The Wall Street Journal published a story in the beginning of August titled “Executives Rethink Merits of Going Public with Data Breaches” (link here). It’s a fine piece of writing, and an intriguing point of view. Unfortunately, it’s wrong.
I encourage you to read the article for yourself and draw your own conclusions but allow me to walk through some of the points outlined in the story. Dawn-Marie Hutchinson, one of the subjects of the story and the head of information security at Urban Outfitters, kicks off the story by arguing that all data breach announcements do is create hysteria in the public. To be fair, I understand why Ms. Hutchinson (and some of the other executives mentioned but not named in this story) would be opposed to disclosing breach activity: it is perceived as a direct reflection of their job performance. The article indicates that disclosing a breach would be the equivalent of ringing the dinner bell for thousands of other potential attackers indicating a vulnerable network ripe for plundering. And that may be true. But I doubt it.
Since data breaches can come in so many colors and flavors, let’s narrow the definition for this discussion down to those involving sensitive customer data: credit card numbers, social security numbers, and usernames/passwords. This type of data has value to the criminal element, since it enables credit card fraud (credit card numbers), identity theft (social security numbers) and online identity theft (email addresses with passwords). While emails and passwords are nice, clearly the easiest path to money is through access to valid credit card numbers and social security numbers.
Let’s play the hypothetical game: You’ve been put in charge of information security, and discover that unauthorized persons accessed and stole some of your sensitive customer data. Decision time. You have two options: do nothing or disclose the breach.
If you chose nothing, then you leave the burden of discovery on your customers. They will be the ones to discover the unauthorized charges on their credit card or the new credit line opened in their name or the spam originated from their email account. You’ll be in violation of disclosure laws in at least 47 states (assuming you have customers there), and likely make a stronger case against yourself in all the civil litigation that is likely to follow. After all, if the breach is of any significance, sooner or later someone else is going to find out and tell the world. That’s what happened to Target. Other people noticed the huge surge in stolen credit cards on the market, and did the footwork to find the source. Target would have likely been forced to disclose anyways. Instead they stayed silent for almost two weeks while the news media circulated stories about the massive breach.
On the other hand, if you disclose the breach, you alert your customers to the problem and enable them to be proactive. Customers can implement locks on their credit file. Banks re-issue credit cards. Passwords are changed. And you devalue the stolen information the attackers left with.
And de-valuing the stolen data is probably the best defense you can mount these days. Remember, the motivation of the criminal group who looks to steal this information is to sell it. Credit card numbers only have value if they are valid and social security numbers only have value if they connect to a person with a good credit rating.
The practice of defensive information security is very difficult. Assuming that you are sophisticated enough to determine that a breach has actually occurred (not as easy as it sounds), trying to determine exactly who executed the attack is nearly impossible. Even if you somehow get the attribution right, your options for stopping these attackers are pretty limited. It’s like trying to stop a burglar with a paintball gun: each time you catch them they have to start over. But they get to start over, and keep at it until they find what they are looking for.
I’m reminded of a quote from Bruce Schneier, a luminary and pioneer in the information security world: “I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually ‘Nothing, you’re screwed.'”
A common perception about data breach notifications is that once a company goes public with a security event, they face:
- Stock price drop
- Brand damage
- Customer loss
- Civil lawsuits
As very effectively put by Adam Shostack in his keynote presentation “Beyond Good and Evil: Towards Effective Security“, those perceptions are wrong. While companies may experience a brief hit to their stock price, they generally bounce back within 2 or 3 days. Not even a week. Customers tend not to leave because the transparency encourages trust (always a good thing). And the vast majority of civil lawsuits are dismissed before discovery, especially if the breach disclosure process is effectively executed, and provides those individuals effected with mitigating options like credit monitoring services.
And most importantly, effective sharing on data breaches is the only way we, as an industry, can get better. Keeping quiet about a security event doesn’t help you, or your peers, get better at preventing these attacks. It only helps your enemy the malicious attacker. I think they’ve got enough of an advantage, don’t you?
Thanks for reading, and stay safe out there!