I've very mixed feelings about Amazon, but one reason they continue to get my business is that they appear to keep payment information secure.
This is going to be the long term "no free pass" effect of such neglect. Or, if we actually have a "marketplace" with consumer choice, it will be. People will avoid the threat and hassle, and show elsewhere.
Only so far, the larger retailers -- and their incompetent management -- seem to be getting away with their neglect.
P.S. I'm not arguing against better regulation and effective penalties. Rather, I guess, while pointing out the "risk" of poorly serving the market, I'm saying that it doesn't really seem to be working, so far.
Why make an exception for retailers? Let's not give any institution a free pass on Data Breaches, including governments, the Equifaxes of this world and so on.
It's not the price this article is asking for, but if you think that those companies who have had big public credit card data breaches recently haven't seen their credit card processing fees shoot up, you're crazy. that's not the sort of thing that the payment industry lets slide.
That makes a lot of sense. Ultimately, credit card breaches are merely inconvenient to consumers, because fraudulent charges can be reversed. It's the card companies who care, because they eat the cost.
If I were a gambling man, I'd bet that would just lead to "data warehouse" subsidiaries that would hold the liability. In case of a leak, they'd "go broke", and another would be spun up in its place. Same thing is happening with temp agencies to shield employers from workplace injury liability.
I completely agree with you. Shit security should cost money. I just think it has to be something like data leak liability insurance. The costs of having shitty security would be reflected in higher insurance premiums. That way, financial math would be firmly on the side of keeping data secure, instead of limiting exposure via corporate shell games.
There must be a way to carefully craft the law to prevent those sorts of workarounds, no? For example, the business who is making the transaction with the person whose data is leaked is liable. So the consumers in the case of a retailer, or the businesses who use Equifax for background checks in that scenario.
Honestly, I don't know. That's not my field of expertise. I'm mostly just cynical about fines and penalties being paraded around as a curative measure, only to find out that the fines and penalties have such huge loopholes that entire corporations can fit through.
That's how it works with HIPAA. Patients interact with Covered Entities, and they can contract out to a third-party and sign a BAA. The third-party is then on the hook because if they fail at protecting data, the Covered Entity gets the sanction.
We can require bonds on good behavior (basically insurance, not to be confused with other types of bonds) - you can contract it out, but only if whoever contract has a bond for enough money.
Of course whoever backs the bond doens't want to pay, so they will do due diligence in relation to the value of the bond.
Data breaches are definitely not ideal. If there were legislations where penalties, enforcement, and audits added a large cost of the underlying goods I purchase, however, I’m not sure I would like that either. There’s an inherent risk in online businesses, no matter what policies are in place. I would say that whatever progress is made shouldn’t impede new businesses to come in and challenge incumbents or make the overall cost a barrier for less affluent users.
I would envision this system to be something such as:
We have a set of standards that define what negligence looks like for data breaches, security, etc. If a company is found to not adhere to these standards they would be found negligent and assessed some financial penalty.
If a company is found to be adhering to the standards, and is hit by a 0-day, the financial penalty would be negligible or 0.
This is a huge unsolved problem in journalism: reporting whether a company was wildly negligible and deserved to be punished, or did the right things and fell victim to “no org can be bulletproof”
Some standards like PCI attempt to do this, but to date they have no real teeth. GDPR may be the change we need.
I have deep concern that C-levels will learn that breaches don’t matter, just have a CISO you can behead and replace when it does.
There are certain things that are, collectively, patently negligent: storing passwords in plain text, not salting passwords, not using, at a minimum, software firewalls, etc. Those are fairly boolean. It's also fair to assume that any company that is hit with a 0-day is not negligent; even the best prepared companies are susceptible to them. So there is some decent guidelines to rely upon to demonstrate negligence or not on the extremes. Of course, in the middle it does, admittedly a bit gray. But the teeth that come into play would look exactly like GDPR.
Yes, I agree completely, that C-levels will see that the CISO is a replaceable widget that is nothing more than a scapegoat.
You only have to worry about penalties if you're deliberately doing something wrong. Auditing can be done internally, and if making sure you're not putting your customers at risk is too big of a task for a business, maybe the business needs to be re-thought.
> You only have to worry about penalties if you're deliberately doing something wrong.
I don't know how you define "deliberately doing something wrong" without either making it too broad or worthless.
It's rare that any organization "deliberately" exposes their customer information. It's also effectively impossible for any organization to guarantee that the data is unbreachable.
