[BreachExchange] After 2017, data breach fatigue should be a thing of the past
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Dec 28 19:40:43 EST 2017
http://searchsecurity.techtarget.com/blog/Security-Bytes/After-2017-data-breach-fatigue-should-be-a-thing-of-the-past
After the number of major data breaches in 2017, it wouldn’t be surprising
to see some measure of data breach fatigue set in for both the general
public and enterprises. Such an occurrence, however, would mean we missed
valuable lessons from some of this year’s worst breaches.
First, a disclaimer: there have been too many major breaches and
cyberattacks this year to count. Most infosec news sites, including
SearchSecurity, can’t cover all of them. In fact, they may not get to most
of them. Rampant nation-state hacking, global ransomware campaigns and a
continuing series of baffling accidental data exposures have generated too
much material to cover.
In addition, the scale and scope of damage has changed. So many names,
email addresses and credit card numbers have been spilled over the last
five years that it’s hard to get worked up about another breach that
exposes information that is in all likelihood already on the dark web.
Again, some level of data breach fatigue – or at least, acceptance – is to
be expected.
What may have seemed like a major data breach five years ago might not even
garner a second look today. An incident that exposes a few million customer
usernames and email addresses might have stopped the presses back then, but
today it barely registers as a speed bump.
That is, unless there are unique circumstances involved in these incidents,
which should stave off data breach fatigue. We’ve witnessed several such
breaches this year, and those unique circumstances should serve as lessons
for both consumers and infosec professionals. Here’s a summary of those
breaches.
- Equifax: The credit reporting agency’s data breach exposed the names, birth
dates, addresses and Social Security numbers of 143 million U.S. consumers,
but that was only half the story. Equifax’s breach response was a series of
confounding errors and missteps, from setting up an insecure website for
consumers to check if they were affected or not, to an interim CEO who
didn’t know whether consumers’ personal data had been encrypted following
the breach. It’s easy to look at Equifax and see yet another major breach
that exposed a lot of personal information that may have already been
exposed in other, unrelated breaches. But that shouldn’t be the takeaway;
breaches are bad, but they can be made even worse by incompetent responses
and ill-prepared leadership that put customers and the organization at
further risk.
- Uber: In 2016, the ride-sharing startup suffered a major breach that
exposed the names, email addresses and phone numbers of 50 million users.
On the surface, the incident doesn’t look like much – until you consider we
didn’t learn about the breach until a year later. Uber officials concealed
the incident and paid the hackers to stay quiet. It’s unclear why the breach
was covered up – Uber fired two executives for their alleged involvement in
the cover up – but the company has since been hit with a number of lawsuits
from both users and state attorneys general. There are grave practical
implications – if customers and employees don’t know an incident has
occurred, then they obviously can’t do anything to protect themselves or
their company – as well as ethical implications for this kind of corporate
behavior. It’s impossible to know if it’s a common practice, but the Uber
incident could be an indication that breach concealment is not as rare as
we’d like to believe.
- Amazon Web Services (AWS) exposures: There have been too many of these
accidental breaches to list, which offers some idea of how dire the
situation is. To summarize: Cybersecurity vendor UpGuard has been scanning
the internet for publicly accessible AWS Simple Storage Service (S3)
buckets and discovered that many of them were misconfigured.
As a result, organizations ranging from the Pentagon to Dow Jones & Company
have had their sensitive data exposed on the internet. Most experts agree
these accidental breaches are the fault of the customers and not AWS (after
all, S3 buckets are private by default). Unfortunately, the scale of the
problem suggests enterprises are either suffering from a lack of proper
access control knowledge or allowing untrained and ill-equipped personnel
to spin up cloud services for sensitive data. Neither explanation speaks
well of enterprise security, which is apparently struggling so mightily
that some companies don’t even need hackers to expose their data – they’ll
do it on their own.
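Here is what that misconfiguration looks like in practice, as an added example that is not part of the original article and is not UpGuard's tooling: a small Python audit that reads the JSON returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` and flags the two ways a bucket becomes world-readable, an ACL grant to the AllUsers or AuthenticatedUsers group, or an Allow policy statement whose Principal is the wildcard. The bucket name, owner ID, account ID, role name and policies below are constructed for the example; the group URIs are the AWS-defined ones.

```python
import json

# AWS predefined group URIs; a grant to either one makes the bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}


def acl_public_grants(acl):
    """(grantee URI, permission) for each grant to a public group.
    `acl` is the dict returned by `aws s3api get-bucket-acl`."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _wildcard_principal(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Sid (or index) of each unconditional Allow to the wildcard principal.
    `policy` is the parsed document: json.loads() of the "Policy" string
    that `aws s3api get-bucket-policy` returns."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" narrows access; not a finding
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional public access: not flagged here, review by hand
        findings.append(stmt.get("Sid", "statement[%d]" % i))
    return findings


def audit_bucket(name, acl, policy=None):
    """One verdict per bucket from both checks (policy may be absent)."""
    acl_findings = acl_public_grants(acl)
    policy_findings = policy_public_statements(policy or {})
    return {"bucket": name,
            "public": bool(acl_findings or policy_findings),
            "acl_findings": acl_findings,
            "policy_findings": policy_findings}


# --- constructed sample data: not a real bucket, owner, account or role ---

# Before: the bucket is opened by an ACL grant and by a public-read policy.
LEAKY_ACL = json.loads("""{
  "Owner": {"ID": "0123456789abcdef0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}""")

LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backup-dump/*"}]}""")

# After: owner-only ACL, reads limited to one role, plus a Deny that only
# tightens access (wildcard principal, but Effect Deny and a Condition).
PRIVATE_ACL = json.loads("""{
  "Owner": {"ID": "0123456789abcdef0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"}]}""")

PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BackupReaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backup-dump/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::backup-dump", "arn:aws:s3:::backup-dump/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

if __name__ == "__main__":
    print(json.dumps(audit_bucket("backup-dump (before)", LEAKY_ACL, LEAKY_POLICY), indent=2))
    print(json.dumps(audit_bucket("backup-dump (after)", PRIVATE_ACL, PRIVATE_POLICY), indent=2))
```

To run it against real buckets, feed `audit_bucket` the output of `aws s3api get-bucket-acl --bucket NAME` and, where one exists, the `json.loads` of the `"Policy"` string from `aws s3api get-bucket-policy --bucket NAME` (a bucket with no policy returns a `NoSuchBucketPolicy` error, which is the `policy=None` case). Two caveats a practitioner will want: individual objects carry their own ACLs (`get-object-acl`), so a bucket that passes this check can still hold public objects, and S3 Block Public Access, which AWS added in November 2018 after this article was written, is the account-wide control that makes both kinds of grant ineffective.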
These cases offer valuable lessons on breach response, ethics and
prevention for enterprises and consumers alike. They should serve as potent
remedies for data breach fatigue. And if these breach lessons aren’t
heeded, then we’ll be doomed to repeat them for years to come.