
Attacks/Breaches

11/1/2018
02:30 PM
Richard Ford
Commentary

Where Is the Consumer Outrage about Data Breaches?

Facebook, Equifax, Cambridge Analytica ... Why do breaches of incomprehensible magnitude lead to a quick recovery for the businesses that lost or abused the data, and to such little lasting impact for the people whose information was stolen?

Facebook recently (and again) made the cybersecurity headlines, but for all the wrong reasons. As reported by numerous news organizations, on Sunday, September 16, Facebook engineers discovered that almost 50 million accounts had been compromised, and, weeks later, the public still doesn't know precisely what was taken, by whom, and for what purpose.

In more bad news for the company, the Irish Data Protection Commissioner also announced an official probe to check if Facebook complied with its obligations under the new General Data Protection Regulation. Coming relatively quickly on the heels of recent fines over the Cambridge Analytica scandal, it seems as if the company is entering stormy waters again.

Will these repercussions leave a lasting impact? That's a hard maybe. Historically, that's not how the aftereffects of breaches have played out in the commercial world. For example, cast your minds back to Equifax. Let's ignore how consumers felt about the company as the news of Equifax's woes broke, because that is irrelevant. Instead, let's get down to business … and I mean real business. Let's look at the stock price.

After the news became public, the company took a hard hit in the wallet, with its stock sliding to $95 per share, from the previous day's $141. A slow recovery gave it a 52-week high of $138.69 (reached on September 18, 2018), nearly matching the level before the company announced it had lost the personal data of almost 150 million people. It seems that the breach led to a sharp decline, a year of recovery, and then business as usual. That's really quite a run — and not a particularly unique pattern on news like this.

Such a recovery leads me to ask: Where is the outrage about breaches? Why does a breach of almost incomprehensible magnitude lead to such a quick recovery and so little lasting impact, despite long-term or even permanent consequences for those who lost their personal data?

My thesis for this is simple: We've become inured to data breaches. Our senses seared, if you will. Numb. At some level, we know they are bad, but a combination of factors has come together to mean that even with the best of intentions, the consequences to the stakeholder who lost the data are small compared with the potential impact on those whose data is now "out there" in the ether.

Three Drivers: Control, Consequences, Trust
To understand something this broad, I'm a big believer in perspective: We have to zoom out and take a more holistic view. To that end, I'd offer the following three drivers for our apparent laissez-faire attitude: a sense of a lack of control, the seeming absence of personal consequences, and the fundamental changes to trust that the last few years have witnessed.

First, there are huge issues around a sense of lack of control — and in this, users have a legitimate point. It's extremely difficult to protect one's own information online. Even if you opt out of social networks, use great passwords, and even switch to a more cash-only world, you are not going to be immune to data aggregation. Thus, people really don't have control in this space. That can lead to disengagement because there's a strong feeling that one's choices don't change the ultimate outcome. Faced with a world where one has a sense of no control, users just opt for convenience out of a type of denial.

The second issue is that there is no obvious and immediate connection between a breach and its personal consequences. For example, you decide to use a sketchy-looking website to buy something online because it's cheaper there. Months later, you notice some odd charges on your credit card, but you don't connect the cause to the effect. Another more serious example: We read about mega-breaches such as Equifax in the headlines … and then nothing appears to happen. When something does actually cause an impact — for example, you file your taxes only to discover an attacker has already snagged your rebate — you don't make the connection. This lag between cyber events and personal events is a pernicious problem that's much broader than just breaches, and we need to think hard about ways to address it.

Finally, and this is a big one, there's the question of trust. In Rachael Botsman's excellent book Who Can You Trust? she argues — and I wholeheartedly agree — that how we trust has fundamentally shifted. While there was a time that our trust was based in brands and institutions, there has been a steady shift away to new models of trust … and distrust. Thus, there's a certain cynicism (we didn't trust them to begin with!) that means we don't expect better results than the ones we get. That belief then becomes a self-fulfilling prophecy.

What's at Stake
Combined, these factors have created the perfect storm that leaves us in an unenviable position. Logically, we know that much of the modern world is based on information and that putting this information in the wrong hands will have negative outcomes. In fact, I'd go so far as to say that breaches, and the ready availability of the information exposed as a result, create issues that go well beyond personal security and snake out to threaten the foundations of democracy worldwide.

The stakes are high, the implications enormous, and the clock is ticking with respect to the time to act. Maybe for Facebook, things will play out differently because of the new EU laws, or some of the other headwinds the company is facing around privacy and nation-state-level psychological operations. Who knows? But in general, I firmly believe that nothing real will change until there is a genuine and informed sense of outrage over breaches, and that outrage, sadly, seems to be wholly missing in action.


Dr. Richard Ford is the chief scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings over 25 years' experience in computer security, with knowledge in both offensive and defensive technology solutions. During his career, ...
RFordOnSecurity,
User Rank: Author
11/5/2018 | 6:45:40 AM
Re: Outrage: tracking the wrong thing.
It took me a while to think about this, but I think I now understand your reasoning. Here's the thing. While some countries claim to be democratic republics, you should mostly focus on the "democratic" part of that description. Thus, the lack of voter concern effectively makes this less of an issue for the politicians. In a true democracy, laws reflect the will of the people, and without *voter* outrage, companies (who sometimes have significant influence in the legislative process) will have a much larger role than we would like in shaping the next generation of laws.

I do agree laws help - but I think laws in the long term reflect the concerns of society, and thus the outrage really does matter. 

Lastly, for most senior executives in large companies, the largest part of compensation is tied to stock performance; thus, the stock price is a strong incentive for shaping the actions of C-Suite members. 
DonT183,
User Rank: Black Belt
11/2/2018 | 4:24:32 PM
Outrage: tracking the wrong thing.
The cost of customer outrage is not in the stock price nor in the dust and ashes public. Mourning for the lost. Look here and one will never see the costs. Concluding a policy based on known short-term effects is logic worthy of the doomed Flying Dutchmen. Doomed never to see the truth and cursed to manage a problem that was never rightly measured or seen. Look instead at the costs to the business in its avoidable customer retention costs. Look also for the new legislation pending with your firm name as its justification. Everyone knows that Enron and WorldCom caused the Sarbanes-Oxley regulations. We all bear the increased costs to comply consequentially. Honestly, a data breach could easily cost a firm 4% of its annual revenue in direct IT and customer retention clean-up costs. The fine for not reporting bound up in new European regulation has its basis in average damage experiences of firms that did report. These legal concepts are coming to a country near you. Watch that metric for better insight. Or, circle the oceans in a never-ending quest, guided by the wrong stars and never to see the problem for what it is.