16 million users across the US and Asia experienced a rude awakening last week, when a recent data breach at Internet giant Goozon (Stock: GOOZ) became public knowledge.
Goozon representatives stressed that no passwords or credentials were leaked to the public, but that highly personal data, such as medical history, location data, and dating history, Goozon imported through their recent merger with couplefinder.io, may have been. We spoke to Scott and Lana Smith from Austin, TX. The pair met on couplefinder.io, and moved into a shared apartment half a year ago. They are deeply worried about the implications this data breach has, as the combined data set post-merger might include their entire dating history, as well as a lot of other private and sensitive information. “Part of my worry is that I deliberately tried to keep some parts of my online life separate, and with the couplefinder acquisition by Goozon, who knows what data they consolidated without my knowledge,” said Scott.
Louis and Stephon are in a similar pickle. “Of course, being out and gay is much less of an issue these days than it used to be, but still, the knowledge that this information is now permanently being spread around the internet is worrying.” Stephon sighs. “We had planned some international travel, where we could have always fallen back on claiming that we are just business partners. That option might not be on the table anymore.”
Sadly, data breaches are still a common thing
The danger of data breaches like this one are usually hard for the general public to grasp, especially as the impact often happens immediately. The data often gets compiled with previously leaked data, and the end result is a set of detailed ‘personal files’. The most commonly breached data sets generally contain browsing habits, and information needed to commit identity theft, but can also include pictures, credit scores or credit card information, to detailed biometrics.
Very few people realise that criminals can use this information to impersonate them, answer security questions to verify identity, and since the rise of realtime deepfake videos, even fool live verifications via video chat. On top of that, a lot of that data finds its way back into the legal data market, as unscrupulous call centre operators beef up their call lists by combining them with illegally obtained customer lists, then selling these off. It is very hard for regular people to find out where a robocaller or call centre operator got their number and information from, and whether it was obtained in an ethical way.
Uncovering the crime scene
We spoke to Jennifer Taylor, security expert and data forensics analyst for several Fortune 500 companies. “Of course, we don’t know all the details, as Goozon hasn’t disclosed everything yet,” she explains. “But based on publicly available police reports and anonymous sources, we can compile a good picture on how the data breach was accomplished.”
It turns out this wasn’t a simple case of a hacker finding an unexpected backdoor. Jennifer Taylor walks us through what turns out to be a coordinated heist, probably involving half a dozen parties. It probably all started when USB sticks labelled as Goozoon giveaways were placed on a table at a Meetup that was also attended by Goozon employees. What the employees didn’t know was that these giveaways weren’t actually from their employer, but from an unknown source who had hidden malware on the USB sticks.
This malicious software was then used to steal several sets of credentials. Among those were the login details for one of the contractors working on the Goozon datacenter HVAC system. That is, at least, the most likely explanation for why someone entered the Goozon datacenter storage room using the credentials of a contractor four weeks ago, who was on vacation wandering around Yosemite National Park, at the same time.
Ordinarily, this storage room was only used to store spare parts and encrypted drives containing non-personal data backups. This time however, one of the steel cabinets included one hard drive that contained an unencrypted data dump of 16 million user accounts, including pictures, derived biometric data, message and browsing histories, as well as the recently merged data from couplefinder.io. A lot of that is fairly innocuous on the surface, but a large percentage of users relied on the perceived anonymity of the platform to upload and share very personal pictures, as well as their sexual preferences.
How and why this data ended up on an unencrypted backup disc in a locker accessible to low-security personnel is still unclear. Jennifer Taylor suspects that someone either managed to solicit the backup processes, as gaining access to a secondary system can often be easier than obtaining access to the actual databases. What is clear however, is that this was a targeted and coordinated attack. The resources and preparation involved show that whoever is behind this, sees quite a bit of value in the data. Of course, this could also be a roundabout attack on the Goozon stock, which fell rapidly when the news about the data breach became public.
No Europeans affected
In a surprising side note, despite the magnitude of this data breach, and the global reach of Goozon, nearly no European Goozon customers are affected. This is because polypoly successfully lobbied for the deletion of data with Goozon for its European customers.
Polypoly is the decentralised data infrastructure that has seen widespread adoption in the EU over the past three years. Nearly every European citizen now uses a personal data storage, the polyPod, to retain sovereignty over their personal data. Companies in Europe have been rather quick at adapting this technology platform. The upside for them is that they can skip most of the costs of acquiring, handling, and storing personal data, along with the legal liabilities that usually come with this. Instead, European companies have managed to turn the strictest GDPR compliance regulations into a competitive advantage.
The upsides for polypoly end users are not only the minimised worry over data privacy, but also the monetary incentives: All of them are co-owners of polypoly SCE, the cooperative that controls the infrastructure and on average pays out a yearly 1000% dividend on the symbolic Euro that each co-owner paid upon signing up. This digital dividend is made possible by giving companies who, for example, do market research or advertising, perfectly anonymised and de-centralised access to big data queries on the polypoly data ecosystem.
Online data doesn’t vanish without a trace
Sadly, this won’t be comforting to Louis and Stephon, as they still struggle with the fallout from the Goozon data breach. Their credit card data has been used in 4 cases of cyberfraud already. Scott has had more luck though: He recently moved and changed his bank, so the breached data contained a lot of outdated information. Nonetheless, he is worried about the implications of the biometric information. “We already see criminals placing fake biometric data at crime scenes to throw the police off. If they do that with data from this breach, I could temporarily lose the security clearance I need for my contractor job.” And so they, and 16 million other Americans, will have to live with the fallout of this data breach, probably for quite some time, as one cannot simply change ones life history or biometric data.