First Equifax, now Uber. Another day, another data breach, right? Nope. These two recent mega-hacks are different.
They’re different because Equifax waited six weeks to publicly disclose a breach involving the personal data of 143 million people.
Over at Uber, the top dogs (including infosec chief Joe Sullivan, who’s since been fired) waited a full year to notify the public of a hack involving the data of 57 million customers and drivers. To top it off, Bloomberg reports Uber paid the hackers $100,000 to delete the stolen data and keep the whole thing quiet, a claim Uber has not yet refuted.
Failing to prevent a cyber attack is one thing. Deliberately hiding a massive data hack from your own customers is quite another.
At the recent SecTOR security conference in Toronto, a panel of four infosec pros took digs at the culture of silence and blame shifting that surrounds cyber breaches. Within that culture, they said, far too many organizations do three things when they get hit by hackers: 1) keep quiet, 2) downplay the damage, 3) fully blame the hackers without examining the role their company’s own failings played in the hack.
These tactics, said SecTOR panelist Ben Sapiro, end up normalizing breaches as being so commonplace that they’re just another part of doing business these days.
“The attitude is ‘the breach doesn’t matter because it’s happened to everybody else so it’s okay that it happened to us,’” said Sapiro, senior director of security, privacy and compliance at Vision Critical.
Most breach post-mortems, he said, focus on the granular reasons a hack took place but don’t explore the systemic cultural issues within an organization that allowed the breach to happen.
Fellow SecTOR panelist Rich Mogull argued a culture of macho competitiveness persists in infosec. When a breach hits someone else, “our response is ha, ha, those idiots!” instead of offering to help the victimized company or taking a closer look at our own weak spots, he said. No one wants to admit they’ve been pwned.
“These are cultural issues that most of us in this room helped create,” said Mogull, CEO of Securosis Labs. “One is coming out of the hacker, pen-tester set. The other is the one-upmanship that is still pervasive in our community at all levels.”
Truth or consequences
This competitive culture of normalizing, downplaying and shifting the responsibility for breaches leads to companies like Equifax and Uber deliberately hiding hacks from the public.
What will it take to change this part of infosec culture? Consequences — but what kind of consequences?
According to Cisco’s 2017 Cybersecurity Report, almost 40 per cent of organizations say they’ve lost customers and revenue after a breach. Yet the fear of those consequences obviously wasn’t strong enough to change the infosec culture at Equifax and Uber.
Would the fear of jail time do the trick?
As Jeff John Roberts points out in Fortune, although U.S. organizations are subject to fines and lawsuits in the event of a data breach, there are no U.S. laws that can send individual executives to prison for their actions (or lack thereof) after such incidents.
So while Martha Stewart found herself crocheting in the clinker for securities fraud worth a paltry $45,000, no one at Uber faces prison stripes for hiding the theft of 143 million customer names, addresses, phone numbers and social security numbers.
Jeff Skilling rightfully spent 14 years in the slammer because he hid the truth about Enron’s finances when he was its CEO. Why won’t any Uber executives face a jail sentence for paying off hackers and then hiding their crime for an entire year?
Is potential prison time the one thing that will force infosec culture to be more transparent and accountable about breaches and hacks?
If you look at the Harvey Weinstein scandal, many people say the culture of normalizing, downplaying and denying responsibility for sexual harassment is only shifting because other powerful men fear the same harsh consequences Weinstein is facing: a lost career and various criminal investigations.
Companies pay fines and lawsuit settlements; only people go to prison. Maybe criminal charges are the only consequences that would change the cover-up culture that took over infosec at Uber and Equifax.