Rahul Vengalil
Guest Article

It's human ignorance, not technology that's behind a data breach

Here's why.

The other day, my wife was telling me about an incident in her office which she termed 'Social Engineering'. A few of her colleagues got a call from someone who claimed to be from a different department asking for contact details of other colleagues. In our daily lives, we might have faced similar situations and many of us would have been gullible enough to share the contact details that were asked for. It could be that of a colleague, friend, family member or acquaintance.

It's human ignorance, not technology that's behind a data breach

Rahul Vengalil

How do you think the telemarketers offering home and personal loans, credit cards, holidays, mobile number portability, spa treatments etc. know of your requirement? Two instances that I recall are the number of phone calls I had to answer while buying a house back in 2013 and calls from CAs while setting up What Clicks. How do you think these businesses were able to pinpoint me? I never sent an SOS to anyone asking for these services.

Data mining or the dubious misuse of data has been happening for a really long time. Haven't you been offered lakhs of customer mobile numbers and email addresses for as low a few thousand rupees? How do you think they collected the data? Most likely through one of those lucky dips where gullible users have given their phone numbers and email addresses. Who do you think should be blamed for the sale of data? The brand that ran the lucky dip or the vendor who ran the program or the business that bought the data?

Let us re-look at the Facebook and CA (Cambridge Analytica) fiasco. Facebook is the brand that ran the lucky di; the freebie being their service of networking, content etc. and CA, being the vendor who ran programs. If we do not blame the regular vendors for a data breach, then should we really be angry at Facebook?

Back in the day, while running a digital agency, I had recommended using custom targeting and lookalike targeting to a CMO. I got a firm "No" from her explaining that she did not know how Facebook would use her consumers' data. Looking back, I realise just how ignorant I was when it came to handling some of the most sensitive data around.

In the past 15 months, we have had many instances where we have found vulnerabilities for many brands, especially via their websites. In our effort to drive awareness to the possibility of a data breach by hackers, we reached out to these brands. Do you know how many brands met with us to understand the problem, after the 1st, 2nd and 3rd follow up? Zero! Yes, you read that right. The issue is not with technology, it is with our ignorance to respond to a challenge that is thrown at us.

Facebook, which is in the eye of the storm, lost over $100bn in market cap since the start of the issue. This is not because they suddenly lost revenue or users. In fact, Mark Zuckerberg testifies that there was no dramatic drop in the usage of Facebook, since the time of the scandal. The primary reason why they lost so much is that they lost the users' trust, which in turn led to the erosion of goodwill towards the brand.

My interaction with businesses with regard to data breaches has led me to believe that brand custodians aren't able to see a tangible loss of revenue due to data breaches. Why else would I get responses like "Our priority is clocking transactions and nothing else". This also shows our ignorance of the larger scheme of things that impacts the business. The biggest fallout for a brand when a data breach is made public is on the brand's goodwill which many of the key stakeholders do not understand or are ignorant of.

Data breaches are not always linked to the hacking of the system. This is a popular misconception. The initial reports of Aadhar data being leaked and sold for INR 500 were not part of an elaborate hacking mechanism. It was later suspected that over 1 lac Village level enterprise (VLE) operators had access to Aadhar data, even after their services where withdrawn. They saw an opportunity to make quick money and using their access, started the scheme. The only way to have avoided this is to have created strict guidelines what should have been followed once the VLEs stopped being partners.

As developers and marketers, all of us would have access to websites, Google Analytics and Social Media pages of businesses that we have worked with in the past, even after leaving the organisation. Imagine that kind of access in the wrong hands. Where are the guidelines and protocols? Isn't this ignorance?

For a business to really fight this menace, which existed for a long time, a lot of awareness needs to be created on the challenges that one would face. Let me draw your attention to the practice of frisking a security guard or a salesperson at the end of the shift in a retail outlet. Shouldn't that be the same with sensitive data? How often do we frisk our marketing colleagues? This again brings me back to the topic of awareness that needs to be created within the organisation on what sensitive data is, how it should be handled, what the protocols should be, the process of handling it and so on.

(The author is CEO of What Clicks, a digital marketing audit firm)

Have news to share? Write to us atnewsteam@afaqs.com