data, but with no mention of current banking activities.
6. Major International Firms: In October 2022, a breach on a Microsoft server called Azure Blob Storage resulted in the leakage of data belonging to more than 65,000 businesses from 111 countries. The leaked data included customer information such as names, phone numbers, and e-mail addresses as well as some business names and information about their sales. Microsoft has reached out to customers who were affected by the breach, but the company has not revealed any hard data about how many people were affected.
7. Healthcare Companies: In November 2022, hackers demanded a ransom of $10 million to prevent the leakage of the records of Medibank, one of the largest Australian healthcare companies, after gaining access to the information of 9.7 million current and former customers, including Australian Prime Minister Anthony Albanese. This data included sensitive information about drug addicts, patients with sexually transmitted diseases, and abortions, as well as the names, addresses, and dates of birth of hundreds of customers.
Significant Implications
The following are some notable ramifications of the rise in data leaks:
1. Increased Cases of Extortion: Hackers and intruders typically target the data of some of the most powerful and wealthy people, large institutions that worry about their reputation and market value, or entities that can pay a hefty price to keep their data from being published. The likelihood of extortion increases as data becomes more sensitive. This implies that disclosing it could involve committing additional crimes, such as selling it to local media outlets or the black market. However, by paying a ransom to stop the data from being published or traded, the victims allow the intruders or hackers to succeed in their objectives, which may encourage them to continue penetrating the same parties in the future, in the hopes of receiving another ransom payment. Failure to pay, on the other hand, results in the publication of user data and increases the likelihood that those impacted will demand compensation, which could be less or more than the ransom. That said, paying the ransom does not ensure that the data will be retrieved or not published.
2. Global in Scope and Nature: Any country, regardless of its level of development, and any company, regardless of its size, could be vulnerable to a data breach. For instance, in July 2022, a database belonging to the Shanghai police in China, containing information about a billion citizens and more than 23 terabytes of data, was sold on a hacking forum for 10 bitcoins (roughly $200,000). In December 2022, a security issue with the server of the International Table Tennis Federation resulted in the leak of the passport information and vaccination records of hundreds of professional table tennis players from the Netherlands via the Internet.
3. The Increasing Global Importance of Data: Data is vulnerable to piracy and hacking, just like software and video platforms, and as people and businesses depend more on it, it’s becoming a bigger target. The vast global scope of data leakage cases—which involved governmental agencies, major tech firms, international supply chains, etc.—indicates their extreme importance and their transformation into the oil of the twenty-first century. Data has evolved into one of the most crucial pillars of economic development and the foundation of the global economy. It also serves as the basis for digital transformation and the main entry point into the global digital economy.
4. Inadequate Protection Mechanisms: Despite their number, privacy protection laws are ineffective at stopping hackers and intruders, especially given how difficult it is to determine who they are due to sophisticated multiform obfuscation techniques. However, cases where major technology companies pay monetary fines for leaking their users’ data are often cited as evidence of the efficacy of these laws. This is why a hacker contacted Elon Musk, proposing that he purchase the stolen Twitter data in order to avoid paying a hefty fine. In a related context, Meta consented to pay $725 million to resolve a long-running lawsuit accusing it of violating its user data protection policies in 2018 and sharing that data with Cambridge Analytica. Amazon, too, was fined €746 million by the National Data Protection Commission in Luxembourg in 2021 for violating European Union data protection laws.
5. Increasing Significance of Data Localization: The frequency of data leakage cases, particularly those involving social media, highlights the significance of data localization, which refers to the storage and processing of data on domestic servers rather than those located overseas in order to ensure the establishment of a secure environment for information exchange in cyberspace. This, first and foremost, requires locating alternatives to social networking on a national scale. It is noteworthy that China imposed new content restrictions and required foreign technology companies to store user data within the country, despite the fact that its social networking sites accounted for more than half of the list of the most popular social networking sites worldwide.
In short, there is a need for better protection of user data, which has emerged as the greatest asset of social media platforms that offer users free services without making it clear to them that they are paying for it. Users will never be aware of the fate of their data or how many businesses, organizations, governmental bodies, and hackers are vying for it. Ergo, it is crucial to invest in cybersecurity measures and spread knowledge about the value of data protection and localization, especially given the variety of difficulties it faces.