Your data travels to places you would never dream of, thanks to low-cost managed service providers in far-away countries. And when they get hacked, it’s an open question who’s been taking a look at your data – and whether you will ever learn about it – as in the hypothetical phone call below:
Hello, your personal data has been stolen. I bet you did not know that we sent it to India, sorry. But, it was probably stolen by someone else, from another country. We don’t know what they stole. We just know that they looked around and took copies of everything. You might want to change your passwords. Relax, it will all be OK.
Your data has been outsourced
Reassuring this is not. But this is a phone call that dozens of companies could be giving their clients in the near future. Wipro, a huge India-based IT services company, has admitted that it was hacked. And while the company isn’t saying much, cybersecurity reporter Brian Krebs is. He broke the news that the Wipro systems had been hacked and that intruders had been using the company’s network as a jumping-off point into the emails and accounts of at least 12 of its clients.
So far, few details are known about the hackers. According to the Krebs report, the hackers are believed to be a nation-state group more interested in data than in cold hard cash. The hackers’ approach seems similar to that of a late-2018 attack against HP and IBM. That attack was attributed to hackers working on behalf of China’s Ministry of State Security.
Your security has (not) been outsourced
How important security issues (such as data privacy) should be for companies is sometimes an open question. With regard to HP and IBM, the responsibility is clear – their accounts were hacked, and the invaders took their business data and that of their clients. For IT outsourcing firms, while the risks of a data breach are just as high, responsibility seems to be a bit less direct. As Wipro CISO Sridhar Govardhan stated in a recent interview, “security cannot be a show stopper for business priorities.”
Only time may tell
Wipro has said that zero-day vulnerabilities were harnessed in the attack and that it has hired a forensics firm to look into the issue, but also that there were some inaccuracies in the Krebs report. However, the company passed up an opportunity to directly clarify the issues with him in an open call with investors.
So when it comes to data security, you can keep tabs on your own data, and you can try to see what happens to companies directly holding and collecting your data, but you will be hard-pressed to even know the names of many of the firms to which work on your data has been outsourced.