Nobody likes to be embarrassed. That goes for company executives. This fact of human nature helps explain why the breach-disclosure laws that have been adopted by many states can be leveraged by data thieves for even more profit than they could realize before.
Companies have always been reluctant to admit to data breaches. A lot of that reluctance can be attributed to simple embarrassment: We’ve been telling our customers that our security would keep their sensitive data safe, even when we knew that no security system is perfect.
This is true even for companies that you wouldn’t think were capable of being embarrassed. After all, companies whose business has been facilitating extramarital affairs and offering porn on demand have been breached. They undoubtedly would have welcomed the resulting publicity, except that the circumstances made it clear to their customers that their names were in danger of being made public.
That reluctance to go public has led many jurisdictions to require companies to report data breaches. One problem with such laws is that they do not overcome the embarrassment that goes with public acknowledgment of a security failing. And so companies split hairs and come up with ways to rationalize not reporting breaches..
That, in turn, is giving the bad guys a new opening.
When a company’s executives decide to hide a breach, their action can morph from unsavory to illegal. But that decision can leave them vulnerable to the attackers behind the breach in the first place, who know that the company has not done what the law requires and can now threaten it with disclosure.
That is also a two-stage threat. An attacker breaking into your network and then bragging ab out it is embarrassing. But if the attacker breaks in and waits to see if you report it—and if you run out the clock and opt to not report it, the attacker’s disclosure could expose you and your colleagues to civil penalties. In short, it makes a bad situation far worse.
Who in the world would take such a risk? Quite a few people. When your job is to prevent break-ins and one happens anyway, it’s pretty easy to rationalize a cover-up.
The risks that such decisions give rise to were made dramatically clear on Thursday (March 31) when Reuters noted a new global crime trend of cyberthieves partnering with traditional organized crime syndicates to attack banks across the world. If the banks are hesitant to reveal that they were successfully attacked. Without disclosure, law enforcement is not informed.
, it’s a win-win-win for the bad guys: They get to keep the money and sell the data, and they don’t have to worry about evading law enforcement. And if they’re especially greedy, they can also extort more money from the bank in exchange for a promise to keep quiet. Put another way, the bank can get victimized in four ways via one breach. Even worse, unlike the typical cyberthief, these gangsters don’t mind getting physical in their threats. Cyberthieves are bad, but they rarely get into the kneecap-smashing end of things. With this arrangement, they now have partners who will.
“Hundreds of millions of dollars, and perhaps much more, have been stolen from banks and financial services companies in recent years because of this alliance of traditional and digital criminals, with many victims not reporting the thefts for fear of reputational damage,” the Reuters story said. “Typically, security and cyber-crime experts say, hackers break into the computer systems of financial institutions and make, or incite others to make, fraudulent transactions to pliant accounts. Organised crime then uses techniques developed over decades to launder the money, giving the alliance much higher rewards than a hold-up or bank vault robbery, with much less risk.”
But let’s ponder a bit more about why companies would allow themselves to be placed in such a situation. One factor is that, even in the U.S. states that mandate disclosure, the laws offer a healthy amount of wiggle room. First, companies can be exempted from the requirement if law enforcement is willing to sign off on the need for secrecy during a post-breach probe. All too often, law enforcement is happy to do that. Moreover, the laws often are applicable only if the breach is a direct threat to consumer privacy. That becomes a judgment call — one that is made by people who have a very strong incentive to conclude that the breach is not a direct threat to privacy.
Because the decision to report a breach is not black and white, it’s easy to see why companies can end up saying, “All right, let’s not embarrass ourselves needlessly.” Think about it. Most Fortune 100 companies see a huge number of penetration attempts every day, and some of those attempts will get further than others. At what point do they cross the line into a breach? Lacking evidence that any data was accessed, most companies are going to decide that no breach that has to be reported occurred. But does lack of evidence of success equal evidence of an attack’s failure? Of course not.
Consider a company that’s been subjected to a distributed denial-of-service attack. Theoretically, a DDoS attack does not translate into data being stolen, so it’s easy for the fear of embarrassment to lead to a (highly justified) decision not to disclose. Besides, the parties rationalize, there’s probably not a lot that law enforcement can do that our own people can’t, so let’s just hire a confidential forensic security team and call it a day.
Ah, but what if the DDoS attack is only a diversion so that your security people will be intently focused on fighting to keep the site up, leaving no one to notice that files are being accessed at the same time? By the time the DDoS is halted, all logs and evidence of the real attack will have been deleted or altered. No beach detected, no breach reported. End of story? Yes — until the attackers contact the company with a blackmail demand.
My point is that data breaches and breach-disclosure laws are realities that affect each other and that companies need to think about carefully. They must work out precise and explicit guidelines long before they are in the thick of a real incident. To decide things on the fly, based on the particulars of each situation, is a recipe for inconsistency. You are letting the people who are in charge of preventing attacks decide when they have to tell the world about an attack — and the potential for embarrassment will influence their decisions, because they will be sure that the world is going to decide that they failed to do their job.
Look, keeping quiet out of a sense of shame can cost you a lot more than you realize — and everything will probably be disclosed in the end anyway.