Three years ago, I opened a column by running through a number of damning data hacks and leaks that looked terrible at the time:
On a Monday, there is a data leak affecting half a billion Facebook accounts, by Tuesday a bot has scraped 500 million LinkedIn accounts. On Wednesday, Stanford University announces a hack that exposed thousands of Social Security numbers and financial details. Then Thursday, the world’s largest aviation IT company announces 90% of passenger data may have been accessed in a cyberattack. And so on. The cycle is endless.
This week, we’re treated to a new batch of significant compromised data, affecting a major bank and FinTech platform provider as well as an identity verification company.
Rather than making the case for a national privacy law with teeth that could put a stop to this, as I’ve articulated too often before, now is a better opportunity to ask why these companies had this information in the first place, and why the KYC/AML policies that require such data collection should be drastically reformed to better protect consumers from this happening again.
The ID leak should dim the prospects for KOSA and other bills
The first hack of the identity verification company was reportedly the result of administrative keys being exposed for over a year.
As reported by 404 Media, the Israeli security company AU10TIX somehow had the master credentials to their logging platform publicly viewable on their database directory, which “contained links to data related to specific people who had uploaded their identity documents.”
A subsequent malware attack allowed hackers to access names, dates of birth, nationalities and identification numbers, and full-resolution copies of uploaded drivers licenses and other identity documents.
Links and examples of this data were posted to various channels on Telegram, selling access to the cache of information that could likely expose the personal data of hundreds of millions of users.
The identity company was a verification service of choice for major platforms including X, Fiverr, PayPal, Coinbase, LinkedIn, Upwork, and many more, though we haven’t gotten confirmation which platform was hit the hardest.
Why is this significant?
First, the fact that this data is available out there – whether on .onion websites on the dark net or elsewhere – means that potentially hundreds of millions of Americans could be vulnerable to identity theft, extortion, or significant financial or personal harm. Even if the harm doesn’t come today, these credentials and information cost virtually nothing to store and weaponize later by bad actors.
Second, companies are required to collect and store this data in order to comply with various statues. And yet more could be on the docket.
As pointed out by R Street’s Shoshana Weissman, this latest hack should once again dim the prospects for the various state and federal attempts at requiring ID verification for online services for both children and adults, whether on social media, pornography websites, or even rudimentary payment services.
Whether it’s the proposed Kids Online Safety Act (KOSA), or various state laws intended to block young people from using or accessing online services, forcing anyone to upload their photo ID and personal information just to use a website or a service demonstrably can do more harm than good.
At the cost of leaking every user’s data to the hacker-infested waters of the Internet, are measures intended to make sure young people can’t use certain websites worth the cost? We’d gather, no.
The financial hack that should undermine the KYC and AML regime
The second significant hack that likely affects not just personal identities but likely billions of dollars is the ransomware attack on Evolve Trust and Bank.
This “cybersecurity incident” of the trusted bank and partner to hundreds of FinTech services has been posted to various darknet websites, and contains social security numbers, account numbers, balances, phone numbers, addresses, and much more.
Considering the significant trove of precious financial information including even individualized transactions, this is likely one of the most costly hacks to ever occur at an American financial institution.
Why did this bank have all of this information at the ready?
Because of the various “Know Your Customer” and “Anti-Money Laundering” laws in place in the United States, financial institutions are required to collect and store this information in case the government wants to build a case against a customer.
The actual laws requiring this are numerous, and the penalties for not complying are just as steep.
The Bank Secrecy Act, PATRIOT Act, the FDIC’s Customer Identification Program, the Dodd-Frank Act, and the Corporate Transparency Act all forcibly require service providers to collect this information and have it handy to give over to authorities to conduct investigations.
The main purpose of these laws are to prevent crime, terrorism, and bad actors. But we must now ask whether the collection and storage of all this data is itself more dangerous than allowing police to do their jobs without significant data collected by private companies.
These criminally motivated and sophisticated attempts at scooping up terabytes of data containing personal and financial information – whether by criminal actors or foreign militaries – are harmful and will lead to terrible consequences.
But their availability – forced by various federal and state laws – should also inform the debate about whether they are necessary at all, and whether we should have a serious conversation about reforming KYC/AML laws in this country.
