23 comments

[ 2.9 ms ] story [ 58.9 ms ] thread
Is there ever a reason to do this intentionally for some sort of financial benefit where the known punishments really don't outweigh whatever the (I don't know what) benefits are? Obviously a loaded question here, I apologize in advance. But I can't help but wonder about it when something like this happens. Are there reasons that this information would want to be leaked? I'm not interested in arguments for Hanlon's razor.
The punishment for mishandling data does not outweigh the benefit in collecting it, that's why this keeps happening. At this point any 'punishment' is just 'operating costs', and only increases the value of collecting customer/client data.
Correct.

Also, up until about three years ago you could purchase cheap cyber security insurance. When Sony got hacked over “The Interview” policies went up.

Still, most companies don’t do anything to really prevent issues.

The punishment rolls down to the architects designing the system, who risk getting fired. Ultimately, they are the ones who decide if something is compliant or not. In my anecdotal experience;people in good rep tech companies take compliance requirements very, very seriously.

While the punishment may not have a huge adverse affect on the company, it does on the people implementing said systems. Being the one in the middle of a GDPR/SOC2 compliance oopsie means you lose all upward mobility in said company and risk getting fired.

(comment deleted)
Well of course, a bad agent who wished they had the data may simply pay off an insider to 'accidentally' set the permissions as public...

Consider Deep Root, the 198 Million records of detailed voter demographics left in an open S3 bucket. Maybe it was accidental, maybe it was plausible deniability for transferring the data to foreign entities. "We didn't collaborate, we were hacked !"

Intentionally leaking the data this way, probably not in most cases.

Intentionally choosing to accept the (increased) risk of such incidents instead of spending money to secure it properly, on the other hand, seems likely.

The cost of breaches for the company that allowed other people's data to get leaked is still way too low, so there is little incentive to secure the data appropriately. Additionally, costs/benefits in security are hard to measure. In business decision making, visible costs/benefits tend to win over invisible costs/benefits, so the very visible cost of paying someone to get it right has an additional disadvantage over the invisible risk of maybe, potentially, having to actually pay the (small) cost of a breach in the future.

The figure of 264GB doesn’t really tell us much, it would be more informative if they shared the # of people affected.
264GB in client profile pictures perhaps, that would be a lot of people affected!
if we can assume its mostly text data, then it speaks a bit to the scope.
It might be full of those scanned PDFs that are 100 MB each.
Therefore 2640 people? That's a lot of people.
"a log management server was leaking system-wide information"

Interesting. Similar to Facebook's issue with logs. Though it didn't leak outside the company in their case.

Elastic Search with no firewall or auth?
Well, I meant similar in that logs don't need to have sensitive info in them. Or that if they do, access should be really narrow.
I love how companies say no credit card data was leaked, and don't admit that everything else know to the company including client and employee PII data was there. All of these sorts of things can be turned into money including blackmail and identity theft.
And cc data is the very least important thing. Banks are required by law to return fraudulent charges. They are on the hook, not you.

As for having your identity stolen, that can be a very expensive and long drawn out process to recover from.

I wish companies were responsible, open, and honest.
But the DNC emails definitely weren't leaked and coincidentally the favorite past-time geopolitical scapegoat is the one to blame, also vote for us. ;)
Is there a product that tracks all the data infrastructure of the companies including the log and analytics systems and detects if there's any sensitive data in it?
There are products that look for patterns that might be PII like SSNs, CC numbers, etc.

Google for something like "pii scanning".

It looks like they're mostly designed for desktop. It would be a good idea to make it compatible for cloud IMO. Could be a good startup idea, anyone interested might shoot me an email. :)
For the existing cloud ones, search for: casb pii