Commentary
11/1/2018 02:30 PM
Richard Ford
Where Is the Consumer Outrage about Data Breaches?

Facebook, Equifax, Cambridge Analytica ... Why do breaches of incomprehensible magnitude lead to a quick recovery for the businesses that lost or abused the data, and to so little lasting impact for the people whose information was stolen?

Facebook recently (and again) made the cybersecurity headlines, but for all the wrong reasons. As reported by numerous news organizations, on Sunday, September 16, Facebook engineers discovered that almost 50 million accounts had been compromised, and, weeks later, the public still doesn't know precisely what was taken, by whom, and for what purpose.

In more bad news for the company, the Irish Data Protection Commissioner also announced an official probe to check if Facebook complied with its obligations under the new General Data Protection Regulation. Coming relatively quickly on the heels of recent fines over the Cambridge Analytica scandal, it seems as if the company is entering stormy waters again.

Will these repercussions leave a lasting impact? That's a hard maybe. Historically, that's not how the aftereffects of breaches have played out in the commercial world. For example, cast your mind back to Equifax. Let's ignore how consumers felt about the company as the news of Equifax's woes broke, because that turns out to be irrelevant. Instead, let's get down to business … and I mean real business. Let's look at the stock price.

After the news became public, the company took a hard hit in the wallet, with its stock sliding to $95 per share from the previous day's $141. A slow recovery gave it a 52-week high of $138.69 (reached on September 18, 2018), nearly matching the level before the company announced it had lost the personal data of almost 150 million people. It seems that the breach led to a sharp decline, a year of recovery, and then business as usual. That's really quite a run, and not a particularly unusual pattern for news like this.

Such a recovery leads me to ask: Where is the outrage about breaches? Why does a breach of almost incomprehensible magnitude lead to such a quick recovery and so little lasting impact, despite long-term or even permanent consequences for those who lost their personal data?

My thesis for this is simple: We've become inured to data breaches. Our senses seared, if you will. Numb. At some level, we know they are bad, but a combination of factors has come together to mean that even with the best of intentions, the consequences to the stakeholder who lost the data are small compared with the potential impact on those whose data is now "out there" in the ether.

Three Drivers: Control, Consequences, Trust
To understand something this broad, I'm a big believer in perspective: We have to zoom out and take a more holistic view. To that end, I'd offer the following three drivers for our apparent laissez-faire attitude: a sense of a lack of control, the seeming absence of personal consequences, and the fundamental changes to trust that the last few years have witnessed.

First, there are huge issues around a sense of lack of control, and here users have a legitimate point. It's extremely difficult to protect one's own information online. Even if you opt out of social networks, use great passwords, and even switch to a more cash-only world, you are not going to be immune to data aggregation. Thus, people really don't have control in this space. That can lead to disengagement because there's a strong feeling that one's choices don't change the ultimate outcome. Faced with a world in which they sense no control, users just opt for convenience out of a type of denial.

The second issue is that there is no obvious and immediate connection between a breach and its personal consequences. For example, you decide to use a sketchy-looking website to buy something online because it's cheaper there. Months later, you notice some odd charges on your credit card, but you don't connect the cause to the effect. Another, more serious example: We read about mega-breaches such as Equifax in the headlines … and then nothing appears to happen. When something does actually cause an impact, say, you file your taxes only to discover an attacker has already snagged your refund, you don't make the connection. This lag between cyber events and personal events is a pernicious problem that's much broader than just breaches, and we need to think hard about ways to address it.

Finally, and this is a big one, there's the question of trust. In Rachel Botsman's excellent book Who Can You Trust? she argues, and I wholeheartedly agree, that how we trust has fundamentally shifted. While there was a time when our trust was based in brands and institutions, there has been a steady shift away from them to new models of trust … and distrust. Thus, there's a certain cynicism (we didn't trust them to begin with!) that means we don't expect better results than the ones we get. That belief then becomes a self-fulfilling prophecy.

What's at Stake
Combined, these factors have created the perfect storm that leaves us in an unenviable position. Logically, we know that much of the modern world is based on information and that putting this information in the wrong hands will have negative outcomes. In fact, I'd go so far as to say that breaches, and the ready availability of the information exposed as a result, create issues that go well beyond personal security and snake out to threaten the foundations of democracy worldwide.

The stakes are high, the implications enormous, and the clock is ticking with respect to the time to act. Maybe for Facebook, things will play out differently because of the new EU laws, or some of the other headwinds the company is facing around privacy and nation-state-level psychological operations. Who knows? But in general, I firmly believe that nothing real will change until there is a genuine and informed sense of outrage over breaches, and that outrage, sadly, seems to be wholly missing in action.


Dr. Richard Ford is the chief scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings over 25 years' experience in computer security, with knowledge in both offensive and defensive technology solutions.
Comments
RFordOnSecurity (User Rank: Author), 11/5/2018 | 6:45:40 AM
Re: Outrage: tracking the wrong thing.
It took me a while to think about this, but I think I now understand your reasoning. Here's the thing. While some countries claim to be democratic republics, you should mostly focus on the "democratic" part of that description. Thus, the lack of voter concern effectively makes this less of an issue for the politicians. In a true democracy, laws reflect the will of the people, and without *voter* outrage, companies (who sometimes have significant influence in the legislative process) will have a much larger role than we would like in shaping the next generation of laws.

I do agree laws help - but I think laws in the long term reflect the concerns of society, and thus the outrage really does matter. 

Lastly, for most senior executives in large companies, the largest part of compensation is tied to stock performance; thus, the stock price is a strong incentive for shaping the actions of C-Suite members. 
DonT183 (User Rank: Black Belt), 11/2/2018 | 4:24:32 PM
Outrage: tracking the wrong thing.
The cost of customer outrage is not in the stock price nor in the dust and ashes public. Mourning for the lost. Look here and one will never see the costs. Concluding a policy based on known short-term effects is logic worthy of the doomed Flying Dutchman. Doomed never to see the truth and cursed to manage a problem that was never rightly measured or seen. Look instead at the costs to the business in its avoidable customer retention costs. Look also for the new legislation pending with your firm name as its justification. Everyone knows that Enron and WorldCom caused the Sarbanes-Oxley regulations. We all bear the increased costs to comply consequentially. Honestly, a data breach could easily cost a firm 4% of its annual revenue in direct IT and customer retention clean-up costs. The fine for not reporting bound up in new European regulation has its basis in average damage experiences of firms that did report. These legal concepts are coming to a country near you. Watch that metric for better insight. Or, circle the oceans in a never-ending quest, guided by the wrong stars and never to see the problem for what it is.