If you read up on the GDPR, the focus is on people 'deliberately doing something wrong'.. which could be not following proper security guidelines, not keeping proper records, not notifying the users in a timely manner, and all sorts of things that are very cut and dry.
It's perfectly possible to have a data breach and not get fined, and as long as you didn't do anything too careless that would allow a breach to happen you're probably in the clear.
Everyone knows there's no perfect system.. but in regards to what we're talking about it's much better to have personal data be a liability rather than an asset, because it puts incentive on companies to only use what they need and make efforts to protect it appropriately.
I don't think not following proper standard is deliberatelt doing something wrong.
What if I'm just unaware of the standard or incompetent?
Not all programmer who save password in plaintext starts by thinking "I'm going to intentionally doing this wrong so that it breaks all security guidelines".
And that's what the GDPR is aimed at stopping. People who work in food preperation who don't wash their hands after handling raw meat aren't thinking "I'm going to intentionally doing this wrong so that it it poisons everyone", but we still have regulations.
Who determines how much careless is "too" careless? "slightly careless" but with huge consequences is more concerning than "incredibly careless" but with no consequences.
Really the punishment should be matching the value of the breach. For example with HIPAA breaches, you can get fined $10k or so, PER RECORD -- obviously medical data is exceptionally more sensitive than most. Credit data should be covered under a HIPAA-like statute. Under HIPAA there's no such thing as "a little careless" -- you either f'ed up or you didn't. There's no gray area.
Not keeping up to date on security best practices is in itself deliberately doing something wrong.
Lets not pretend we will get a perfect law the first time around. Closing a few gaps is already a good first effort. We just need to be willing to close a few more as we discover them. Note too that there are always unintended consequences - we also need to be quick for calling for the elimination of a well intended law where the unintended result is a negative, even if it does get some bad actors.
Data security should not be a concern for retailers. This is only an issue because the architecture of the credit card payment network is fundamentally incorrect. If consumers could push payments to merchants, sign transactions using captive private keys, etc. then merchants would have nothing of value to leak. Creating ever more responsibility to protect our insane shared-secret-number scheme is deck chairs on the Titanic.
Bingo. Let's stop giving retailers a free pass on collecting our data. They can leak their own statistics all day long and only undermine their own competitiveness.
All this talk of "breaches" is a disingenuous framing to deflect from the root of the problem, similar to that continually-pushed nonsense of "identity theft". As if all the surveillance in the world is completely acceptable, just as long as some vague weird other doesn't gain access to that same capability!
Equifax shouldn't be put out of business for having leaked their trove, but for having collected all that surveillance data in the first place.
If one single judge would not give them a free pass, I think we would see a sea change in how computer security is handled across the industry. Put one CEO in prison for criminal negligence after a breach when it is found that they hired cheap, inexperienced, tiny staffs, overloaded them with work, and then ignored absolutely every warning they gave about insecure practices. Every company does this. It's how IT works in the modern world. Hire "engineers" as inexperienced and cheap as possible, give an MBA all the actual say in scheduling and release dates, and constantly complain about the technology that makes their business possible is too expensive.
It's amazing the effect a CEO locked in a cage for a few years like an animal has on the population of CEOs as a whole. Treat digital infrastructure like we treat real infrastructure. If people built bridges the way we build software infrastructure, rafts of executives would be rotting in prison.
> It's amazing the effect a CEO locked in a cage for a few years like an animal has on the population of CEOs as a whole. Treat digital infrastructure like we treat real infrastructure. If people built bridges the way we build software infrastructure, rafts of executives would be rotting in prison.
Never going to happen. Especially in the current 'business friendly' administration. This [1] book does a great job at explaining why. I don't think we'll see a CEO behind bars for anything white-collar in our generation. Sadly. Judges and prosecutors are political animals too, you know.
Honest question here- why is it that rage is always directed at the CEO? I mean, there's usually a CTO and / or a COO, plus a director and some other levels of management who actually make the decisions that lead to these scenarios.
I'm not sure whether I really agree with the singular focus on the CEO or C*O, but often one of the reasons that is given for their large paychecks is that they carry a lot of responsibilities. Following that, it would seem prudent to actually hold them responsible when something goes wrong, especially something with as much impact as a large-scale data breach.
Why would we hold them responsible for something going wrong if what went wrong wasn't their responsibility?
I've known a few CEOs (not personally) and not one of them was in charge of anyone who had these types of responsibilities, directly or indirectly.
