Lots librarians (and others) can learn from Soulmates data breach

The story about Guardian Soulmates experiencing a data breach could be used as a classic case-study of what to think about regarding data breaches.

I read the story on the tube this morning in The Metro 9/5/2017 “Hackers send explicit spam as soulmates site breached”, but another publication has the story at: http://www.cbronline.com/news/cybersecurity/data/guardian-soulmates-users-sent-explicit-spam-wake-data-breach/

Almost every line I read of the story in The Metro could be unpacked with lessons we all need to take on board:

  • It was down to human error (a significant proportion of data breaches are down to human error)
  • The error was made by a third party (data breaches are often down to third parties, so its no use just making sure you have your own house in order, you have to do everything you can to make sure that your vendors and third parties do too)
  • The story said that no banking details and other sensitive data was lost. But a dating site will surely tell people your sexuality, and that is sensitive personal data
  • They cited someone telling BBC News that “it’s all information that I was happy to put online at one point but, when it is used outside of context like that, it does feel a lot more creepy”. And that goes back to Helen Nissenbaum’s theory of contextual integrity. Its not just a question of what data you hand over, it’s the context in which it is then  used that makes all the difference.
  • It also reminds me of Viktor Mayer-Schonberger’s view that regulation shouldn’t just focus on consent. He argues the case for use-based regulation.
  • Another thing that struck me about the Metro’s story was that someone who left the service a long time ago spoke out having been affected. How many companies that have your data delete it after a reasonable period. There’s a mentality in an era of massive computer power, and big data, that data is valuable, and even if I can’t think what uses I might put it to later (overlooking the question of permission), I’ll hang on to it just in case. Many American librarians get rid of personally identifiable information as soon as they possibly can, so that it isn’t available to anyone – including hackers etc (so, for example, having a library management system that routinely un-links the user information from the detail of the item borrowed as soon as the book has been returned).
  • That idea of someone leaving a service and their data is still held by that company is a useful reminder that we are all leaving a digital trail, or footprint. And we need to be careful about who we give our data to, and whether we can get it deleted afterwards.
  • Another point worth making is that simply because you are paying a company for something, and that they need your data to deliver the product or service to you, it is no guarantee that your data is safe. Whether free or priced, there are still real dangers.