Data breaches, but worse: When hackers target our public services | Opinion
These days, getting a data-breach notification feels like just another part of waking up in the morning. Is it a day ending in the letter “Y?” Then yes, hackers probably stole my password, Social Security number and first pet’s maiden name from some company’s system.
I’m barely exaggerating. The state Attorney General’s Office keeps a list of data breaches in Washington, and it shows more than 90 incidents so far this year. And those are just the ones we know about.
On the Tuesday before Thanksgiving this year, some residents of Sumner and Lakewood found out their personal information and passwords were caught up in a data breach of CodeRED data. That’s an emergency-alert service used by local governments around the country. (I’m currently waiting to hear back from Crisis24, the company that makes CodeRED, on whether any other local agencies used their service.)
Just because this has become an everyday experience doesn’t mean we should move on without thinking about why things are this way. What stands out to me is how often government services are involved in data breaches.
It’s always a shame when something erodes the public’s trust in services meant to help them. Anything that could turn people away from an emergency-alert system is a prelude to tragedy.
I asked Deveeshree Nayak, a cybersecurity professor at the University of Washington, about this. She said information is still coming out about what made this breach possible, and there’s always a risk to using online services. Governments and companies have a big responsibility to protect user information and respond to breaches.
Users also have a role. You can help by taking basic steps like using unique passwords, storing them in a password manager and keeping your device’s software updated. This lowers the risk of a data breach to you personally.
“I strongly encourage everyone to educate themselves,” she said.
Like so many government services today, emergency alerts from CodeRED are a public service run by a private company. It makes perfect sense for a city to work with companies that run these kinds of platforms. It’s way more cost-effective than using government workers and computer systems.
But it can have unexpected consequences. One of those is amassing way more data on one company’s system than a single local government ever could.
Consider the data breach at the Pierce County Library System earlier this year. In its aftermath, the library is paying for credit-monitoring services for affected patrons. It’s also facing a lawsuit from members of the public over the library’s handling of the data.
Still, the hackers stole substantially less data than is likely at issue in the CodeRED breach. The company didn’t respond to my question about how many people were affected. But a statement from the Sumner Police Department said the breach involved data from hundreds of localities. That means the CodeRED platform could collect a cache of data on far more users than the nearly 337,000 people who gave their information to the Pierce County Library System.
It’s not just the number of people affected. The bigger pile of passwords could tempt more hackers. To borrow a concept from the legal world, it’s an attractive nuisance.
Hackers aren’t the only thing to worry about when several governments pool our data on the servers of one company. In October, researchers at the University of Washington reported they’d found signs that the U.S. Border Patrol had accessed license plate reader data from police departments in Pierce County and around the state. The cameras came from a private company: Flock Security.
Regardless of how you feel about the immigration aspect of the situation, what’s concerning is that the data sharing was probably unintentional. We want our government agencies to know and control exactly who can see our data.
Local police departments are prevented by state law from assisting in federal immigration enforcement efforts, so it’s a legal requirement to keep the surveillance data contained. Department chiefs said they were unaware they had enabled settings to let others access the surveillance data they were collecting with the Flock cameras. That shouldn’t be possible.
Turning back to emergency alert systems, it’s crucial for people in Pierce County to sign up for them. I’m sure I don’t need to tell you why, but here are a few prompts to get you motivated: earthquakes, wildfires, mudslides… and that one huge, active volcano. Pierce County ALERT is the countywide system.
If you have to create an account for any government service, use good password practices. Create a unique, complex password. Save it in a password manager. Change your password right away when you find out about a breach. It’s worth the extra effort.
And for the love of Pete, don’t reuse passwords from your email or banking accounts, ever.