Biggest Breach Ever? Wait ‘Til Tomorrow!


Biggest Breach Ever?

Yesterday: THIS is the BIGGEST breach ever!

Today: No, THIS is the BIGGEST breach ever!

Tomorrow: You’re both wrong. Now THIS is the BIGGEST breach ever!

At one point in time, not too long ago, data breaches were newsworthy. They happened so infrequently that when they did, they were big-time news stories. Having worked in the compliance investigation area of the big data industry, I’ve overseen a lot of breach investigations, and they were all big stories at the time.

Lately, however, there have been so many breaches that one needs a scorecard, run on a mainframe (24×7), to keep up. In fact, the word Heartland seems like nothing but a fading memory now. Yet, in 2009 it was the biggest breach story of the time.

Today, I saw a story pop up in my inbox from Krebs on Security: Sony Breach May Have Exposed Employee Healthcare, Salary Data.

Then this story from Security Current: Why the Sony Breach May be the Most Significant Security Breach in US History.

Here’s a new twist, an author not saying it’s the BIGGEST breach but the most SIGNIFICANT!

“You say tomato, I say tom-ah-to.” It’s just semantics.

This started me thinking about all the breach information being reported and the impact it’s having on consumers and businesses, or not, as the case may be.

Krebs Count

I started reading Krebs on Security sometime last year. Brian’s great and he definitely knows his stuff. He reports on security issues with hard-hitting facts. To get stories, he gets down and dirty, delving deep into cyberspace where others wouldn’t dream of going. Brian’s the quintessential “thorn in a spammer’s side.”

As a barometer on the impact of breach stories reported on entities, I thought it would be interesting to go back and take a look at 6 months of Krebs on Security from my inbox to see what Brian’s been reporting. From an informal count, I found that 25/73 (35%) of his blogs had some reference to a breach.

Okay, to be fair, that also means that two-thirds of the time he’s reporting on other issues, so breaches are hardly 100% of his focus.

But he’s not the only tech reporter on the face of the planet. Other reporters, institutes, associations and news sources are reporting (often after he does) breach stories, statistics, loss amounts, consumers impacted, cards affected, privacy issues, etc., although most of the reporters aren’t going as in-depth as Brian’s investigations do.

The fact is that breaches, like wars, are big business. A cottage industry has sprung up with companies who do nothing but support victims of breaches (both businesses and individuals).

Like the slogan said on a sewage pumper truck I saw years ago in Virginia, “Your crap is our bread and butter!” Breach translation: your misfortune is someone else’s (criminals or breach mitigation companies) fortune.

Data Breaches: We’ve Become Desensitized

The news reports about data breaches are astounding. Hardly a day goes by where you don’t hear the word “breach” from someone!

When people get too much of something, they become desensitized to it. Remember that song you just loved the first time you heard it on the radio? Then you changed the channel and heard it again and again and again.

The 93rd time you heard the song in a week you felt like chucking your radio out the car window and didn’t care if you ever heard it again. It’s called o-v-e-r-k-i-l-l and it happens all the time. Too much of anything isn’t a good thing.

Has the massive amount of breach reporting now turned out to be “the boy who cried wolf” story? Sure, the wolf (data thieves) ultimately showed up and ate his sheep (your data), but by then no one was paying attention.

When the boy cried “wolf” repeatedly it desensitized the villagers to the danger alert. Have we arrived at a place where breach reporting is having the same impact? People have heard reporters say “breach” so many times that they’ve just turned it off? Things that make you go hmmm…

Breach Here – Breach There – Breach Everywhere

There are A LOT of breaches occurring. What used to only happen occasionally happens with incredible regularity now.

Q – When was the last breach that occurred?

A – What time is it now? (Looking at watch)

In September of this year, USA TODAY cited a Ponemon Institute study saying that 43% of companies surveyed had a breach in the last year. Rounding up a bit, that’s almost half. Reading that story, it’s an alarming number which should keep people in your company up at night.

Maybe, however, it isn’t. The fact is that there are so many breaches occurring, and most of them end up as news stories. This leads me to wonder whether we’ve totally oversaturated the news with breach stories to the point where people and companies have become “numb” to them.

I’m not saying we shouldn’t report breach stories because they’re obviously newsworthy. Instead, I’m questioning what the impact of all these breach stories really is on companies and individuals.

What’s the Breach Reporting Takeaway?

Looking back at Brian’s blog activity hardly constitutes a scientific study. However, the fact is that on the surface a third of his blogs, and the number may actually be higher, reference a data breach somewhere.

Again, to be fair, Brian’s investigative reporting reflects the real world and in the real world breach events are happening regularly at companies all around the globe. So, he’s just doing what reporters do…covering current events.

The question I’m posing is: have there been so many breaches reported that the information’s end users (consumers and companies) have “tuned out” all the noise and “chucked their radios out the window”?

Those of us in the industry read the stories but the reality is that we may have already lost the attention of the people who need the information the most: businesses and consumers who must defend themselves against the possibility of breach victimization.

The Bottom Line

In my opinion, an even bigger story than the one stating that almost 50% of companies surveyed have been breached is one that delves into what’s wrong with the methods companies are currently using to protect data.

The reality behind all these breach stories is that something’s definitely broken with big data and how it’s secured. “Word to ya IS Department.” If it weren’t, capable folks like Brian would have 35% less to investigate and report.

This leads me to wonder what companies should be doing differently. The alarming number of breaches reported indicates that the status quo (data security as usual) clearly isn’t cutting it.

Aside from Dr. Frasier Crane, “is anyone listening?!”