Tuesday, February 23, 2021

Covid-19 cyberfraud

TL;DR: don't be a sucker.

We need to talk about Covid-19 cyberfraud.

Robert Capps wrote about how there has been a rise in cybercrime due to the pandemic. There are more phishing emails purporting to come from the CDC or WHO, and with employees working from home, they are getting calls asking for various passwords and they are giving them out. For all the people who say they wouldn't do that, keep in mind that if you get a call from someone claiming to be in the IT department at your organization, you don't have the benefit of seeing whether they are who they say they are. They aren't coming by your desk wearing a company badge. They're a voice on the phone and you can't verify their credentials. But they're sure asking you for your credentials!

A lot of people are predicting that work from home is here to stay. I don't think so, but I'm willing to be wrong. If it is here to stay, we need to get serious about security. You can institute all of the clean desk policies at the office that you want. You can require multi-factor authentication, have floors monitored by security guards, and control access with keycards. A large chunk of that goes out the window the second you set people out on their own. They may be incredible workers but not understand the point of the policies. And even if they do, there's no security guard or keycard controlling access to their homes. You have lost some of your security right off the bat. Those calls that were previously getting screened by a menu or receptionist are now being routed to your cell phone and have lost some of that screening. Your organization is weaker. Accept that's true. If you want your workers to continue to work from home, figure out what to do about it. Humans are always the weakest link, and if you are running the organization and failed to properly train your staff to avoid these scams, guess which human is to blame... (hint, it's not your employees).

One other thing the article addresses that helps explain why cyberfraud is on the rise during the pandemic is that policies are constantly changing. My own firm, which I run, had to move very quickly from conducting business in the office to doing it remotely across the country. We're digitizing everything because we needed to access it from anywhere, not just a filing cabinet. One of my law clerks left to spend the pandemic with his mom in California, so he was in a very different time zone than the rest of us. As we needed to make calls, it became evident that his clocking in around 5pm wasn't going to work because he couldn't make those calls. That switched. We had to have communication software and a process for assigning tasks because yelling across the office did not work anymore. That took trial and error. For my attorney who had already been struggling to bring in clients before the pandemic, he certainly had a hard time adjusting to the new changes when he hadn't figured out the old process yet. We parted ways. Although it was almost certainly always headed down that path, the pandemic meant I couldn't give him any help or advice when he couldn't get on with the software and had a hard time walking through it with me remotely. So it hastened it.

All of the changes all throughout were a result of, "the world is in a red level panic, I have to either fire everyone and abandon my office or figure this out, and I'm rather tenacious so I guess I have to figure it out." But that didn't mean I knew what I was doing. Nobody did. If I went back in time and told employers to get their BYOD device policies and security in order because they'd need them, I would have been ignored and told they are NEVER going BYOD so this is useless advice to them. We're now at the stage of the pandemic where if somebody told me I need to keep a pair of running shoes at my office, ready at all times, I'd believe them. I don't know why I'd need them, but I can analyze a scenario where I'm going to need to run and I won't want to do it downstairs in heels.

Apart from the mess-ups, an intelligent employer should see this as a golden opportunity. I don't want to pull an ego trip and pretend I'm an absolute genius, fantastic business card aside. :) But I used this as an opportunity to improve. What am I lacking? Why is all this stuff only accessible on paper? I like to travel- what if I'm in Japan and I need a document right now? Digitize that stuff. Adopt this as a standard practice. I've given serious thought to (and even had to implement, at a low level, a few times) the action plan for what happens if I cannot access the written or digital copies. Or what if my power goes down? What is my contingency plan for various scenarios? As much as I dread it and try to prevent it, I know what I'd do if a computer got locked down with ransomware. I don't like it- I don't like any of this- but I've got a plan for it. I even have a contingency plan for if I get sick and a different one if I die from that illness. It's hard enough doing it in a personal way, but I've confronted my own mortality in a business sense and determined here's who gets my data, business, and assets; why that person gets it; how it should be handled; etc.

If you are a company owner reading this, have you asked yourself how you can improve security? Assume your employees don't know how. 

If you are an individual reading this, first, please understand that businesses aren't throwing meaningless policy and security changes at you for no reason. We're doing the best we can as the situation evolves. Some are doing better than others. But second, ask yourself what you can do. Assume you know nothing and everyone is trying to steal your info. Well, you've heard you need strong passwords- start there. Find out why. You've heard not to write them down or share them. Again, follow that info and learn why. A) You don't want to be the fool that gets disciplinary action for giving out your password over the phone. B) You DO want to look like a cybersecurity hero when you walk back in the office and you have personally adopted some good habits that you can share with others. C) Even if someone else in your company did reveal their password, you might have done enough to keep your stuff sequestered, which REALLY makes you look like a hero. They might not give you a raise since they're paying millions to clean up so-and-so's mistake, but you might get a promotion out of this.

Capps, R. (2021, February 19). Fight back against covid-19 cyberfraud. Retrieved February 20, 2021, from https://securityboulevard.com/2021/02/fight-back-against-covid-19-cyberfraud/

Tuesday, February 16, 2021

The CIA Helps You Protect Your Data

TL;DR- wait, what?! The CIA helps me protect my data? Uhhhhh...

To start off, I'm an attorney. This is relevant because we have to do continuing legal education classes (CLEs) to stay current. I'm partially working on this because I hope to present it someday as a CLE at my local bar. They actually take cyberlaw and cybersecurity very seriously. For the cybersecurity professionals reading this, this is going to be Cybersecurity 101 and insultingly simple. For everyone else, let's get to why you need to actually take cybersecurity seriously, ESPECIALLY if you don't know anything about it.

First, I want to start with the most basic definition. What the heck is this cyber stuff anyway? I get what the Internet is (sort of) but what's cyber?! Great question. First, cyber is an adjective. I remember constantly yelling at my TV every time Senator John McCain came on because he'd talk about "we need to improve cyber." I would always yell back, "CYBER WHAT?!? Cybersecurity? Cyberspace? Shall we improve cybercrime, you freakin' idiot?!" So think of cyber as meaning technology and we'll call it good enough. But that's only an adjective. We need to figure out what particular realm we're talking about. Because I promise you, we don't want to improve cybercrime, even though we might want to improve our defenses against it. For purposes of this discussion, we're talking about cybersecurity. Given the definition I've provided, that means the security of technology.

For those new to this, you're probably thinking, "I just figured out what cyber means and that it's an adjective, and now I have to take on security issues. I can't do that! I don't know enough." That's great, because now we have a starting point for the discussion, definitions, and hopefully a willingness to figure it out. 

I would argue that we need to know the goals of cybersecurity before we can apply any fixes. So what are the goals of cybersecurity? That's where we get to the title... Many people would raise an eyebrow that the CIA is going to help protect your data. But we're not talking about that Central Intelligence Agency. Here, the CIA triad stands for:

  • Confidentiality- C
  • Integrity- I
  • Accessibility- A

Have these three things in place, and you can trust your data. So what do these actually mean?

Confidentiality means that other people who aren't supposed to look at your information aren't looking at your information. Think of it like this- when you go to the doctor, do you want some other patient in the waiting room to pick up your chart and start reading about and discussing all of the various illnesses you have? Do you want your bank teller to take your credit card to look up your account and then announce to all the other customers what your credit card number and PIN are? Probably not. Confidentiality means keeping certain things secret. For lawyers, rule 1.6 says we have to keep information about representation confidential 1) unless we have informed consent or 2) it's reasonably necessary for certain reasons, AND 3) we have to take reasonable steps to keep information confidential. That's because not many people go visit an attorney because it's the best day of their lives. The way the rule is written, 1 or 2 can apply, but 3 always applies. That means lawyers have an ethical duty to take steps to keep cyberinformation private, so if you do anything on a computer or phone, you must pay attention to cybersecurity.

Integrity: we talk about integrity in the legal profession a lot, but this isn't that kind of integrity. Here, it means keeping the information whole and accurate. Someone might look at that and think it sounds smart, but why would it be necessary? Here's why- what good is information if it's incomplete? If I call another attorney to talk about a case and they say, "I can confirm I represent that person but I cannot provide you with discovery responses because my client shredded the documents." What??? You already know we're going to have a problem in court. Frankly, I don't care if you confirm you represent them at that point because I'm going to do everything I can to make your representation meaningless. Further, I'd argue you aren't really representing them because you haven't done anything on their behalf. How does that look in technology? You go to your computer and open a contract draft to find that the last changes weren't saved, and there went four hours' worth of work down the drain. Now you need to explain to your client why you are trying to bill for another four hours for the same task, or you need to write off the time as a loss. Neither is particularly good.

Accessibility- this means your data can be accessed. This can take many different forms. Let's say that your building has a fire and you cannot physically get to your computer. It's not accessible. Let's say that you open your computer one morning and find that the operating system will not load. What that looks like is that you turn on your computer and there is power, but nothing happens. It never loads the screen you use to login. Your information might be fine, but you cannot access it. If you cannot access it, how much good is that information doing?

Let's say there's a blizzard of the century and you cannot physically get to your office to get the files off your computer, but there is a Zoom hearing in three hours. Your information is complete and whole. It's saved on your computer and remains confidential. So what? You lost one of the legs of the table and now it is useless to you. Let's say alternatively that your computer is hacked. You can still access it- that's not the issue. All of the data is whole and integral. That's a problem here because confidentiality has been breached. Finally, let's say your data is confidential. You've used good passwords and you can access it. But the changes in that contract didn't save, so it doesn't have integrity. You're working with pieces of it. This is why you need all three. 

----------------------------------------------------------------------------------------------------
So great- you're convinced. You need the CIA triad. What can you do if you don't know much about cybersecurity? 

For confidentiality, use strong passwords. Yes, they are annoying. No argument. Use one very strong password with upper and lower case letters, numbers, symbols, and at least 8 characters long. Memorize the heck out of that password and get yourself a password manager. Don't rely on your browser- get a password manager. If you remember that one password, it unlocks all the other passwords and can help you generate strong ones. Some of them will work across devices, so for example, I have one that helps me on any of my computers or my phone.

For integrity, do regular backups. Admittedly, you may still not get the last draft of that contract, but you won't have to recreate every contract you're working on. Back up your information. Set this to happen automatically and regularly, and do it to a flash drive, a DVD, an external drive, or a cloud service such as Google Drive. Somewhere that isn't on your computer.

For accessibility, there are a lot of tie-ins with integrity. If your computer is inaccessible and you have that external drive with you, you can access your data from home via that. It's even easier with the cloud services because Google Drive can be accessed from anywhere.

But again, think about how these work in relation to each other. If you're backing things up to an external drive but you leave that in the same place as your computer, it might be destroyed in the same event that takes out your computer. If you back up and take the external drive with you, you shouldn't leave it in your car for someone to steal, because this will destroy the confidentiality.
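As an added example (not part of the original post), here is a small Python script that does what the last three paragraphs recommend: it copies a folder to a separate location, records a checksum of every file, and later checks the copy so that a backup that silently lost changes (the "contract that didn't save" problem) is caught before you need it. The folder and file names are constructed for the demonstration.

```python
"""Back up a folder to a separate location and verify the copy's integrity.

Added example, not from the original post. It assumes a source folder such as
an office "contracts" directory and a destination on a different device or a
cloud-synced folder; the paths used below are constructed for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large scans don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root: Path) -> dict:
    """Record the hash of every file under root (except the manifest itself)."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(root).as_posix()] = sha256_of(p)
    with (root / MANIFEST_NAME).open("w") as f:
        for rel, digest in entries.items():
            f.write(f"{digest}  {rel}\n")
    return entries


def read_manifest(root: Path) -> dict:
    """Load the manifest written by write_manifest back into a dict."""
    entries = {}
    with (root / MANIFEST_NAME).open() as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            entries[rel] = digest
    return entries


def backup(source: Path, dest: Path) -> dict:
    """Copy source to dest (dest must not exist yet) and write a manifest there."""
    shutil.copytree(source, dest)
    return write_manifest(dest)


def verify(backup_root: Path) -> list:
    """Return the relative paths whose contents changed or went missing since
    the manifest was written. An empty list means the backup is still intact."""
    expected = read_manifest(backup_root)
    problems = []
    for rel, digest in expected.items():
        p = backup_root / rel
        if not p.is_file() or sha256_of(p) != digest:
            problems.append(rel)
    return problems


def demo() -> tuple:
    """Constructed walk-through: back up two 'contract' files, confirm the copy
    is intact, then simulate a file whose latest changes were lost and detect it."""
    work = Path(tempfile.mkdtemp())
    src = work / "office" / "contracts"
    src.mkdir(parents=True)
    (src / "smith-lease.docx").write_bytes(b"draft v4 of the lease ...")
    (src / "jones-nda.docx").write_bytes(b"mutual NDA, signed")
    dest = work / "external-drive" / "contracts-backup"
    backup(src, dest)
    intact = verify(dest)  # nothing changed yet, so this is []
    # Simulate the stale copy: the file silently reverted to an older draft.
    (dest / "smith-lease.docx").write_bytes(b"draft v3")
    damaged = verify(dest)  # now reports the altered file
    shutil.rmtree(work)
    return intact, damaged


if __name__ == "__main__":
    print(demo())
```

Run `verify` on the external drive or cloud folder on a schedule; a non-empty result is your cue to re-run the backup before the original is gone.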

This is the crash course in how the CIA helps you protect your data. This is not meant to be an exhaustive discussion on the nuances of cybersecurity. This is meant to get you thinking and asking questions about how to protect your data, why it's important to do so, and demystify the whole thing.

Thursday, February 11, 2021

Social Engineering

I'm currently taking three classes in my last semester of a cybersecurity degree, and one of them is Human Aspects of Cybersecurity. I did not expect this at all, but I'm kind of having a blast. Essentially, it's social engineering. What's that, you ask? Manipulation. How are people manipulated to give up information?

It's actually terrifyingly easy. People are so conditioned to be friendly. And apparently, being friendly means opening up your entire life story. Some are worse than others. I have met people that in less than ten minutes, I know how many ex-husbands they have, their neighbor's horse's names, and that they spend large amounts of money on antique furniture. 

I can't do much with this information, nor do I want to. But I think about certain friends I know that can't resist a good Facebook quiz. In fact, for one that I'm thinking of, I know that she's a Capricorn born on January 5th, her favorite color is purple, she's divorced but in a new relationship since then, and where she's eaten in the last week. I can use this. How many security questions ask your favorite color? How many verifications want your date of birth? I can start predicting patterns based on where she regularly eats. I can get into other things based on the name of her new relationship. This is all info in various Facebook quizzes and her profile. And that's discarding a lot of other random things I could learn simply by "relating" to her. Drop a mention about Supernatural or Harry Potter and I can find out a lot.

And this isn't just her. It's shocking the amount of stuff people put out there for everyone to read. The Internet has a long memory, and when someone is posting upwards of 10 posts a day, it takes some time to sift through, but they've given you an entire picture of who they are.

Off of Facebook, it's not much harder. You just have to do more work for it. I know that my next door neighbors have two adult children- one of whom has twins. They live in Michigan. That probably irritates dad because of a long standing football rivalry. The guy worked at a dishwasher repair place before retiring and has had heart issues. The woman works as a hostess at a local Italian restaurant. Her sister also worked there and has served Chrissie Hynde. She likes to run, her mom has dementia, and their dog was named Jake and he liked to sleep under the tree in my yard. 

How do I know all of this? I listen. People talk. You're probably thinking, "yeah, but it's a friend and your next door neighbor. Not everyone does this." Sure they do. I've had conversations with complete strangers and they told me they're fixing up their house so they can sell within the next six months. Cool. If I was evil-inclined, I'd wait for your house to go up for sale, break in, and if caught, I know the name of the owner. She introduced herself to me. 

What does this have to do with cybersecurity? Everything. According to the Verizon Data Breach Incident Report, 30% of attacks involved an insider (https://enterprise.verizon.com/resources/reports/dbir/2020/introduction/). Now, this doesn't necessarily mean that a person in a company intentionally attacked their own company 30% of the time. It does mean they bear responsibility for it. Lousy password security, not locking your computer, etc. all make it very easy for an attacker to get in. Not shocked yet? In 2003, 90% of office workers at London's Waterloo station gave away their computer password in exchange for a cheap pen (https://www.theregister.com/2003/04/18/office_workers_give_away_passwords/). People are ridiculously lax with their information and security of that information.

So where am I going with all of this? Well, be smarter than that. Not just the computer password in exchange for a pen, but stop doing the Facebook quizzes to find out your spirit unicorn name. Be bold. Make up your own spirit unicorn name! While you don't necessarily have to stop chatting with the neighbors, be circumspect about who you reveal information to. 

Monday, December 28, 2020

Software blues

tl;dr: I have a love/hate relationship with software.

Let me explain what happened... Last year, about this time, I had one attorney and three law clerks working for me. We had checklists and the law clerks would use a template, change the header information, and edit from there. We rarely sent out discovery because it took approximately an hour to edit the template and just wasn't worth the money. 

And then (like more or less everyone is saying), the pandemic hit. We had some staff who were high risk. We had some simply take off to go "home" to California before the state shut down. We had some like me that were just scared and didn't want to be around humans that breathed the same air. So, we moved to work from home (WFH). I still interpret those letters as "what fresh hell?!".

Because I'm primarily practicing in debt defense and because the creditors developed a little bit of a conscience, cases dried up. I'm not one to sit and wait for things to get better and I knew that this was likely only temporary. If businesses are shutting down and people are being laid off, the creditors aren't going to simply get over someone owing them thousands of dollars. They're going to wait, they're going to get their judgments eventually, and when they can do so without looking like pandemic profiteers, they're going to collect. I knew we would eventually see an absolute tsunami of debt collection lawsuits and bankruptcies. So, I took the downtime to improve my software. 

We'd need a communication function. If some are in Ohio, some in California, some in South Carolina, and nobody is face to face, we'd need a way to communicate "I need you to do this answer by Monday." We found some software that worked. I also needed to streamline the process for the future. I put together some Word templates that allow me to enter the information in one place and it auto-populates throughout. Suddenly, I boiled down a process that should have taken approximately 3 hours to less than 30 minutes. Finally, we digitized everything. Every single file came home and got scanned, uploaded, renamed, and sorted into digital files so that it was all accessible from anywhere.

This worked great until recently. I'm licensed in a ridiculous number of states and that tsunami of cases I mentioned?? Well, we haven't even been hit by the hardest wave yet but we can see it coming for us. Frankly, my office manager is struggling to keep my calendar up to date and accurate. So, for the second time in less than a year, we're changing our entire software. 

This has led to about two weeks of 3-4 hours sleep a night while I'm inputting client info. We had a false start on one software before realizing it was not going to do everything I needed it to do. I just paid for a different one today. The scalability is incredible, and I keep finding little features here and there that make me more and more impressed. I truly feel like I'm punching above my weight class with this one, because it's going to take that 30 minute process and streamline it to more like 10. All of the future invoices for future work... it's no longer a matter of 5 minutes per invoice plus more time to actually send it. It's literally a matter of pushing two buttons to create it and then hitting the send button without even switching to a different screen. It's impressive. It's a CRM (client relationship management) software, and although it's often used in sales, I don't think too many law firms use it outside of the major firms.

So why do I hate software? Why do I have software blues? Do you know what it's like to enter information for approximately 200 clients? Everything from the court to opposing counsel to a file number, etc. Then we have to get the files associated with the right people. Finally, I have to create all of the templates all over again that let me push two buttons to send an invoice. Once all of that is done, we still have yet to really dig deep into it and figure out how to make it accomplish even cooler things because I have the gut feeling I've only explored about 15% of this. I am tired. I did not think I would be completely abandoning an entire workflow system and creating a new one from scratch TWICE in one year (let alone this dumpster-fire of a year).

Naturally, since I'm getting my Cybersecurity Master's degree, I am considering all of the other stupid things that normal people don't. Do I change the address making it easier for my employees if they get logged out, or leave it complex so it is not easy for hackers to find? Do I require two-factor authentication and complex passwords, or do I need to set fire to my employees who will just write it down anyway? What is the exact level at which I set permissions for my office manager who needs access to both my calendar and email, but needs to leave the forms alone because she was experimenting with them and changed categories I very much needed? How do I clearly explain the workflow process to my paralegal so that she can do her job when I haven't really played with that particular feature too much in depth? And in a sense, this familiarity with software and cybersecurity is what led to the false start a week or so ago when we tried the other software but ultimately found it lacking. I could not do the things I wanted and needed to do, and I thought it was rather dumb that I couldn't customize it the way I wanted. Ultimately, if I'm told software cannot do something, I know there are plenty of other programs out there. If I can't allow people to do their job to the best of their ability but restrict them from changing something that will badly disrupt other areas, I will go elsewhere.

Friday, December 4, 2020

Alexa, what are my security concerns?

TL;DR- my daughter doesn't trust Alexa because she didn't program it.

First, I need to give you a little context... my daughter is a world champion in robotics at 18 years old. No, seriously. She was on her high school robotics team and they won several notable competitions. One is called "Night at the Museum" where they were playing at the Smithsonian museum and literally practiced directly under the space shuttle. The second notable competition was the year before when she was a junior. Her team went to the Worlds competition. Her team won the Design award at both, which is one of the highest awards given out. It means that they have an exceptional log, can thoroughly explain things in interviews with the judges, and in general, display a high degree of excellence. She was the logger on her team, so she recorded literally everything in a notebook for the judges to review.

At my house, I've started converting all light switches and outlets to smart switches and smart outlets. It's a small thing of beauty because I can walk into my living room and say, "Alexa, turn on living room lights," and the whole room becomes much brighter. In the kitchen, not only can I listen to my favorite music while I'm loading the dishwasher, but if my hands are full or messy, I just say, "Alexa, turn on kitchen lights" and suddenly I have all the task lighting I need. 

But my daughter refuses to speak to it. She'll say, "can you tell it to turn on the lights?" with disdain in her voice as if it is a contemptuous necessity. Sometimes I will tease her and say, "no, but you can" and she will continue to sit in the dark or use the light switch the old fashioned way. The only time she has used it is that she accidentally triggered it one time with something that was in no way the dreaded "A-word" and it started playing a Justin Bieber song; and one time when she asked for the "gummi bear song", which is an abomination of music that should not exist or ever be played. I asked her why she wouldn't use it. She answered: "because I didn't program it".

I can't say she's fully wrong. She is smart enough to program one and she has programmed one before. It's low level, but I certainly couldn't manage it! And it is a little disturbing that it listens to everything (although according to Amazon it almost instantly deletes it if it does not hear its wake-up word). Can I guarantee that's happening? No, not really. My boyfriend told me of a vulnerability whereby someone could take it over if they had sight of it (it is supposed to be fixed now). As I considered my home, I couldn't think of where I would place it that was within reach of an outlet but not within sight of a window. Combine this with the fact that I have several throughout my home to create a wide net where I can exit the living room and head for the stairs to my room, announcing lazily, "Alexa, turn off living room lights... Alexa, turn on bedroom lights" without breaking my stride. Plus, it's concerning that I'm in my last semester of a cybersecurity degree, know all of the risks, use it as more or less a light switch, and still shrug off all of the security concerns. But turning on my own light switch with my fingers?? Do I look like a Neanderthal?!

It's very convenient to simply announce, "Alexa, turn off my bedroom lights" instead of getting out from under the very cozy blankets at night. But I understand my daughter's concerns. She's a tech whiz Luddite who enjoys technology very much, but doesn't trust the brains behind it. Her robots were fine because she programmed them to follow her commands from her controller. And maybe that's something where I could learn a lesson. She's done her own analysis, decided she does not trust Amazon, and therefore she will not give it directions. She knows she cannot stop me from using it, but she's not going to actively participate in it because she doesn't want a hand in training something for a company she distrusts. 

"I don't trust it because I didn't program it." For a lot of people, that would be a funny line to toss off, but for her, it's a fully considered, philosophical, principled stance. I may never become swayed enough by it to give up the convenience, but I support young people understanding technology AND I support them taking stands for what they believe in. 

But I swear to god... the Gummi Bears song?! Truly torture!

*This has been Blog 1 of my Current Trends in Cybersecurity class. If you have something to say, let me know in the comments!

Monday, November 16, 2015

Summary of the cybersecurity posts

Over the span of the last twelve weeks, I have examined some of the breaches and hacks that have occurred. I chose this particular theme because I think if one is going to study cybersecurity, you need to have a strong understanding of where it can go wrong.  One thing that I have noticed in several of my classes throughout this degree is that the cybersecurity professionals like to discuss what should be done to protect the system as if there is an infinite budget that a company can give to the IT department to protect things.  In reality, companies MUST work with a limited budget, and IT will not get to use that entire budget.  It has to be shared with the rest of the company.  Therefore, it's fine to say that the company needs to have certain standards in place or use certain technology.  But you really learn from studying what happens when you don't use those standards or technology.  In the real world, you need to know how you will be affected and how you will overcome the problems.

Not long ago, I received my law degree.  I remember having a similar argument with one of my law professors.  He insisted that a better contract was needed between the parties, and that would have solved the problem.  I replied that from what I had seen in my office and in my studies, that was probably a true answer, but it doesn't account for the fact that every single case we study involves a situation where the parties failed in some respect.  Nobody goes to court when everything is going perfectly according to the contract.  The parties in that particular case didn't draw their contracts carefully.  How are they supposed to proceed now?  Furthermore, what happens when I get a client that didn't have me do their contract; instead, they did it themselves, and now they are having problems, and I need to help them solve those problems.  My professor didn't have a good answer.

The same is true in IT.  If the company engaged in perfect security measures for their information at all times, there is no need for a cybersecurity degree.  Everything is going smoothly, and no hackers exist.  Unfortunately, that's a fictional world.  Companies mess up and hackers want to exploit those mistakes.  So how do we proceed in helping companies that have messed up?  The easy answer is to simply throw money at the problem and fix it before it's ever a problem.  That's a good answer in many respects.  Create a strong system and there's less to do later.  But how do you proceed if you are hired at a company that hasn't done that?  You have to study how other systems were breached.  You need to know what is occurring in the real world, and figure out how to make it work when it's imperfect.

I examined breaches and hacks because it's the imperfect side of business.  These involve big and small companies.  Some focused on the insider threats, whereas others were outside attacks.  Some could have easily been fixed, while others are still perplexing years later.  My goal was simply to shine a light on these past breaches in an attempt to learn more about them.

The assignment was valuable because it showed me where to look for breach causes.  In some cases, I discovered the answer, and in some I didn't.  This exercise also taught me to think about other consequences, such as when I received a letter that my information was compromised for a company I had no dealings with.  How did they get my information?  Was this a proper use of my information, or were they not supposed to have it in the first place?  These questions all drive at the root of discovering how breaches occur and what they affect.

Tuesday, November 10, 2015

Week 11, New York Taxis

I discovered an article that talks about a data breach involving New York taxis (Pandurangan, 2014).  At first, this sounded very juicy- after all, a data breach involving taxis in one of the world's most populated cities could be a horrific problem.  In the end, this breach turned out to be a bit anti-climactic.

The breach involved improperly encrypted data that gave information about over 173 million individual trips.  It revealed the pickup and dropoff location and time, and the license number and medallion number.  The problem is, what is this information likely to be used for?  In other words, if we're going to boil it down to a risk analysis, there's a risk here.  The data was not encrypted properly; it was released, and anyone with any skill at decrypting can figure out all of the information above.  On the other side of the analysis- what is this data actually worth?

The article discusses how one cabbie was making an unusual number of trips.  At first, I thought this is where the story would get juicy.  Maybe he is doing a drug running business on the side.  The article says it was just an error in the data. Even assuming it had been a drug running business, that information is useful to the company because they will want to fire him.  It's useful to the authorities because they may want to prosecute him.  It's not so useful to hackers looking for information to exploit.

There is one scenario where a hacker may benefit from the information.  Say there is a particular person being targeted for assassination.  They know that this target has an apartment in a particular area.  They could use the data to figure out if there is a pattern to the target's movements.  There are two problems with this theory: 1) this is the stuff of bad Hollywood movies, and 2) an assassin would likely already have that info without relying upon a data breach.  Simple observation is a much more effective way of finding out the info.

In other words, when you finish the risk analysis, lots of information was released, but the information doesn't seem to hold a very high value.  That's why this didn't make the front page of the news- no customers were harmed, no valuable sensitive info was taken.  It's just an information dump.

The value of examining a breach like this is that it's a good study not only in how not to properly encrypt your data, but also in conducting a risk analysis.  Just because information was breached doesn't mean this information was worth anything.

References:
Pandurangan, Vijay. "On Taxis and Rainbows." Medium. 21 June 2014. Web. 10 Nov. 2015.