For tech companies, it’s all about data, since their growth depends on it. While collecting data, companies often lose sight of the privacy aspect, resulting in privacy violations for millions of people. The recent Facebook-Cambridge Analytica crisis raised such concerns. Even in Pakistan, as computer and internet usage has grown, we’ve seen increasing data breaches, both in state-owned and private companies.
In 2017, systems at the Punjab Land Records Authority were hacked. Officials thought running systems off the internet would safeguard them, but then someone used a USB-internet to dash their hopes. This led to a suspension of services, and consequently, to loss of productivity.
Last year, WikiLeaks reported that data was stolen from the National Database Registration Authority although the latter denied it. Nadra is Pakistan’s primary data registry, containing sensitive personal information of citizens. Breaching such a critical database would leave citizens perilously exposed.
Careem, an international ride-hailing startup also operating locally, and used by many, recently saw a massive data breach. In a press release some weeks ago, it said that customers’ names, email addresses, phone numbers and trip data were stolen, but there were few details. For one, what constitutes trip data? And there was limited information about the scope of the breach across different regions and its causes.
Meanwhile, customers and drivers did not know how to find out whether/how they were affected. Moreover, the announcement came three months after the breach, which is not nearly soon enough for customers to be able to safeguard themselves. Protecting personal data is not a priority for companies.
What can such a data breach mean to an individual? You normally don’t share your phone number, address and detailed trip information with a stranger. In the age of big data and artificial intelligence, manipulation becomes a reality with access to a large set of personal and trip data.
As leading security researcher Ross Anderson has pointed out, cybercrime costs a fortune. There are direct losses, including money withdrawn from victims’ accounts and the time and productivity loss involved in resetting accounts. Anderson also describes indirect losses. After a breach, a firm loses a fair amount of the trust of its customers and its reputation, leading in turn to lost business opportunities and revenues.
Moreover, companies incur defence costs in order to prevent additional security breaches. This may entail buying security products, training employees and engagement with law enforcement. Anderson concludes that the sum of direct losses, indirect losses, and defence expenses is a significant cost to society itself.
If all this is so pricey, then why aren’t privacy and security taken more seriously by our tech companies? The first reason is the lack of high-quality software security and privacy curriculum in many of our computer science schools. Most software engineers are not well-versed in how to safeguard software code and data against common security vulnerabilities. The same people are promoted to senior positions, and security and privacy never get the attention they need. Second is that the protection of data and privacy is never a priority for companies, in the absence of stringent regulations.
Source: Dawn