Plenty of C-level and director types have large paychecks. To randomly place blame because of that would only make matters worse. Those responsible would have a convenient scapegoat, and CEOs would just demand higher salaries as compensation for taking on risks outside of their control.
Honestly, the whole "get the CEO" movement has always smacked of intellectual dishonesty to me, as though catharsis were in any way a decent value to base public policy on.
In both cases the amount of data leaked per person is huge, way more than just an email address or credit card number. And in both cases there was no way for customers to opt out of their data being gathered. Those two characteristics seem related. The most valuable data isn't going to be somewhere that is subject to regulations like GDPR. And it's going to be running on the same insecure stacks and practices as everything else we see. If we want to plug holes, these are the sorts of places where we need to begin. Facebook is a child's bagatelle in comparison. MyFitnessPal doesn't even register.
Good call. Those are the most devastating by far because the first is effectively a bad mail database while the second destroys most forms of identity proofing for all time.
Though it's unfair calling the OPM incident a "breach" as management of the database was outsourced to an outsourcer to an outsourcer so the final party had full read/write access over it for potentially years. As I noted at the time, every clearance granted or denied during that period must be reviewed.[0]
I agree. The media talked just as much about the Target POS breach as they did Equifax.
But losing credit card numbers is merely an inconvenience. CC users aren't even liable. On the other hand, losing your SSN and other supporting details can be devestating.
One the huuuugely under-appreciated benefits of Apple Pay is that it is immune to these retailer hacks.
It never transmits your card number or name to the retailer. Instead it uses a token (substitute number) that is tied to iPhone-based authentication. Even if stolen, it's useless.
So I don't think we should give retailers a pass, but the bigger issue here is the whole PCI compliance architecture was a security nightmare to begin with. We should usher in modern methods like Apple and Samsung Pay ASAP that remove that retailer vulnerability altogether.
As far as I understand it, Samsung Pay essentially replicates swiping your standard magnetic strip card. I don't see that as being in the same camp as Apple Pay for protecting your information.
Who's giving them a free pass to begin with? I'm still upset about Equifax and OPM/etc, but there's nothing that I can do about it. I don't really have choice but to participate in the credit bureau game. :/
"Let's Stop Giving Retailers a Free Pass on Data Breaches"? What a joke; the very headline conveys a sentiment that frames the debate around how out of touch corporate media (and thus any blind repeater site) is.
Corporate media has been giving passes with one-off coverage that often neglects to mention any proposals for remedying long-term public ramifications. But the public's interest isn't well served by corporate media nor is public interest properly evaluated by corporate media.
Let's also stop thinking the stock market is a proper means of evaluating something applicable to most people's interests, because that's never been true. The stock market has more to do with wealthy people than most people.
The corporate death penalty seems right and proper for very egregious offenses like credit rating agencies because the public will suffer the most and for the longest time (possibly the rest of their lives) when these records are insecure. Organizations will continue to lazily make evaluations based on these records but the records could have been tampered with. And judging by Equifax's successful lobbying, the ratings agencies get away with scarce punishment and therefore have little reason to care about fixing what they broke. Relatedly, it's time we stopped trusting so few organizations with something so precious. The market just isn't designed to handle truly important things, so we should stop trusting it to do so.
No, let's not give them or any other organization passes, but let's also realize that most of these organizations use proprietary software (untrustworthy by default) to keep that data secure where nobody (including the organization) simply can't do effective audits. How proprietary software works is a secret, so such software is structurally incapable of ever being reasonably considered a sound choice for data safety. And organization's choices affect user's data safety, so users have an interest in this but not enough control over how their data is stored.
> let's also realize that most of these organizations use proprietary software (untrustworthy by default)
This is completely incorrect. The only example of a data breach you gave was a result of open source software (Apache Struts for Equifax). Open source software has contributed to plenty of data breaches, and I seriously doubt you've ever audited the millions of open source packages and dependencies you're using.
This is bad corporate security, by believing this type of nonsense. Then you'd inadequately assign risk, and fail to protect against real threats, instead focusing on 1990's "M$" risk.
> How proprietary software works is a secret
I don't need to know how exactly software works to make calculated decisions about risk. We sign vendor service agreements with other companies, that give us assurances about their data handling practices, their audit/compliance history, etc. I can look at how vendors manage their PSA process, how transparent they are with security disclosures, things like that.
No the market in it purest form is designed to allocate resources. However the market isn't pure & personal data shouldn't be considered first as a resource. At least you can take comfort in the knowledge that the GDPR is coming into force this year for any company doing business in the EU..
