You could see from the look on his face that conspiracy theorist Alex Jones knew he was in trouble.
“Your attorneys messed up,” Mark Bankston informed a stunned-looking Alex Jones. They had sent a digital copy of every text message Jones had sent. Bankston represents the parents of one of the twenty children killed in the 2012 shooting at Sandy Hook Elementary School in Newtown, Connecticut.
Since 1999, Alex Jones has used InfoWars to transform a host of outlandish claims into a multimillion-dollar media business. Key among those conspiracy theories are Jones’s insistence that the attacks of September 11, 2001 on the World Trade Center and the Pentagon were a “false flag operation” and his claim that the Sandy Hook Elementary School shooting was a hoax created by the United States government to grease the skids for gun control legislation.
The text messages that Jones’s attorneys accidentally sent to the opposing side prove that Jones knew the shooting was real, and that he knowingly misled his audience about the 2012 murder of 20 children and six teachers at Sandy Hook Elementary School.
The phone also apparently contained information about his role in the Jan. 6th attack on democracy, which means the lawyerly fumble that has cost him over $49.2 million so far may finally cost him significantly more.
Setting aside the courtroom drama and the schadenfreude of seeing a deeply unpleasant man finally facing consequences for fanning the flames of culture war, the compromise of Jones’s phone data highlights another scourge in America: Bad cyber hygiene.
The cost of the average cyber data incident is $4.35 million this year. While that is a fraction of the amount of money that the leak of his phone data has cost Alex Jones so far, it should serve as a teachable moment for any organization.
Poor data hygiene is the root cause of most information breaches, compromises, leaks and hacks. Jones’s attorneys failed to protect sensitive data, and we’ve most likely not seen all the consequences of that failure.
So, what can we learn? While we don’t know how the phone data was stored or accidentally sent, had it been password-protected the opposition would have been standing on shakier ground, since they would have had to pick a digital lock to access the information, something that might be protected by law.
Jones’s attorneys are by no means alone in practicing poor data hygiene. The SolarWinds hack happened because a key Federal vendor used “solarwinds123” as a password. The Equifax breach that exposed the data of 150 million people was traced back to a software patch that was never installed.
Regardless, the data should have been air-gapped, i.e., kept off any networked computer and not accessible via the Internet. The data could not have been sent easily had it been stored on an air-gapped device. Most organizations have data that is as sensitive as Jones’s complete and unabridged texts, and it should be stored in an encrypted form on an air-gapped device protected by multi-factor authentication.
As Alex Jones is discovering this week, data can be very valuable. A failure to organize, silo and protect data can be an extinction-level event. Human error is inevitable, which is why cybersecurity and good data hygiene matter. And so, finally, Alex Jones has managed to circulate some useful information, and for that we should be grateful.