Here at the Seattle cybersecurity firm Interplay, our job is to keep your business data safely in your hands – and out of the hands of cybercriminals. That’s why, when we find out about new ways your data can be lost, leaked, stolen, or otherwise compromised, we let you know about it.
And wow. The new DataSpii privacy issue leaks your business data in a big way. That’s why we really need to talk about DataSpii. Right now.
Heads up: By the end of this blog, we’re going to have you check your internet browser for extensions and maybe even delete some. If you’re our client and you need help with that, just reach out. You know us, we’re always happy to lend a hand.
A newly discovered privacy issue, DataSpii is a cybersecurity problem that lurks in the Google Chrome browser (and sometimes in Firefox and Opera). Drawing from one of eight identified browser extensions, DataSpii invisibly siphons off your most private personal and business data – then sells it.
Once your data is sold, anyone can view it. And we mean anyone.
Who’s making your data publicly available? Well… a lot of companies probably, but the one that we know about right now is called Nacho Analytics.
A subscription-based analytics product that markets itself as “God-Mode for the internet” allowing you to “See Anyone’s Analytics Account,” Nacho Analytics offers small business leaders and entrepreneurs the ability to view real-time website analytics.
Their stated goal is to essentially democratize the market research process by offering a low-cost version of the software tools that big businesses use to perform their comprehensive (AKA “disturbing”) market research.
Nacho Analytics sure is low cost and comprehensive all right. For as little as $49, anyone could buy a subscription to the service and potentially view your:
Since Nacho Analytics was leaking internal memos from Apple, Tesla, Blue Origin (Jeff Bezos’s spaceflight company), and even global cybersecurity leader FireEye, there’s a good chance your internal records were revealed too.
It all depends on whether you or your staff were using one of the eight browser extensions that were collecting your data and selling it to Nacho Analytics.
As a Seattle cybersecurity firm, we’ve seen a lot of data privacy issues in the nearly 20 years we’ve been in business. This one, though… it really creeps us out. That’s why we’re here to give you a hand in securing your data.
If you’re ready to protect your business data, you’ll need to first identify if you have any of the leaky browser extensions.
The eight browser extensions are:
Not sure what a browser extension is? They’re mini apps that help you use the internet better. You’ll know you have some if you look for little icons next to the address bar in your browser.
Here’s what a browser extension looks like:
Many people use browser extensions, so it’s likely you found a few. Not all browser extensions are selling your data like the eight above but, before we move on, it’s important that you know a little bit about how these tools work. That way, you can protect your data better.
See, when you originally install a browser extension from the Chrome Web Store, a popup appears informing you about the permissions you’re giving the extension. Here’s an example:
You may think, “What’s the big deal in that?” but, as we’ve seen with the DataSpii privacy issue, enabling those permissions can make it hard for you to protect your business data.
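To see which installed extensions hold the kind of permissions described above, here is a short audit script. It is an added example, not an Interplay tool or code from the original post; the sets of "broad" host patterns and "sensitive" permissions are choices made for this example, and the profile path is the assumed Chrome default on Linux.

```python
import json
from pathlib import Path

# Host patterns that let an extension read every page you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing activity (chosen for this example).
SENSITIVE_APIS = {"tabs", "history", "webRequest", "webNavigation", "cookies"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return the reasons an extension deserves a closer look (empty if none)."""
    requested = []
    for key in ("permissions", "host_permissions", "optional_permissions"):
        requested += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    findings = []
    hosts = sorted(set(requested) & BROAD_HOSTS)
    if hosts:
        findings.append("reads all sites: " + ", ".join(hosts))
    apis = sorted(set(requested) & SENSITIVE_APIS)
    if apis:
        findings.append("browsing-activity APIs: " + ", ".join(apis))
    return findings


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or damaged manifest: skip rather than crash
        if not isinstance(manifest, dict):
            continue
        findings = audit_manifest(manifest)
        if findings:
            ext_id = path.parent.parent.name
            report[f"{manifest.get('name', '?')} ({ext_id})"] = findings
    return report


if __name__ == "__main__":
    # Assumed default Chrome profile location on Linux; adjust for Windows or macOS.
    default = Path.home() / ".config/google-chrome/Default/Extensions"
    for ext, reasons in audit_profile(default).items():
        print(ext, "->", "; ".join(reasons))
```

A finding here means the extension can see your browsing, not that it sells it; plenty of legitimate extensions need broad access, so treat the output as a review list.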
Our expert recommendation is that you take five minutes, right now, to delete any browser extensions you don’t use often – and definitely delete the eight leaky extensions.
Here’s how to do that in Chrome:
For extensions you’re not sure about, you’ll see a toggle to the right of the Remove button. Toggling it off (it will change from blue to gray when it’s off) disables the extension but doesn’t delete it. We recommend you just delete the darn things instead of simply disabling them.
Got all those deleted? Good! Score one for Seattle cybersecurity practices!
Now it’s time to talk about data privacy in general because privacy is really important these days.
Nacho Analytics makes its money collecting and selling your data, which may sound creepy (it is), but it’s also pretty much the way the internet works.
You already know that Google makes its money by offering free services like Chrome, Gmail, and Google Sheets, using them to collect data about you so they can sell advertising space to businesses (and display those ads across your “free” services). You already know that Facebook is using your data to sell advertising space too – and that they keep getting in trouble for sharing too much of your data.
However, you’re participating in this cycle too. Your company probably uses Google Ads and Facebook Business, along with some of the many, many other online services that make it possible for you to market your business on the web.
As we said, this buying and selling of data is how things work on the internet. The Nacho Analytics business model wasn’t illegal; they were just purchasing their data from a vendor online. A vendor who got you to agree to give up your data, for free.
(By the way, we’ve talked about this slippery slope of giving away your data before when we warned you about that “free” coffee in Providence, R.I.)
Of course, Nacho Analytics could have done a much better job protecting everyone’s digital privacy; they really dropped the ball on scrubbing a lot of data. But remember, it wasn’t Nacho Analytics that was siphoning all that data from people; it was the browser extensions. The ones you and your staff willingly installed on your computers.
At this point, no one is sure if the browser extensions sold your data to anyone else, but even if they didn’t, your data is still for sale. Researchers from North Carolina State University found that 3,800 Chrome extensions are leaking privacy-sensitive data, and the researchers suspect that 382 extensions, with nearly 8 million total users, are in the business of selling collected data. That means that, even though DataSpii was identified and is being stopped, the data privacy problem continues.
In short, you can’t be sure who’s collecting, selling, and viewing your data online – so it’s up to you to protect your business data at all times, from all people.
We’re here to help.
Since 2001, the Seattle cybersecurity firm Interplay has been helping business leaders across a range of industries get more from the IT they have, strategize for their future IT needs, and — above all — protect their data.
Our team of cybersecurity experts is here to help Seattle business leaders like you secure your data around the clock – because you never know exactly who is collecting your data, who is looking at your data, and who is selling your data.
With Interplay, you’ll have help keeping your data out of the wrong hands.
Get started on your path to better data protection with this handy list of 19 things you can do to protect your data in 2019.