Today people share personal information with almost everyone: online platforms, government institutions, private companies. This data can be leaked onto the internet or, even worse, stolen. Therefore, one needs to learn how to protect personal information.
Dana Buralkieva of the public foundation ‘Erkindik kanaty’ tells CABAR.asia what a personal data leak is and how to prevent it. She is an independent researcher, expert and trainer on freedom of expression and personal data protection.
What is a data leak?
It is a disclosure of confidential, protected or sensitive information, which becomes publicly available due to illegal actions. Personal data is leaked often.
What is personal data?
It is data that identifies a person. It can be a surname, address, e-mail, date of birth, phone numbers, postal addresses, and also an IP address (the unique code of any device connected to the internet). Personal data also includes financial information: information about bank accounts, credit and debit cards, revenues and payments. Medical information is also on the list: analyses, diagnoses, genetic and biometric information (fingerprints, eye retina, vein print, voice).
Why is a biometric data leak more harmful than a leak of any other kind of personal information?
Because an e-mail address or bank account can be changed, but fingerprint patterns remain unchanged for life. “Imagine that you have access to a very important place. For example, your apartment can be opened by your fingerprint. And then the storage and processing system, where you store your fingerprints, gets hacked. Now intruders have access to your biometric data and can then download it or replace your fingerprints with their own to get into your apartment,” Dana Buralkieva gave an example.
How to prevent a personal data leak?
It is very important not to share your data with everyone. Very often, people provide their data to swindlers who call them on the phone, ask them to share their bank card data, tell them the code on the back of the card, etc., and then withdraw money from the card. Such situations are complicated because it is not always possible to find the perpetrators, as they are often located outside Kazakhstan, beyond our jurisdiction. One more important point is the privacy policy of the organisations you share your data with. You should study it carefully. According to Dana Buralkieva, one needs to read the privacy policy in full.
What to pay close attention to when reading the privacy policy?
It is important to know what access you grant to an application when you install it. “If your flashlight requires access to a voice recorder, it is weird,” Buralkieva said. The privacy policy must contain clauses specifying that data collection must be approved by you. For example, when you download an app on an iPhone, you’ll get a message that the application wants to track your activity. In this case, you had better choose “not allow”. The most important clause in the privacy policy is about data protection: for example, what the organisation does to prevent a leak and what measures will be taken if one occurs.
Where can information leak from?
According to Dana Buralkieva, there are various sources, both online and offline. For example, information can leak from online systems or databases. It can also leak from phones, memory sticks and PCs. All these systems can be hacked, and physical carriers can be lost or stolen. If they contain important information, e.g. financial data or an EDS (electronic digital signature), such information can be used by swindlers.
What to do if my data gets onto the internet without my authorisation?
First, you should assess your risks to understand the scope of the leak, and then you should isolate the leaked data. For example, if your physical carrier (memory stick or laptop) is lost, you should disconnect it from all electronic online systems to suspend access to this data and prevent further leakage of information. If your data is leaked from a computer system, you should take measures to close the leak. To do that, you should contact the organisation that let the leak happen. Second, you should notify the responsible persons, e.g. the organisation you work with. In addition, you should contact law enforcement bodies. Third, you should understand how this information was used. According to Dana Buralkieva, this is a small internal investigation: to explore who needed it and what for, and how this information will be used against you. According to the expert, you should make a list of measures to take in case this information is used against you, so that you know in advance how to respond.
How to find out on your own who caused the leak?
It is a very complicated process and most probably cannot be done on your own. According to Dana Buralkieva, you need not only to understand the laws and the technical side of the problem, but also to have special equipment. However, the organisation that stored the data can analyse the situation independently: namely, which data was compromised, the date and period of the leak, and its method. This can help narrow the list of potential sources. However, it is better to bring in a technical specialist in cyber security.
What to do if a leak occurs via ChatGPT or another AI-based service?
According to Dana Buralkieva, the mechanism for dealing with the consequences is the same as on any other platform: one should report to the support services. Afterwards, one should stop using the unreliable AI-based service. “Moreover, in case of a leak via AI-based services that are beyond the jurisdiction of Kazakhstan, it is impossible to protect oneself by law. The only way to protect oneself is to comply with the cyber security rules. The most important thing is not to upload sensitive information to the AI-based service, especially personal data,” the expert said.
What to do if information about me was leaked from a private company or a government institution?
Under the law “On personal data and protection”, there is no difference between the responsibility of a government institution and that of a private company. According to the law, you have the right to file an action against any organisation that you entrusted with personal data which was then leaked.
Is it possible to remove data that was leaked?
According to Dana Buralkieva, it is a very difficult task, and sometimes an impossible one. Nevertheless, you need to contact the host platform that received the leaked data and ask it to remove the data. Such platforms have their own procedures to carry out in these situations. Once again, you need to cooperate with law enforcement bodies, especially if the leak has serious consequences or can be related to criminal activity.
Is there any penalty provided for a personal data leak?
Yes, there is. There is both administrative and criminal liability for individuals and legal entities. According to article 79 of the Code of Administrative Offences, there is a penalty in the form of a fine. Article 147, regarding the privacy of private life, provides for criminal liability. It provides for a penalty in the form of a fine, custodial restraint or imprisonment, depending on the elements of the crime.
Where to turn to avoid further data leaks?
If you have the resources, you can turn to companies dealing with cyber security. According to the expert, organisations that do not have money to pay IT security specialists often have problems with data leaks. In this case, you can turn to non-profit foundations that will help you solve the problem.
This publication was funded by the European Union. Its contents are the sole responsibility of IWPR and do not necessarily reflect the views of the European Union.