It is very easy to stop data breaches. Make C-Suite executives and the board of directors personally liable for any breaches caused by failing to have appropriate security controls in place. I bet once a few of these executives were bankrupted for failing to implement adequate security controls, things would change pretty quick.
These executives get paid a large sum of money, and then skirt all responsibility when these things happen. They get fired and move onto the next gig like nothing ever happened. There is no accountability for these failings.
In Ancient Rome the builder/designer of an arch was required to stand under it as the wooden scaffolding was removed (the most dangerous time).
It is high time we re-introduced accountability into our governance systems.
51 comments
[ 2.9 ms ] story [ 120 ms ] threadThis is going to be the long term "no free pass" effect of such neglect. Or, if we actually have a "marketplace" with consumer choice, it will be. People will avoid the threat and hassle, and show elsewhere.
Only so far, the larger retailers -- and their incompetent management -- seem to be getting away with their neglect.
P.S. I'm not arguing against better regulation and effective penalties. Rather, I guess, while pointing out the "risk" of poorly serving the market, I'm saying that it doesn't really seem to be working, so far.
https://www.educationdive.com/news/cost-of-education-data-br...
HomeDepot: https://www.bankinfosecurity.com/court-clears-way-for-banks-...
Target: https://consumerist.com/2017/02/03/court-to-review-targets-1...
If you can't keep data secure you don't need to be in business.
http://projects.thestar.com/temp-employment-agencies/
I completely agree with you. Shit security should cost money. I just think it has to be something like data leak liability insurance. The costs of having shitty security would be reflected in higher insurance premiums. That way, financial math would be firmly on the side of keeping data secure, instead of limiting exposure via corporate shell games.
Of course whoever backs the bond doens't want to pay, so they will do due diligence in relation to the value of the bond.
We have a set of standards that define what negligence looks like for data breaches, security, etc. If a company is found to not adhere to these standards they would be found negligent and assessed some financial penalty.
If a company is found to be adhering to the standards, and is hit by a 0-day, the financial penalty would be negligible or 0.
Some standards like PCI attempt to do this, but to date they have no real teeth. GDPR may be the change we need.
I have deep concern that C-levels will learn that breaches don’t matter, just have a CISO you can behead and replace when it does.
Yes, I agree completely, that C-levels will see that the CISO is a replaceable widget that is nothing more than a scapegoat.
I don't know how you define "deliberately doing something wrong" without either making it too broad or worthless.
It's rare that any organization "deliberately" exposes their customer information. It's also effectively impossible for any organization to guarantee that the data is unbreachable.
It's perfectly possible to have a data breach and not get fined, and as long as you didn't do anything too careless that would allow a breach to happen you're probably in the clear.
Everyone knows there's no perfect system.. but in regards to what we're talking about it's much better to have personal data be a liability rather than an asset, because it puts incentive on companies to only use what they need and make efforts to protect it appropriately.
What if I'm just unaware of the standard or incompetent?
Not all programmer who save password in plaintext starts by thinking "I'm going to intentionally doing this wrong so that it breaks all security guidelines".
Who determines how much careless is "too" careless? "slightly careless" but with huge consequences is more concerning than "incredibly careless" but with no consequences.
Really the punishment should be matching the value of the breach. For example with HIPAA breaches, you can get fined $10k or so, PER RECORD -- obviously medical data is exceptionally more sensitive than most. Credit data should be covered under a HIPAA-like statute. Under HIPAA there's no such thing as "a little careless" -- you either f'ed up or you didn't. There's no gray area.
Lets not pretend we will get a perfect law the first time around. Closing a few gaps is already a good first effort. We just need to be willing to close a few more as we discover them. Note too that there are always unintended consequences - we also need to be quick for calling for the elimination of a well intended law where the unintended result is a negative, even if it does get some bad actors.
All this talk of "breaches" is a disingenuous framing to deflect from the root of the problem, similar to that continually-pushed nonsense of "identity theft". As if all the surveillance in the world is completely acceptable, just as long as some vague weird other doesn't gain access to that same capability!
Equifax shouldn't be put out of business for having leaked their trove, but for having collected all that surveillance data in the first place.
It's amazing the effect a CEO locked in a cage for a few years like an animal has on the population of CEOs as a whole. Treat digital infrastructure like we treat real infrastructure. If people built bridges the way we build software infrastructure, rafts of executives would be rotting in prison.
