[BreachExchange] Your personal data is only worth $3.20 and that’s a massive problem

Inga Goddijn inga at riskbasedsecurity.com
Wed Oct 5 19:43:19 EDT 2016


http://thenextweb.com/security/2016/10/05/personal-data-worth-3-20-thats-massive-problem/

Last year, hackers broke into the UK ISP TalkTalk
<http://thenextweb.com/uk/2015/02/27/talktalks-systems-breached-subscribers-info-stolen-and-used-in-scams/>
and stole the personal information of over 157,000 people. Among the
records stolen were bank details, including sort codes and account numbers.
It was Christmas for identity thieves.

Today, the UK’s Information Commissioner’s Office (ICO) fined TalkTalk a
record £400,000
<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/>
(slightly more than $500,000). This was the largest amount *any* company
has been fined after losing customer data, and is far more than the
£250,000 that Sony was fined <http://www.bbc.co.uk/news/technology-21160818>
in the aftermath of the 2011 PlayStation Network hack.

Explaining their decision, the Information Commissioner Elizabeth Denham
said that the “failure to implement the most basic cyber security measures
allowed hackers to penetrate TalkTalk’s systems with ease.”

“[hacking] is not an excuse for companies to abdicate their security
obligations. TalkTalk should and could have done more to safeguard its
customer information.”

When you read the ICO’s report, you get a sense of the staggering
negligence that allowed this data breach to take place. Put simply,
TalkTalk was sleeping on the job.

There were three different webpages that were vulnerable to an SQL
injection attack. This particular category of vulnerability is easy to
mitigate against, but TalkTalk had failed to scan these webpages for them.
It’s likely that the company was oblivious as to their existence, and to
the fact that they had access to TalkTalk’s customer database.

And now, TalkTalk has been punished. Kinda.

£400,000 sounds like an awful lot of money. I suppose that *it is* to most
people. But TalkTalk is a company with revenues of £1.795 billion ($2.25
billion), and the fine boils down to £2.50 (or $3.20) for each person
caught up in the leak. By every definition, it’s chump change.

It doesn’t begin to compare to the stress those caught up in the breach
have faced. These 157,000 victims are now at a heightened risk of falling
victim to financial crime or phishing attacks. They now have to
indefinitely monitor their credit for any irregularities.

Am I alone in thinking that the punishment doesn’t quite match the crime?
Goddammit, I want heads to roll.

I want to see TalkTalk – and other companies that screw up so egregiously –
hurt. I want the fines to actually be a punishment, rather than another
cost of doing business. And I want the people whose screw-ups are
responsible for the breaches to face actual personal consequences.

Company directors can face jail time in cases of corporate manslaughter. If
someone screws up so badly, over 100,000 people need to invest in credit
monitoring, then surely that person should also face some kind of
repercussion?

Maybe I’m a little extreme. I’m just sick and tired of companies –
Yahoo <http://thenextweb.com/insider/2016/09/22/yahoo-massive-breach/>,
LinkedIn
<http://thenextweb.com/insider/2016/05/18/hacker-is-selling-117-million-linkedin-logins-obtained-in-2012-breach/>,
LastFM
<http://thenextweb.com/insider/2016/09/02/last-fm-leak-shows-people-still-use-dumb-passwords/>
– screwing up so horrendously and getting away with it.