Is there ever a reason to do this intentionally for some sort of financial benefit where the known punishments really don't outweigh whatever the (I don't know what) benefits are? Obviously a loaded question here, I apologize in advance. But I can't help but wonder about it when something like this happens. Are there reasons that this information would want to be leaked? I'm not interested in arguments for Hanlon's razor.
The punishment for mishandling data does not outweigh the benefit in collecting it, that's why this keeps happening. At this point any 'punishment' is just 'operating costs', and only increases the value of collecting customer/client data.
The punishment rolls down to the architects designing the system, who risk getting fired. Ultimately, they are the ones who decide if something is compliant or not. In my anecdotal experience;people in good rep tech companies take compliance requirements very, very seriously.
While the punishment may not have a huge adverse affect on the company, it does on the people implementing said systems. Being the one in the middle of a GDPR/SOC2 compliance oopsie means you lose all upward mobility in said company and risk getting fired.
Well of course, a bad agent who wished they had the data may simply pay off an insider to 'accidentally' set the permissions as public...
Consider Deep Root, the 198 Million records of detailed voter demographics left in an open S3 bucket. Maybe it was accidental, maybe it was plausible deniability for transferring the data to foreign entities. "We didn't collaborate, we were hacked !"
Intentionally leaking the data this way, probably not in most cases.
Intentionally choosing to accept the (increased) risk of such incidents instead of spending money to secure it properly, on the other hand, seems likely.
The cost of breaches for the company that allowed other people's data to get leaked is still way too low, so there is little incentive to secure the data appropriately. Additionally, costs/benefits in security are hard to measure. In business decision making, visible costs/benefits tend to win over invisible costs/benefits, so the very visible cost of paying someone to get it right has an additional disadvantage over the invisible risk of maybe, potentially, having to actually pay the (small) cost of a breach in the future.
I love how companies say no credit card data was leaked, and don't admit that everything else know to the company including client and employee PII data was there. All of these sorts of things can be turned into money including blackmail and identity theft.
But the DNC emails definitely weren't leaked and coincidentally the favorite past-time geopolitical scapegoat is the one to blame, also vote for us. ;)
Is there a product that tracks all the data infrastructure of the companies including the log and analytics systems and detects if there's any sensitive data in it?
It looks like they're mostly designed for desktop. It would be a good idea to make it compatible for cloud IMO. Could be a good startup idea, anyone interested might shoot me an email. :)
23 comments
[ 2.9 ms ] story [ 58.9 ms ] threadAlso, up until about three years ago you could purchase cheap cyber security insurance. When Sony got hacked over “The Interview” policies went up.
Still, most companies don’t do anything to really prevent issues.
While the punishment may not have a huge adverse affect on the company, it does on the people implementing said systems. Being the one in the middle of a GDPR/SOC2 compliance oopsie means you lose all upward mobility in said company and risk getting fired.
Consider Deep Root, the 198 Million records of detailed voter demographics left in an open S3 bucket. Maybe it was accidental, maybe it was plausible deniability for transferring the data to foreign entities. "We didn't collaborate, we were hacked !"
Intentionally choosing to accept the (increased) risk of such incidents instead of spending money to secure it properly, on the other hand, seems likely.
The cost of breaches for the company that allowed other people's data to get leaked is still way too low, so there is little incentive to secure the data appropriately. Additionally, costs/benefits in security are hard to measure. In business decision making, visible costs/benefits tend to win over invisible costs/benefits, so the very visible cost of paying someone to get it right has an additional disadvantage over the invisible risk of maybe, potentially, having to actually pay the (small) cost of a breach in the future.
Interesting. Similar to Facebook's issue with logs. Though it didn't leak outside the company in their case.
As for having your identity stolen, that can be a very expensive and long drawn out process to recover from.
Google for something like "pii scanning".