Never going to happen. Especially in the current 'business friendly' administration. This [1] book does a great job at explaining why. I don't think we'll see a CEO behind bars for anything white-collar in our generation. Sadly. Judges and prosecutors are political animals too, you know.
[1] https://www.amazon.com/Chickenshit-Club-Department-Prosecute...
I've known a few CEOs (not personally) and not one of them was in charge of anyone who had these types of responsibilities, directly or indirectly.
Plenty of C-level and director types have large paychecks. To randomly place blame because of that would only make matters worse. Those responsible would have a convenient scapegoat, and CEOs would just demand higher salaries as compensation for taking on risks outside of their control.
Honestly, the whole "get the CEO" movement has always smacked of intellectual dishonesty to me, as though catharsis were in any way a decent value to base public policy on.
* The OPM breach: https://www.opm.gov/cybersecurity/cybersecurity-incidents
* Equifax: https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breac...
In both cases the amount of data leaked per person is huge, way more than just an email address or credit card number. And in both cases there was no way for customers to opt out of their data being gathered. Those two characteristics seem related. The most valuable data isn't going to be somewhere that is subject to regulations like GDPR. And it's going to be running on the same insecure stacks and practices as everything else we see. If we want to plug holes, these are the sorts of places where we need to begin. Facebook is a child's bagatelle in comparison. MyFitnessPal doesn't even register.
Though it's unfair calling the OPM incident a "breach" as management of the database was outsourced to an outsourcer to an outsourcer so the final party had full read/write access over it for potentially years. As I noted at the time, every clearance granted or denied during that period must be reviewed.[0]
0 - http://caseysoftware.com/blog/opm-background-check-hack-a-di... (I had a clearance previously so I was included in this one.)
But losing credit card numbers is merely an inconvenience. CC users aren't even liable. On the other hand, losing your SSN and other supporting details can be devestating.
It never transmits your card number or name to the retailer. Instead it uses a token (substitute number) that is tied to iPhone-based authentication. Even if stolen, it's useless.
So I don't think we should give retailers a pass, but the bigger issue here is the whole PCI compliance architecture was a security nightmare to begin with. We should usher in modern methods like Apple and Samsung Pay ASAP that remove that retailer vulnerability altogether.
[1] https://www.samsung.com/us/support/answer/ANS00043932/
Corporate media has been giving passes with one-off coverage that often neglects to mention any proposals for remedying long-term public ramifications. But the public's interest isn't well served by corporate media nor is public interest properly evaluated by corporate media.
Let's also stop thinking the stock market is a proper means of evaluating something applicable to most people's interests, because that's never been true. The stock market has more to do with wealthy people than most people.
The corporate death penalty seems right and proper for very egregious offenses like credit rating agencies because the public will suffer the most and for the longest time (possibly the rest of their lives) when these records are insecure. Organizations will continue to lazily make evaluations based on these records but the records could have been tampered with. And judging by Equifax's successful lobbying, the ratings agencies get away with scarce punishment and therefore have little reason to care about fixing what they broke. Relatedly, it's time we stopped trusting so few organizations with something so precious. The market just isn't designed to handle truly important things, so we should stop trusting it to do so.
No, let's not give them or any other organization passes, but let's also realize that most of these organizations use proprietary software (untrustworthy by default) to keep that data secure where nobody (including the organization) simply can't do effective audits. How proprietary software works is a secret, so such software is structurally incapable of ever being reasonably considered a sound choice for data safety. And organization's choices affect user's data safety, so users have an interest in this but not enough control over how their data is stored.
This is completely incorrect. The only example of a data breach you gave was a result of open source software (Apache Struts for Equifax). Open source software has contributed to plenty of data breaches, and I seriously doubt you've ever audited the millions of open source packages and dependencies you're using.
This is bad corporate security, by believing this type of nonsense. Then you'd inadequately assign risk, and fail to protect against real threats, instead focusing on 1990's "M$" risk.
> How proprietary software works is a secret
I don't need to know how exactly software works to make calculated decisions about risk. We sign vendor service agreements with other companies, that give us assurances about their data handling practices, their audit/compliance history, etc. I can look at how vendors manage their PSA process, how transparent they are with security disclosures, things like that.
These executives get paid a large sum of money, and then skirt all responsibility when these things happen. They get fired and move onto the next gig like nothing ever happened. There is no accountability for these failings.
In Ancient Rome the builder/designer of an arch was required to stand under it as the wooden scaffolding was removed (the most dangerous time).
It is high time we re-introduced accountability into our governance systems.