One number, two weeks. Go.
Last week, the paper ran a story regarding a recent cybersecurity breach at the Region of Durham offices, and focused on the length of time it took for the public to find out about said breach which, incidently, was one month. The Cosmos is further looking into why it took so long for the region to let residents know that personal information may have been accessed. At the moment, I’m giving the region the benefit of the doubt, and can only surmise that it took its time doing a thorough investigation of what exactly occurred, as it did not want to unnecessarily alarm residents. Only after such a thorough investigation did the region think it necessary to alert residents about the cyber attack.
That’s me being nice. The not-so-nice part still says “one freaking month before you let people know that their information ‘may have been’ hacked?” One month is a long time.
Back in my fourth year of university, I took an investigative journalism course. At our very first class, after a brief introduction and an outline of what we could expect from the semester, our professor handed out little slips of paper to everyone. Each slip had a different alpha-numeric sequence on it. We were given absolutely nothing else except a task and a deadline.
“Come back to class in exactly two weeks and tell me everything you can about the slip of paper you’re holding,” said our prof. So off we went.
We students quickly figured out that our slips of paper all had various driver’s licence numbers on them. That, my friends, quite literally opened up the world to us. Two weeks later, we went to class as instructed. Many of us had file folders, some of us had banker’s boxes full – FULL – of the information that we had gleaned from our slips of paper.
I had three file folders full of papers, photos and other paraphenalia I had collected regarding my person. Let me tell you a bit about him.
He was a third year engineering student at the same university as myself, Carleton. I found out his name, age, and address just from his licence. From there, I found out his class schedule, who his professors were, where his classes were. I was able to track him down on campus, follow him, take photos (I loved this part – had me look into becoming a private investigator for the RCMP!).
I knew where he banked, and I knew what kind of accounts he had. I learned what clubs he belonged to, who his friends were, what they were studying, where they hung out on campus, what food they ate, what beer they drank. I knew his bus route, and mapped out his schedule.
I found out what his parents and grandparents’ names were, what his siblings (two sisters and one brother) names were. I discovered where his siblings went to school and what they were studying, or what grades they were in. I knew their ages, I knew their after school activities. I was able to discover who their family doctor was, and did discover one health card number (the old red and white card days).
I discovered where one grandfather had come from in Europe, and one aunt, from Great Britain. If I remember correctly, I even discovered when the aunt came to Canada and when she got her citizenship.
I could go on and on about the contents of my three file folders. I knew more about my person than my person knew about himself. If I’d had more than two weeks, I could have accumulated even more information, I’m sure of it. And it’s worth remembering that this was all in 1993, there was no internet at our disposal.
I’m not telling this story to brag about my stellar investigative journalistic skills. I’m telling it to show that, even in the pre-cyberspace dark ages, it was possible for a fourth-year university student to gather a lot of very personal information on an unsuspecting soul. Had this exercise been for something other than a class project, had I had a more nefarious scheme in mind, I could have quite easily ruined several people’s lives. I could have stolen identities, emptied bank accounts, blackmailed peopled… the list is endless. Fortunately, my capacity for nefarious activities (and my desire to stay in school) was and is extremely limited, so my subject and his life were spared.
Every person who “donated” their driver’s licence number was in cahoots with our prof, and we had full permission to go after whatever we could find, of course on the understanding that it would all be destroyed after presentation, which it was. Some of the licence volunteers were actually present when we revealed what we had discovered. They were shocked by what we had been able to uncover about their lives from just a number, in just two weeks.
We have no privacy, not really. It’s only in the best circumstances that our information is kept in secrecy, and we have to trust that it stays that way. It doesn’t take a university brain to figure out that we deserve to know right away when that trust has been breached. It’s our little lives that nefarious types like messing with.