
Attacks/Breaches

11/1/2018 02:30 PM
Richard Ford
Commentary

Where Is the Consumer Outrage about Data Breaches?

Facebook, Equifax, Cambridge Analytica ... Why do breaches of incomprehensible magnitude lead to a quick recovery for the businesses that lost or abused the data and such little lasting impact for the people whose information is stolen?

Facebook recently (and again) made the cybersecurity headlines, but for all the wrong reasons. As reported by numerous news organizations, on Sunday, September 16, Facebook engineers discovered that almost 50 million accounts had been compromised, and, weeks later, the public still doesn't know precisely what was taken, by whom, and for what purpose.

In more bad news for the company, the Irish Data Protection Commissioner also announced an official probe to check if Facebook complied with its obligations under the new General Data Protection Regulation. Coming relatively quickly on the heels of recent fines over the Cambridge Analytica scandal, it seems as if the company is entering stormy waters again.

Will these repercussions leave a lasting impact? That's a hard maybe. Historically, that's not how the aftereffects of breaches have played out in the commercial world. For example, cast your minds back to Equifax. Let's ignore how consumers felt about the company as the news of Equifax's woes broke, because that is irrelevant. Instead, let's get down to business … and I mean real business. Let's look at the stock price.

After the news became public, the company took a hard hit in the wallet, with its stock sliding to $95 per share, from the previous day's $141. A slow recovery gave it a 52-week high of $138.69 (reached on September 18, 2018), nearly matching the level before the company announced it had lost the personal data of almost 150 million people. It seems that the breach led to a sharp decline, a year of recovery, and then business as usual. That's really quite a run — and not a particularly unique pattern on news like this.

Such a recovery leads me to ask: Where is the outrage about breaches? Why does a breach of almost incomprehensible magnitude lead to such a quick recovery and so little lasting impact, despite long-term or even permanent consequences for those who lost their personal data?

My thesis for this is simple: We've become inured to data breaches. Our senses seared, if you will. Numb. At some level, we know they are bad, but a combination of factors has come together to mean that even with the best of intentions, the consequences to the stakeholder who lost the data are small compared with the potential impact on those whose data is now "out there" in the ether.

Three Drivers: Control, Consequences, Trust
To understand something this broad, I'm a big believer in perspective: We have to zoom out and take a more holistic view. To that end, I'd offer the following three drivers for our apparent laissez-faire attitude: a sense of a lack of control, the seeming absence of personal consequences, and the fundamental changes to trust that the last few years have witnessed.

First, there are huge issues around a sense of lack of control — and in this, users have a legitimate point. It's extremely difficult to protect one's own information online. Even if you opt out of social networks, use great passwords, and even switch to a more cash-only world, you are not going to be immune to data aggregation. Thus, people really don't have control in this space. That can lead to disengagement because there's a strong feeling that one's choices don't change the ultimate outcome. Faced with a world where one has a sense of no control, users just opt for convenience out of a type of denial.

The second issue is that there is no obvious and immediate connection between the breach and its personal consequences. For example, you decide to use a sketchy-looking website to buy something online because it's cheaper there. Months later, you notice some odd charges on your credit card, but you don't connect the cause to the effect. Another, more serious example: We read about mega-breaches such as Equifax in the headlines … and then nothing appears to happen. When something does actually cause an impact — for example, you file your taxes only to discover an attacker has already snagged your rebate — you don't make the connection. This lag time between cyber events and personal events is a pernicious problem that's much broader than just breaches, and we need to think hard about ways to address it.

Finally, and this is a big one, there's the question of trust. In Rachel Botsman's excellent book Who Can You Trust? she argues — and I wholeheartedly agree — that how we trust has fundamentally shifted. While there was a time when our trust was based in brands and institutions, there has been a steady shift away to new models of trust … and distrust. Thus, there's a certain cynicism (we didn't trust them to begin with!) that means we don't expect better results than the ones we get. That belief then becomes a self-fulfilling prophecy.

What's at Stake
Combined, these factors have created the perfect storm that leaves us in an unenviable position. Logically, we know that much of the modern world is based on information and that by putting this information in the wrong hands, there will be negative outcomes. In fact, I'd go so far as to say that breaches and the ready availability of the information exposed as a result create issues that go well beyond personal security and snake out to threaten the foundations of democracy worldwide.

The stakes are high, the implications enormous, and the clock is ticking with respect to the time to act. Maybe for Facebook, things will play out differently because of the new EU laws, or some of the other headwinds the company is facing around privacy and nation-state-level psychological operations. Who knows? But in general, I firmly believe that nothing real will change until there is a genuine and informed sense of outrage over breaches, and that outrage, sadly, seems to be wholly missing in action.


Dr. Richard Ford is the chief scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings over 25 years' experience in computer security, with knowledge in both offensive and defensive technology solutions. During his career, ...

Comments
RFordOnSecurity, User Rank: Author
11/5/2018 | 6:45:40 AM
Re: Outrage: tracking the wrong thing.
It took me a while to think about this, but I think I now understand your reasoning. Here's the thing. While some countries claim to be democratic republics, you should mostly focus on the "democratic" part of that description. Thus, the lack of voter concern effectively makes this less of an issue for the politicians. In a true democracy, laws reflect the will of the people, and without *voter* outrage companies (who sometimes have significant influence in the legislative process) will have a much larger role than we would like in shaping the next generation of laws.

I do agree laws help - but I think laws in the long term reflect the concerns of society, and thus the outrage really does matter.

Lastly, for most senior executives in large companies, the largest part of compensation is tied to stock performance; thus, the stock price is a strong incentive for shaping the actions of C-Suite members.
DonT183, User Rank: Black Belt
11/2/2018 | 4:24:32 PM
Outrage: tracking the wrong thing.
The cost of customer outrage is not in the stock price nor in the dust and ashes public. Mourning for the lost. Look here and one will never see the costs. Concluding a policy based on known short term effects is logic worthy of the doomed Flying Dutchmen. Doomed never to see the truth and cursed to manage a problem that was never rightly measured or seen. Look instead at the costs to the business in its avoidable customer retention costs. Look also for the new legislation pending with your firm name as its justification. Everyone knows that Enron and WorldCom caused the Sarbanes-Oxley regulations. We all bear the increased costs to comply consequentially. Honestly a data breach could easily cost a firm 4% of its annual revenue in direct IT and customer retention clean-up costs. The fine for not reporting bound up in new European regulation has its basis in average damage experiences of firms that did report. These legal concepts are coming to a country near you. Watch that metric for better insight. Or, circle the oceans in a never-ending quest, guided by the wrong stars and never to see the problem for what it is.