Identity Breaches And Compromise Are Becoming Routine
It’s become almost a reflex now: another email in your inbox or another letter in the mailbox, “we regret to inform you that due to a breach, your personal data may have been….” The cumulative number of compromised identity records is by now more than ten times the population of the United States, and yet life continues. The unthinkable has become the mundane and the routine. That still does not excuse the breaches that keep happening.
And then we get the Wawa breach, which many may have missed and which is being discussed in some circles as possibly the biggest payment card breach in history, with over 30 million card records compromised.
We’ve heard it before, and not just when President Bush couldn’t quite get it right: “Fool me once, shame on you. Fool me twice, shame on me.” But fool me ten times, then what?
Enough is enough!
It’s time to really up the ante: minimize the extent of possible breaches and compromises, and minimize exposure when breaches like this do occur. Holding customer data is a privilege, not a right. The time to beef up security is long past. Simply automating the apology process, sending out identity monitoring offers and a form email or snail-mail letter, smacks of insincerity.
This still needs a light shone on it. Breaches of this sort in payment cards and financial services demand more than a form letter and business as usual. Transparency is essential, followed by a demonstration of lessons learned. For those who haven’t been breached: show us you’ve learned from the lessons others paid for. If someone finds a new way to compromise data, the record counts shouldn’t be in the tens of millions, and the stories of how it was done should be getting more sophisticated. If they aren’t, it’s like hanging a “help wanted” sign outside for the fraudsters, and that is not acceptable in 2020.
And then, not a week later, SpiceJet, a large air carrier in India, had an enormous identity breach. The person who found it was described as an “ethical hacker” whose name has not been disclosed, reportedly out of concern about violating US computer security laws. The researcher first told SpiceJet about the compromise and then turned to CERT-In, India’s national CERT, which is an unusual progression to follow before any of this became public.
Ethical hacking is easy to get wrong under the best of circumstances and hard to do right. In the case of SpiceJet, not much is known beyond the apparent absence of malice, but there is most definitely a story waiting to be told, and hopefully one that comes out with no new victims.
However, the real concern is less about what this hacker did than about what others, with less benign intent, might already have done with the same weakness before it was exposed. SpiceJet has gone on record as saying the following:
“At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”
Sacrosanct is a big word, even if we don’t push too hard on “fully capable” and “always up to date.” It’s hard to get from security policy to public statement coherently when a breach and a potential media crisis are looming. So rather than bayonet the wounded, let’s look at what needs to happen going forward, given that “safety and security” are sacrosanct.
SpiceJet needs to demonstrate best-of-breed practices, or at least visible investment in building toward them. It takes time to reach that maturity, and this sort of error is a big one. Is the problem systemic? How is the fix being proven? If this is to be more than lip service from yet another big company dealing with a breach, they should invite ethical hacking and put a vulnerability disclosure program in place, or share the one they already have and explain why this hacker turned to CERT-In instead of using it.
As a company you can be a hero or a villain, but not a victim. SpiceJet has said it wants to be a hero, and that means leaning in harder and putting money where the company’s mouth is, or risk being vilified.