The breach involved improperly encrypted data that gave information about over 173 million individual trips. It revealed the pickup and dropoff location and time, and the license number and medallion number. The problem is, what is this information likely to be used for? In other words, if we're going to boil it down to a risk analysis, there's a risk here. The data was not encrypted properly, it was released, and anyone with any skill at decrypting can figure out all of the information above. On the other side of the analysis- what is this data actually worth?
The article discusses how one cabbie was making an unusual number of trips. At first, I thought this is where the story would get juicy. Maybe he is doing a drug running business on the side. The article says it was just an error in the data. Even assuming it had been a drug running business, that information is useful to the company because they will want to fire him. It's useful to the authorities because they may want to prosecute him. It's not so useful to hackers looking for information to exploit.
There is one scenario where a hacker may benefit from the information. Say there is a particular person being targeted for assassination. They know that this target has an apartment in a particular area. They could use the data to figure out if there is a pattern to the target's movements. There are two problems with this theory: 1) this is the stuff of bad Hollywood movies, and 2) an assassin would likely already have that info without relying upon a data breach. Simple observation is a much more effective way of finding out the info.
In other words, when you finish the risk analysis, lots of information was released, but the information doesn't seem to hold a very high value. That's why this didn't make the front page of the news- no customers were harmed, no valuable sensitive info was taken. It's just an information dump.
The value of examining a breach like this is that it's a good study not only in how not to properly encrypt your data, but also in conducting a risk analysis. Just because information was breached doesn't mean this information was worth anything.
References:
Pandurangan, Vijay. "On Taxis and Rainbows ." Medium. 21 June 2014. Web. 10 Nov. 2015.
No comments:
Post a Comment