All these endless data breaches could be reduced if we fixed the incentives, but that's difficult. We could never stop it, because humans make mistakes, and big groups of humans make lots of mistakes. That doesn't mean we shouldn't try.
It seems to me a parallel path that should be pursued is to make the impact less damaging. Don't assume that things like birth dates, names, addresses, phone numbers, emails, SSNs, etc are private. Shut down the avenues that people use to "steal identities".
I hate the term stealing identity, because it implies the victim made some mistake to allow it to happen. When what really happened is the company was lazy to verify that the person they're doing business with is actually who they say they are. The onus and liability should be on the company involved. If a bank gives a loan to you under my name, it should be their problem, not mine. It would go away practically overnight as a problem if that were changed. Companies would be strict about verifying people, because otherwise they'd lose money. Incentives align.
Identify theft is not the only issue with data leaks / breaches, but it seems one of the more tractable.
This will never, ever, ever stop happening until executives start going bankrupt and/or to jail for negligence. Even then it won’t stop, but it would at least decrease in frequency and severity.
> “On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life,” referring to a customer relationship management (CRM) database containing information on its customers.
So who the hell was the "third-party, cloud-based CRM system"?
The punishment for poor data security is so low it’s not worth paying for it in most companies. And of course the government makes it nearly impossible to change your ssn yet still uses it as a means of verifying so almost everyone is exposed by now.
Kinda frustrating the last few months I've had to upload bank statements and payslips to rent a house and also refinance a mortgage. I know all my financial details are out there floating and invevitably get leaked. I should be able to upload somewhere temporary where these docs are checked then safely deleted.
I was on the train when some executive support staff joined my car (train ran late and they were easy to find on the internet ...). They behaved like misogynistic ogres and I can vividly imagine those people laugh about this. 0 regard for other people or their societal responsibility.
Mandatory £1000 fine per record lost. Would be company-terminal for companies with millions of customers - and thats right. Right now it's just cheaper to not care, then send a trite apology email when all the data inevitably gets stolen.
The status quo, nobody gives a crap, with the regulators literally doing nothing, cannot continue. In the UK, the ICO is as effective as Ofwat. (The regulator that was just killed for being pointlessly and dangerously usless)
I say this often, and it's quite an unpopular idea, and I'm not sure why.
Security researchers, white-hat hackers, and even grey-hat hackers should have strong legal protections so long as they report any security vulnerabilities that they find.
The bad guys are allowed to constantly scan and probe for security vulnerabilities, and there is no system to stop them, but if some good guys try to do the same they are charged with serious felony crimes.
Experience has show we cannot build secure systems. It may be an embarrassing fact, but many, if not all, of our largest companies and organizations are probably completely incapable of building secure systems. I think we try to avoid this fact by not allowing red-team security researches to be on the lookout.
It's funny how everything has worked out for the benefit of companies and powerful organizations. They say "no, you can't test the security of our systems, we are responsible for our own security, you cannot test our security without our permission, and also, if we ever leak data, we aren't responsible".
So, in the end, these powerful organizations are both responsible for their own system security, and yet they also are not responsible, depending on whichever is more convenient at the time. Again, it's funny how it works out that way.
Are companies responsible for their own security, or is this all a big team effort that we're all involved in? Pick a lane. It does feel like we're all involved when half the nation's personal data is leaked every other week.
And this is literally a matter of national security. Is the nation's power grid secure? Maybe? I don't know, do independent organizations verify this? Can I verify this myself by trying to hack the power grid (in a responsible white-hat way)? No, of course not; I would be committing a felony to even try. Enabling powerful organizations to hide their security flaws in their systems, that's the default, they just have to do nothing and then nobody is allowed to research the security of their systems, nobody is allowed to blow the whistle.
We are literally sacrificing national security for the convenience of companies and so they can avoid embarrassment.
Ignoring the whole pain in the ass this will be for their customers—at what point does this become a tragedy of the commons failure? Actually, I don’t know the case-law on this sort of stuff. If your bank authenticates using credentials that are generally publicly known by black-hats for most people—stuff like your social security number and some random
bits of trivia (mothers maiden name)—shouldn’t they be responsible for any breaches?
Fundamentally the issue is that companies are just not investing enough in engineering and IT. When you farm out this work to offshore workers on a shoestring budget, the result is utterly predictable.
