As the volume of data exchanged globally increases daily, a trend has emerged that runs counter to both the international recognition of privacy principles and the accelerating pace of data localization policies: a surge in data breaches, and in the commodification and sale of data on hacking forums and the dark web, throughout 2022 and the early days of 2023. This highlights the escalating and diverse risks to data security globally and the transformation of user data into a valuable target, with a raft of associated crimes including theft and extortion. Consequently, the importance of precautionary security measures to safeguard data integrity has intensified.
Key Indicators
Throughout last year and in the early days of this year, instances of data breaches have increased, with several prominent examples elaborated as follows:
Social Media: In April 2022, approximately 487 million personal phone numbers of WhatsApp users across 84 countries were leaked and offered for sale on a notorious hacking forum. Among these were 94 million numbers from users in Arab countries, including 34 million Egyptian users. Previously, in April 2021, personal data of half a billion Facebook users, including their phone numbers and email addresses, surfaced on a hacker site. Additionally, on January 6, 2023, hackers stole email addresses of over 200 million Twitter users in one of the largest data breaches in the platform’s history, followed by the sale of that data on a leak forum known as Breached for a low price (2 euros per account). In November 2022, Twitter had already suffered a breach affecting data from 5.4 million users due to a vulnerability in its API.
Cloud Storage Applications: Apple’s iCloud faced a leak in November 2022 when multiple videos and images of numerous users were exposed; the incident was attributed to a technical malfunction affecting iPhone 13 Pro and 14 Pro users. As a result, some videos turned black, rendering them unviewable upon saving or downloading, while others displayed black lines with images coming from unknown sources that might belong to other accounts on the app.
Government Services: The UK’s Royal Mail experienced a data breach in November 2022, leading to a malfunction in its Click & Drop parcel dispatch service, which allowed customers to view information, requests, and details of other users. To contain the issue, the company halted its mailing services without disclosing the reason for the malfunction. Additionally, the Indian Railways endured a cyberattack affecting approximately 30 million customers’ data, including emails and phone numbers, amidst concerns about the potential exposure of user travel records containing names, phone numbers, locations, train numbers, arrival times, emails, and nationalities. In December 2022, Morocco’s Ministry of Higher Education, Scientific Research, and Innovation was hacked, resulting in the leakage of data from tens of thousands of students affiliated with the public “Cadi Ayyad University” in Marrakech.
Private Companies: Uber launched an investigation in September 2022 following a customer data breach resulting from a vulnerability in its Slack account used for communication between customers and the company. This allowed the hacker to gain control over internal company systems and databases. Following this, Uber suspended the service after its shares decreased by 5%. The hacker threatened to leak the company’s source code, claiming the breach was done for amusement, despite resulting in the seizure of the company’s web services and some internal financial data.
Banking Institutions: Around 1.25 million banking card details were leaked on the dark web in October 2022 on a marketplace known as BidenCash. This personal data included customers’ email addresses, phone numbers, and addresses. Cybersecurity experts attributed this to registration data found on purchasing pages of several hacked e-commerce sites. Furthermore, leaked banking data provided to the German newspaper “Süddeutsche Zeitung” regarding clients of Swiss bank “Credit Suisse” in February 2022 revealed the wealth of certain political figures and former/current rulers, as well as individuals involved in money laundering and drug trafficking in Egypt, Jordan, Algeria, Oman, and beyond, encompassing more than 18,000 bank accounts amounting to over 100 billion dollars without any hint of current banking operations.
Major Global Companies: In October 2022, a Microsoft server known as Azure Blob Storage was breached, leading to the exposure of data from over 65,000 companies across 111 countries. This data included client information such as names, phone numbers, and email addresses, as well as names of some companies and sales-related data. The company reached out to affected clients without offering any detailed statistics regarding the breach.
Healthcare Companies: In November 2022, hackers demanded a ransom of 10 million dollars to prevent the leakage of Medibank records, one of Australia’s largest healthcare companies, through which they accessed information from 9.7 million current and former clients, including Australian Prime Minister Anthony Albanese. The leaked data included sensitive details about drug addicts, sexually transmitted disease patients, and women undergoing abortions, which were all published on the dark web, including names, addresses, and birthdates of hundreds of clients.
Major Implications
The growing number of data breaches can be highlighted through several points:
Increase in Extortion Cases: Hackers typically target data from influential and wealthy individuals or large institutions concerned about their reputation/market value, or organizations that are likely to pay substantial amounts to prevent their information from being published. The more sensitive the data, the higher the chances of extortion. This implies that its leakage could lead to other crimes, including selling it on the dark web or to national newspapers/media outlets. Nevertheless, paying a ransom to prevent the release or trading of data indicates that hackers have successfully achieved their goals, which may encourage them to target the same entities again in the future in the belief that they will pay again. Conversely, not paying usually results in the publication of user data and an increased likelihood of claims for compensation that may be less or greater than the ransom sum; however, paying does not guarantee data recovery or non-publication.
Global Character and Spread: Data breaches can affect all countries regardless of their level of advancement, as well as all companies regardless of their size. For instance, in July 2022, a leak of information from one of Shanghai’s police databases exposed the details of a billion citizens, with over 23 terabytes of data sold for 10 bitcoins (approximately 200 thousand dollars) on a hacking forum. Conversely, in December 2022, the Netherlands also saw the leak of passport details and vaccination certificates of hundreds of professional table tennis players online, following a security issue related to the International Table Tennis Federation’s server.
Growing Importance of Data Globally: Similar to various programs and video platforms, data is subject to hacking and breaches, and as reliance on it increases among individuals and businesses, it becomes increasingly targeted. The widespread global nature of data breaches—spanning government services, major tech companies, global supply chains, and more—highlights its critical importance, indicating its transformation into the oil of the 21st century. Data has become the backbone of the global economy and one of the foremost pillars of economic development. Furthermore, it underpins digital transformation and serves as the main gateway to the global digital economy.
Weak Protection Mechanisms: Despite the numerous privacy protection laws in place, they do not deter hackers, especially given the difficulty of identifying them, owing to advanced obfuscation techniques among other factors. Moreover, the effectiveness of these laws usually pertains to cases where major tech companies incur financial penalties due to user data leaks. For this reason, one hacker offered Elon Musk the opportunity to buy leaked Twitter data exclusively to avoid hefty fines. Similarly, Meta agreed to pay 725 million dollars to settle a years-long lawsuit alleging violations of user data in 2018 and its sharing with political consulting firm Cambridge Analytica. This penalty is slightly less than that imposed by the National Data Protection Commission in Luxembourg on Amazon in 2021, amounting to 746 million euros for violating EU data protection laws.
Heightened Importance of Data Localization: The proliferation of data breaches, particularly targeting social media platforms, underscores the necessity of data localization, meaning storing and processing data on national servers instead of those overseas to ensure a secure environment for information exchange in cyberspace. This calls for the establishment of national alternatives for social media, as exemplified by China, which mandates foreign tech companies to store user data domestically and implements new restrictions on content, with its social media sites comprising more than half of the world’s most active social platforms.
In conclusion, the increasing importance of robust protection for user data has become paramount, as this data represents the greatest treasure for social media platforms that offer free services without users realizing that they are the price paid for them. Users cannot ascertain the fate of their data, nor will they be aware of the numerous companies, institutions, and governmental agencies, alongside hackers, that pursue it. Therefore, investing in cybersecurity measures and raising awareness of the importance of data protection and localization is critical, especially in light of the myriad challenges it faces.