Skip to content

Involuntary Data Breaches

An involuntary data breach is a data breach where you information got compromised without your direct involvement. This is typically where your information is stored in a data location that you're unaware of, or have no control over. In a recent security incident, my own contact details have been exposed, through a friend's compromised phone. This is the story of that event.

The Anatomy of Phone Hacking

Mobile phones are very common. Everyone has one (or more!), and every possible app that can help you do wonderful things are installed on them. They help us achieve great things, keep us in touch with friends and family, and help us organise our lives.

It is of no surprise that breaches via mobile phones are on the rise. A phone, at its core, is just a computer. It is a machine that is running some software that can be compromised, and tricked into doing things it was not designed to do. While internal vulnerabilities are patched relatively quickly, it still doesn't stop the owner of the phone from making mistakes.

Everyone likes their apps. They install the latest wallpaper app, or game, or whatever they think is cool today, without realising that the app they just installed will gain access to some sensitive information. Both Apple and Google got much better at this, where they are warning their users that a particular app is requesting access to some sort of data. In my experience, people do not read those alerts. If they did, they would realise that they have just granted the app full access to all their contacts, their messages, their photos, and so on.

Another common breach type, as old as time itself, is when the user receives a link from a "trusted" individual. They click the link, it asks for a username and password, they gladly provide it, and then wonder why their phone got hacked.

I've said this before, and I'll say it again : DO NOT CLICK ON LINKS IN EMAILS AND TEXTS.

When Your Data is Breached Through Someone Else

Did I provide my phone number to this person? I honestly cannot remember. Like with most cases, phone numbers tend to spread through family networks. You meet someone, they store your number in their phone. You meet the rest of their friends and family, and the contact details organically flow through the family network.

Have you been asked to share someone's phone number? A mutual acquaintance may ask for your number from a friend, and in most cases, they don't think anything of it. The number is then shared again, to someone who should or should not have access to that number.

There's a natural tendency for this information to be free-flowing. It is not ideal, but that's the reality of the current system we have.

The Personal Impact of Involuntary Contact Exposure

Over the last few days, the number of spam phone calls I receive have increased. I do not have the patience of Kitboga to deal with these guys, but I try. The latest call I got yesterday from 02 7238 5059 claimed to be from Amazon Prime. Their story was that I (apparently) signed up for the trial period of Amazon Prime about a month ago, and now they are going to charge me $99 to continue the service. Whenever I get a call like this, I never reveal any personal information, I never confirm anything they would like to confirm. Interestingly, they knew my name was Phil, and they knew my phone number. I told the guy I was quite happy with my Amazon Prime service, and I'm happy to continue with it. "Go ahead and charge the $99." I said to the scammer... That threw him! He did not expect that answer. Shortly after, he hung up on me.

This was not the first try. The number is increasing. With more and more breaches, scammers are able to collate information from multiple sources to build a profile of who they're targeting.

The question of legal liability is a tricky one. There is no real evidence that the phone breach of my friend's phone was directly responsible to the phone call I received. Even if it was, there's the issue of the individual abusing the information, as well as my own gullibility to fall for the scam.

The more concerning scenario is where a scammer uses this information to call your bank (as an example), and change your banking details to their using your information. Rachel Tobac demonstrated it in this clip.

Preventative Measures You Can Take

  • Clear Communication: When sharing your number with friends and family, make it known to them that you do not want your number shared.
  • Secondary phone: Use a secondary phone number for most interactions and keep your primary number private.
  • Privacy-Focused Apps: Move communication to encrypted apps with username options. This is a limited option with 3rd party organisations that still rely on normal phone call networks.
  • Caller ID Masking: Implement caller ID restrictions on iPhone or Android.
  • Disposable Numbers: Use burner or temporary numbers for online forms and services.
  • Restrict Access: Ensure your number is not visible on social media or public platforms.

Conclusion

Involuntary data breaches, particularly through phone hacking, highlight how vulnerable our personal information can be, even when we aren't directly involved in the breach. Whether it's a trusted friend's compromised phone or the habitual sharing of contact details within social circles, the result is often the same—your information ends up in places beyond your control. As mobile phones become increasingly central to our lives, the risks of unintended exposure grow. By taking preventive measures such as limiting the sharing of your number, using privacy-focused tools, and educating those around you, you can better protect your personal information from falling into the wrong hands.