The 10 data privacy fails of the decade – and what we learnt from them

Today marks one of the most important days in the calendar for professionals in data – Data Privacy Day!

As we enter the 2020s, let’s take a look back over the data privacy fails that shaped the previous decade – and what we learnt from them – so we can ensure the next 10 years are remembered for championing greatness in data privacy, and produce a decade of privacy wins.

1. Data privacy fails happened in the most unexpected of places…

Imagine buying an app-controlled, Bluetooth-connected vibrator to spice up your love life for when your partner isn’t in town. It’s all fun and games until you discover your partner hasn’t been controlling it… it’s actually been hacked by a total stranger.

Believe it or not, this actually happened in 2016, when it was discovered that anyone with a Bluetooth connection could hijack certain sex toys and control them because of their total lack of security protection. 

And if that’s not off-putting enough, it turned out the company was collecting and storing personal data gathered by the vibrator’s app – without their users’ consent. The app tracked the toys’ temperature and vibration intensity when paired with it – so essentially, the company ended up with large data files that detailed the exact sexual stimulation requirements of their customers. 

There is definitely such a thing as too much information…

Vibrators are not the only unusual objects that were hacked over this past decade. In 2017, cybercriminals managed to hack into a casino in North America through its internet-connected fish tank!

The aquarium in the lobby was fitted with a smart thermometer to regulate the tank’s temperature. It was through this device that the hackers were able to exploit a vulnerability and get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and pull it back across the network, out the thermostat, and up into the cloud. You could say they went fishing…

What have we learnt?

People should be able to buy things as personal as vibrators and as innocuous as fish tanks in safety. It’s simply astonishing that a vibrator was left so insecure when the risk of assault was so obvious. And it was even worse that the company was behaving so invasively as to capture such personal data without consent. While you could argue that the casino should have known better than to put a smart fish tank inside its security perimeter, the risk of exploiting a vulnerability to gain access to other systems has been well known for years, and the fish tank manufacturer simply should not have put its clients at such risk.

As the Internet of Things continues to grow, more devices will begin to come online, and these devices will come in many shapes and sizes. It’s crucial that the manufacturers of these devices follow a Privacy by Design model, and ensure that privacy and security are baked into products right from the start of the development lifecycle – not tacked on at the end. It’s far less hassle to think about data privacy at the beginning, and work it into a product, than to fix security flaws later down the line – if that’s even possible.

The adoption of IoT technology means cybercriminals can be more imaginative with their attacks, and these incidents are compelling reminders that IoT devices are vulnerable to being hacked or compromised. The problem often occurs when manufacturers focus solely on the performance and usability of IoT devices, and ignore security measures and encryption mechanisms. Basic security measures such as authentication through OAuth, secure storage, penetration tests, and regular audits should be standard for internet-connected devices.

It’s also important for consumers to remember that any object, no matter how innocuous, that can connect to the internet has the potential to get hacked. Be vigilant, keep your operating systems and software up to date, use strong passwords, and if at all possible keep Internet of Things devices separated from important data.

2. The data privacy fail that stopped Harry from having his surname on his schoolbook…  

No-one wants to lose their identity, but an overenthusiastic reading of the GDPR in 2019 nearly led to just that. A primary school banned the use of children’s surnames on textbooks, in order to comply with (their perception of) GDPR regulations.

The bizarre situation led to a young boy, known as Harry Szlatoszlavek, being labelled as ‘Harry2’ by his classmates. ‘Harry2’ even received a Christmas card from another boy which read: ‘To Harry2 from Jack2.’
