BreachExchange mailing list archives
Your personal data is only worth $3.20 and that’s a massive problem
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 5 Oct 2016 18:43:19 -0500
http://thenextweb.com/security/2016/10/05/personal-data-worth-3-20-thats-massive-problem/ Last years, hackers broke into the UK ISP TalkTalk <http://thenextweb.com/uk/2015/02/27/talktalks-systems-breached-subscribers-info-stolen-and-used-in-scams/> and stole the personal information of over 157,000 people. Among the records stolen were bank details, including sort codes and account numbers. It was Christmas for identity thieves. Today, the UK’s Information Commissioner’s Office (ICO) fined TalkTalk a record £400,000 <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/> (slightly more than $500,000). This was the largest amount *any* company has been fined after losing customer data, and is far more than the £250,000 that Sony was fined <http://www.bbc.co.uk/news/technology-21160818> in the aftermath of the 2011 PlayStation Network hack. Explaining their decision, the Information Commissioner Elizabeth Denham said that the “failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” “[hacking] is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information.” When you read the ICO’s report, you get a sense of the staggering negligence that allowed this data breach to take place. Put simply, TalkTalk was sleeping on the job. There were three different webpages that were vulnerable to an SQL injection attack. This particular category of vulnerability is easy to mitigate against, but TalkTalk had failed to scan these webpages for them. It’s likely that the company was oblivious as to their existence, and to the fact that they had access to TalkTalk’s customer database. And now, TalkTalk has been punished. Kinda. £400,000 sounds like an awful lot of money. I suppose that *it is *to most people. But TalkTalk is a company with revenues of £1.795 billion ($2.25 billion), and the fine boils down to £2.50 (or $3.20) for each person caught up in the leak. By every definition, it’s chump change. It doesn’t begin to compare to the stress those caught up in the breach have faced. These 157,000 victims are now at a heightened risk of falling victim to financial crime or phishing attacks. They now have to indefinitely monitor their credit for any irregularities. Am I alone in thinking that the punishment doesn’t quite match the crime? Goddammit, I want heads to roll. I want to see TalkTalk – and other companies that screw up so egregiously – to hurt. I want the fines to actually be a punishment, rather than another cost of doing business. And I want the people whose screw-ups are responsible for the breaches to face actual personal consequences. Company directors can face jail time in cases of corporate manslaughter. If someone screws up so badly, over 100,000 people need to invest in credit monitoring, then surely that person should also face some kind of repercussion? Maybe I’m a little extreme. I’m just sick and tired tired of companies – Yahoo <http://thenextweb.com/insider/2016/09/22/yahoo-massive-breach/>, LinkedIn <http://thenextweb.com/insider/2016/05/18/hacker-is-selling-117-million-linkedin-logins-obtained-in-2012-breach/>, LastFM <http://thenextweb.com/insider/2016/09/02/last-fm-leak-shows-people-still-use-dumb-passwords/> – screwing up so horrendously and getting away with it.
_______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Your personal data is only worth $3.20 and that’s a massive problem Inga Goddijn (Oct 06)