Is there any consequence? I’ve seen now a new practice where companies won’t even tell you what was compromised. For example a big one last year (?) was at the University of Washington. I had family receive vague letters saying some other place called Fred Hutch cancer center got hacked, and for some reason, the patient data of the university’s own hospitals was shared with this other place (even though they aren’t patients of Fred Hutch). Both Fred Hutch and UW refuse to tell individuals what data of theirs was compromised, but just say it can include all personal info including medical records and test results and social security numbers. It’s infuriating to just see a vague letter with free credit monitoring from companies that should be doing more and fined more.
That’s partially due to SF devs not knowing enough about the product but also due to Salesforce treating security as an afterthought.
For a poorly configured implementation it takes 2 web requests as an unauthenticated user to know all of the data you can pull down and then do it.
Don’t even get me started on the complete lack of monitoring. I basically had to design an entire security monitoring setup outside of Salesforce using their (absolutely awful) logs to get anything close to usable.
Edit: here’s a guide someone wrote. https://www.varonis.com/blog/misconfigured-salesforce-experi...
Seriously, you can automate this and then throw it at the end of recon to find SF sites. I’ve done it.
I don't know how the social engineering happened, beyond what's mentioned in the article as a possibility (calling helpdesks). But there's a ton of corporate information that's widely available for exploitation.
LinkedIn, for example is a goldmine for social engineering, and there's no way to secure a profile from being viewed by logged-in users, even if they are unconnected.
I'm surprised more employers don't closely audit their employees profiles.
30 comments
[ 3.8 ms ] story [ 47.8 ms ] threadOur industry is pathetic.
It seems to me a parallel path that should be pursued is to make the impact less damaging. Don't assume that things like birth dates, names, addresses, phone numbers, emails, SSNs, etc are private. Shut down the avenues that people use to "steal identities".
I hate the term stealing identity, because it implies the victim made some mistake to allow it to happen. When what really happened is the company was lazy to verify that the person they're doing business with is actually who they say they are. The onus and liability should be on the company involved. If a bank gives a loan to you under my name, it should be their problem, not mine. It would go away practically overnight as a problem if that were changed. Companies would be strict about verifying people, because otherwise they'd lose money. Incentives align.
Identify theft is not the only issue with data leaks / breaches, but it seems one of the more tractable.
Unless it's e2e encrypted (like in Proton Mail or Proton Drive), these incidents will occur. Manage your risk accordingly.
So who the hell was the "third-party, cloud-based CRM system"?
The status quo, nobody gives a crap, with the regulators literally doing nothing, cannot continue. In the UK, the ICO is as effective as Ofwat. (The regulator that was just killed for being pointlessly and dangerously usless)
(Edit: fix autocorrect)
Security researchers, white-hat hackers, and even grey-hat hackers should have strong legal protections so long as they report any security vulnerabilities that they find.
The bad guys are allowed to constantly scan and probe for security vulnerabilities, and there is no system to stop them, but if some good guys try to do the same they are charged with serious felony crimes.
Experience has show we cannot build secure systems. It may be an embarrassing fact, but many, if not all, of our largest companies and organizations are probably completely incapable of building secure systems. I think we try to avoid this fact by not allowing red-team security researches to be on the lookout.
It's funny how everything has worked out for the benefit of companies and powerful organizations. They say "no, you can't test the security of our systems, we are responsible for our own security, you cannot test our security without our permission, and also, if we ever leak data, we aren't responsible".
So, in the end, these powerful organizations are both responsible for their own system security, and yet they also are not responsible, depending on whichever is more convenient at the time. Again, it's funny how it works out that way.
Are companies responsible for their own security, or is this all a big team effort that we're all involved in? Pick a lane. It does feel like we're all involved when half the nation's personal data is leaked every other week.
And this is literally a matter of national security. Is the nation's power grid secure? Maybe? I don't know, do independent organizations verify this? Can I verify this myself by trying to hack the power grid (in a responsible white-hat way)? No, of course not; I would be committing a felony to even try. Enabling powerful organizations to hide their security flaws in their systems, that's the default, they just have to do nothing and then nobody is allowed to research the security of their systems, nobody is allowed to blow the whistle.
We are literally sacrificing national security for the convenience of companies and so they can avoid embarrassment.
The risks associated with medical malpractice certainly slows the pace of innovation in healthcare, but maybe that’s ok.
LinkedIn, for example is a goldmine for social engineering, and there's no way to secure a profile from being viewed by logged-in users, even if they are unconnected.
I'm surprised more employers don't closely audit their employees profiles.