This module is a resource for lecturers
Cybercrime that compromises privacy
Cybercrime violates individuals' privacy and the security of their data, particularly hacking, malware, identity theft, financial fraud, medical fraud, and certain offences against persons that involve the revealing of personal information, messages, images, and video and audio recordings without individuals' consent or permission (e.g., cyberstalking, cyberharassment, and cyberbullying discussed in Module 12 on Interpersonal Cybercrime).
Data is considered a commodity online and offline by both legal and illegal actors (Maras, 2016). For this reason, data is a primary target of cybercriminals. Data also plays an integral role in the commission of many cybercrimes, primarily because it is not adequately protected and can be illicitly accessed and obtained. Data breaches have resulted from lost or stolen encrypted flash drives and other storage devices (mainly laptop and smartphones), poor system and data security, unauthorized access to the database or the exceeding of authorized access to a database, and accidental disclosure, release or publication of data. Some notable examples of data breaches include:
- India's national centralized government ID database (Aadhaar), which stores the biometric data (i.e., thumbprints and iris scans) and identity data of 1.2 billion Indians, and is used to verify nationals' identities for financial, government, utilities, and others services, was subjected to a database breach in 2018, resulting in the compromise of identity data, such as access names, twelve-digit identity number, phone numbers, email addresses, and postal codes, but not the biometric data (Safi, 2018; Doshi, 2018).
- The information of approximately 30 million South Africans was leaked online in 2017, including their names, genders, income, employment history, identity numbers, phone numbers, and home addresses, because of a data breach suffered by one of the top real estate companies in the country, Jigsaw Holdings (Fihlani, 2017; Gous, 2017).
- Over three billion Yahoo users' data were compromised in 2013, including names, email addresses, passwords (with encryption that could be easily bypassed) and birth dates (Newman, 2017).
- Deloitte, a global consulting firm was accessed through an unsecured account compromising the usernames, passwords, among other information, of approximately 350 clients (Hopkins, 2017).
- The personal data (i.e., national identifier, name, gender, parents' names, home address, date of birth, and city of birth) of over 49 million Turkish citizens was made available in 2016, through an online searchable database (Greenberg, 2016).
- The personal and biometric data of over 55 million voters in the Philippines were compromised in 2016, after black hat hackers (for information on the distinction between black, white, and grey hat hackers, see Module 2 on General Types of Cybercrime; see also Radziwill et al., 2015; Chatelain, 2018b) gained unauthorized access to the Commission of Election (COMELEC) website (Tan, 2016).
Did you know?
Stolen passwords can cause harm beyond the compromised accounts as people often recycle passwords and use them (or parts of these passwords; for example, certain numbers) on more than one website, email account, app, and/or online platform.
Outside of breaches, medical, financial, and other personal data could be found on dedicated online carding forums (i.e., online sites dedicated to selling debit and credit card data) and darknet sites (located in the Deep Web) (discussed in Cybercrime Module 5 on Cybercrime Investigations; see also, Maras, 2014 or Finklea, 2017, in English, and Chatelain, 2018a, in French, for more information about the darknet and the Deep Web).
In addition to releasing this data for financial purposes, compromised data can (and has) been released to shame people and expose their real or perceived immoral actions and behaviours. A case in point is the posting of the personal information (e.g., names and email addresses) of approximately 37 million users of Ashley Madison, a website which connected users seeking extramarital affairs, online (Zetter, 2015).
The burden to secure data is often placed on the individuals whose data is stolen. These individuals are informed to minimize their "digital footprint" by updating security settings on apps, websites, social media, and other online platforms, and removing and/or reducing the amount of data about themselves that they make available to others (Maras, 2016). This victim-centred approach puts the onus of protection on the victims of cybercrime, and not the offenders and the companies whose systems were breached. The reality is that victims cannot protect their personal data when it is "stored in and stolen from third party databases far removed from… [their] control" (Maras, 2016, 289). It is also increasingly difficult to minimize one's "digital footprint" today. Fewer, if any, alternatives are available for individuals who opt out of the collection, analysis, and use of their data. For example, an individual who uses social media has one of two options: provide the minimum amount of required personal information to use the social media platform (which is essentially what the individual "pays" for using the service) or opt out of providing this information and not use the platform. There is no other alternative offered. Internet of Things (IoT) devices (discussed under Introduction) also require personal information in order to be used. Increasingly, new devices entering the market - even those not previously Internet-enabled, such as household appliances, jewelry, clothing, and toys - are Internet-enabled (Maras, 2015), leaving consumers with fewer options should they chose to obtain a device that does not have these capabilities.