The Lie That Accompanies EVERY Data Security Breach

Corporate PR hacks need more original material. Stop saying, “We take your privacy and security seriously”.

About one-third of all 285 data breach notifications had some variation of the line.

It doesn’t show that companies care about your data. It shows that they don’t know what to do next.

Companies don’t care about your security. You have to care about your security. Companies collect data about you, and use that data to make money. Actually putting security in place, keeping systems up-to-date, removing old data, and in general being responsible doesn’t make them money and in fact costs a fair amount. They can’t be bothered.

So they get hacked. Then they deflect, defend and deny. Case in point: OkCupid.

Instead, OkCupid’s response was to deflect, defend, and deny, a common way for companies to get ahead of a negative story. It looked like this:

  • Deflect: “All websites constantly experience account takeover attempts,” the company said.
  • Defend: “There’s no story here,” the company later told another publication.
  • Deny: “No further comment,” when asked what the company will do about it.

And if they are really caught behind the eight-ball, they will pay for 1 year of credit monitoring. Thanks, but I already pay for that; it is a better service than they usually offer, and I need more than 1 year.


Can We Get Some Security?

I don’t understand why we haven’t solved this problem. (No, I do know; there are 2 reasons, but I’ll get to that later.) Here We Go Again: 127 Million Accounts Stolen From 8 More Websites.

According to TechCrunch, the following user account data is for sale on the Dark Web.

Houzz (57 million), YouNow (40 million), Ixigo (18 million), Stronghold Kingdoms (5 million), Roll20 (4 million), Ge.tt (1.8 million), PetFlow (1 million), Coinmama (450,000)

This is on top of the 617 million accounts the same hacker published a few days ago, which impacted the following sites.

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Those 2 reasons?

  1. Programmer arrogance – they never, ever make a mistake (except when they do), and
  2. Management that doesn’t want to pay for security.

Brave Browser: Not as Private as They Want You to Think

But then Facebook and Twitter are the elephants in the room. Facebook, Twitter Trackers Whitelisted by Brave Browser.

The Brave Browser promotes itself on being built from the ground up to provide enhanced privacy to its users. Yet, users voiced concern today after finding a section of the browser’s source code that shows tracking scripts for Facebook and Twitter are whitelisted so that they are not blocked by the browser.

Why? Because blocking them would cause some sites to break. (Firefox lets me decide how much privacy/breakage I want.)

They Love to Store Personal Info, They Just Can’t Be Bothered to Secure It

How many kids have credit monitoring? For their entire lives they are going to be troubled by possible identity theft. Report: K-12 Schools Experienced 122 Cyber Attacks in 2018.

For instance, in December, it was discovered that the personal data of more than 500,000 students and staff in the San Diego Unified School District were stolen over an 11-month period. The data included names, dates of birth, Social Security numbers, mailing and home addresses, phone numbers, health information and legal notices.

How much do you think the administrators worry about security? “Oh, those IT folks, they always want to spend money on something.” So the bad guys have all that info. What do you think they are going to do with it?

Actually it looks like suburban districts are targeted more than inner city schools.

The Scope of the Online Security Problem Is Immense

The firms keep the data because actually thinking about deleting it is hard. 59K Data Breaches Reported, 91 Fines Imposed Since GDPR Enactment.

The Netherlands, Germany and the UK lead the rankings with roughly 15,400, 12,600, and 10,600 reported breaches respectively, as detailed in a report published by the DLA Piper global law firm, while companies from Liechtenstein, Iceland, and Cyprus reported 5, 25 and 35 breaches respectively.

And on the fines front, Google was charged €50 million.

Google’s €50 million fine was the highest GDPR penalty ever and it was issued by the French Commission Nationale de l’informatique et des Libertés (CNIL) on January 21 for not obtaining user consent for processing data for ads personalization purposes and for violating transparency and information obligations.

“Highest ever” is a bit of a stretch. GDPR only went into effect in May of 2018.

I wish the US had more privacy controls. Companies keep data about me without my consent. They keep data even after I have withdrawn consent. It isn’t right.

When Your “Security Camera” Isn’t Secure

You bought a security camera to enhance security. But if you act stupidly when you set it up, you won’t be enhancing anything. Family says hacker sent fake North Korean missile warning through Nest camera.

So they reuse passwords. (Get a damn password manager! They are Free. FREE. And easier than trying to remember multiple passwords.) So when one of their sites was hacked, bad guys got access to their Nest camera – because it had the same PW. (No, that is not a good idea.)

And to be clear, long before these guys said anything over the speaker, they had full access to the camera.

The first anecdote was almost funny. (Another North Korean missile warning.) But not all of the anecdotes are funny.

The customer service representative speculated that the family had fallen victim to a data breach at another online service and that they had used the same password on their Nest camera.

[SNIP]
Following the incident, Lyons says her husband changed the camera’s password, enabled two-factor authentication, and disabled the device’s speaker and microphone.

Something that should have been done in the beginning.

The less funny incident? (Though the couple from the incident above said their 8-year-old was traumatized.)…

A Texas couple also reported in December that a hacker had accessed a Nest camera in their infant’s room and said, “I’m going to kidnap your baby,” over its speaker.

Sign up for LastPass. Download and use KeePass. Do something. Don’t just reuse the same PW everywhere. And really, really think HARD about putting a camera inside your house that is connected to the internet. Unless you are completely dedicated to maintaining the security of that camera. (And Nest is one of the better companies. Their products are as secure as anything. Not all security cameras are secure. Some are hopeless.)
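The failure mode above is password reuse: one site gets breached, and every other account that shares the password falls with it. The script below is an added example (not from this post, and not from Nest, LastPass or KeePass) that audits a constructed password-manager CSV export, reports which passwords are reused and which accounts a single breach would expose, and replaces each reused password with a fresh random one generated by Python’s `secrets` module. The export rows and the credentials in them are made up for the demonstration.

```python
"""Audit a password-manager export for reused passwords (added example)."""
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample export in the common "name,url,username,password" CSV
# shape used by password-manager exports. All entries are invented.
SAMPLE_EXPORT = """name,url,username,password
Nest,https://home.nest.example,parent@example.com,Summer2018!
Shopping site,https://shop.example.net,parent@example.com,Summer2018!
Bank,https://bank.example.org,parent@example.com,x9#Tq!2vLm8
Dating site,https://dating.example.com,parent@example.com,Summer2018!
"""


def load_rows(export_text):
    """Parse the CSV export into a list of dicts, one per stored account."""
    return list(csv.DictReader(io.StringIO(export_text)))


def find_reused_passwords(export_text):
    """Return {password: [site names]} for every password used on more than one site."""
    sites_by_password = defaultdict(list)
    for row in load_rows(export_text):
        sites_by_password[row["password"]].append(row["name"])
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def exposure_from_breach(export_text, breached_site):
    """Names of the other sites that fall if breached_site leaks its password.

    This is the Nest scenario: the password that leaked elsewhere is the
    same one protecting the camera account.
    """
    rows = load_rows(export_text)
    breached_pw = next(r["password"] for r in rows if r["name"] == breached_site)
    return [r["name"] for r in rows
            if r["password"] == breached_pw and r["name"] != breached_site]


def generate_password(length=20):
    """Cryptographically random password from letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_reused(export_text):
    """Return the rows with every reused password replaced by a unique new one.

    Passwords that were already unique are left untouched; each reused entry
    gets its own fresh value, so no two accounts share a password afterwards.
    """
    reused = find_reused_passwords(export_text)
    rows = load_rows(export_text)
    for row in rows:
        if row["password"] in reused:
            row["password"] = generate_password()
    return rows


if __name__ == "__main__":
    for pw_sites in find_reused_passwords(SAMPLE_EXPORT).values():
        print("reused on:", ", ".join(pw_sites))
    print("breach of Dating site also exposes:", exposure_from_breach(SAMPLE_EXPORT, "Dating site"))
    rotated = rotate_reused(SAMPLE_EXPORT)
    print("distinct passwords after rotation:", len({r["password"] for r in rotated}))
```

Run it against a real export only on a machine you trust and delete the file afterwards; the point of the audit is the list of site names, so the script never needs to print the passwords themselves.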