Telcos don’t understand the hacking community – Oracle

Security is a challenge for the industry, we all know that, but the speed at which security threats are evolving is creating new headaches every single day for the telcos.

Speaking to Travis Russell, Oracle’s Director for Cybersecurity, at Mobile World Congress, it became clear the issue for the telcos is a relatively simple one to identify, but heartachingly difficult to address.

“Risk management and tolerance is the Achilles Heel for telcos,” said Russell. “The telcos are always looking for a smoking gun before changing risk tolerance.”

This has been the issue in recent years, though it is only today that the real damage is being dealt. In bygone years, telcos have been unwilling to address the problem of security until it has become a direct threat to the business. Due to finite resources and increasing pressure on the spreadsheets, telcos have had to focus on immediate problems instead of getting ahead of greater threats.

“IP was an enabler to vulnerabilities,” said Russell. “It took a while for the hackers to catch up, but now they have.”

As Russell points out, prior to IP being introduced to the world of telcos, risks were much smaller. TDM technologies were incredibly secure, but as networks evolved, new problems emerged. These challenges persist today, but the main issue is that few people understand the community that poses the most dangerous threat.

A lazy stereotype of a hacker would be a 17-year-old computer whizz, sitting in his pants at his laptop with Red Bull cans scattered throughout the room, causing chaos on the digital highways in search of kudos on the dark web. This might have been true once upon a time, but the threat has evolved.

Hackers nowadays can hail from the world of organized crime. These are not thugs who extort the local corner shop anymore, but nefarious organizations which use the virtual world as a means to make money illegally. Few people think of organized crime mobs or terrorist groups as containing PhD computer geniuses, but this is increasingly becoming the new norm as undesirables poke and prod networks for illicit gains.

However, as Russell mentioned before, the challenge has not been adequately addressed because the smoking gun has not been found. Few people consider a data breach as major news anymore, but that is because there have not been enough reported instances of identity fraud as a result of personal information hitting the dark corners of the web. Another example of a new threat is Metro Bank’s recent incident in the UK.

Here, Metro Bank was the victim of SS7 attacks, which allowed anyone with access to the signalling network to reroute text messages and calls. Considering banks use SMS during the two-stage authentication process, this presents a massive risk for many companies in the future. Such attacks are becoming much more common.

Elsewhere, the risks are becoming much more sophisticated as well, with open source communities coming under threat. Russell notes that while ecosystems like Linux might be safe, since there are plenty of eyeballs on the code to ensure its legitimacy, lesser-known or more niche ecosystems could be at risk. In these cases, vulnerabilities could be placed into the source code before it is used elsewhere. It is a risk few consider, and it demonstrates the sophistication and intelligence of those who are aiming to do harm.

While this might sound like scaremongering, it is a perfectly legitimate point to make. Because companies have been brushing aside security concerns for years, there is a lot of catching up to do. Governments need to force security ownership on all segments of the community, as well as do more to educate the consumer on the risks of digital society.

The fact of the matter is, each element of the supply chain has to take ownership for security, even if there are elements which are slightly outside of their control. As it stands, each layer, whether they be connectivity providers, operating systems, hardware manufacturers, software providers or the consumer, has to take a more pragmatic approach to security. The security conundrum can only be solved if each element takes a more serious approach, to create an end-to-end landscape of protection. Gone are the days responsibilities can be passed elsewhere.

The hackers have got a head-start, but with new fines enforceable on incidents and substandard security protocols, security might be taken seriously before too long.

Security is a concern, especially as it can hit bank accounts now

New research from EY suggests British businesses are more concerned than ever about security. Funny that, considering there’s now a whopping fine to worry about.

Security is one of those areas which is constantly discussed but little is done to address it. Irrespective of how many CEOs tell you it’s top of the agenda or how many statements start with the phrase ‘our customers’ security is our number one concern’, it’s an aspect of the technology world which has been swept aside. But not according to this research from EY.

“It’s not surprising that businesses are most concerned with the threat of cyberattacks,” said Adrian Baschnonga, Global Lead Telecommunications Analyst at EY. “The introduction of 5G will help organisations unlock new growth opportunities, but this transition comes at a time when fears regarding data breaches and network security are especially pronounced.”

While you always have to take statements like this with a pinch of salt, it might be right this time. Why? Because if you want to make executives care about something aside from their annual bonuses, you have to fight fire with fire.

Under the General Data Protection Regulation (GDPR) brought into play last May, any company which is found to have inadequately protected customer or employee data is subject to fines of 3% of annual turnover or €20 million. GDPR fines are proportionate to the risk posed by a breach, allowing flexibility for regulators to tackle the problem, but it certainly seems to have caught some attention.

According to professional services firm RPC, in the 12 months prior to September 30 2018 (the period in which GDPR was introduced) the Information Commissioner’s Office issued fines totalling just over £5 million, a 24% increase on the previous 12-month period. Considering the ICO only had a couple of months to swing the GDPR stick at offenders, it would be fair to assume the watchdog is fully embracing the new powers offered to it.

This also seems to have hit home with those investing in new technologies. 40% of respondents to EY’s survey are worried about 5G and cyberattacks, while 37% saw IoT as a risk. These numbers aren’t particularly high, but they are the biggest concerns.

Another factor to consider is the consumer. While many will have been blind to the risk of data breaches in bygone years, this does not seem to be the case anymore. Recent Lloyd’s research claims 44% of UK consumers believe there is a risk to personal safety in the sharing economy, perhaps indicating they would be hard-pushed to share data. If enterprise organizations are going to benefit from the data boom, they’ll have to convince customers that their personal information will be safe.

Whether this translates to appropriate security investments remains to be seen, as there seems to be a lack of ownership over security overall. Enterprise organizations are looking to suppliers for security to be built into products, while it is perfectly reasonable for suppliers to ask enterprise organizations to do more. Security should be built into products, but if an individual buys a front door, the manufacturer cannot be blamed when it is left open or an inadequate lock is used.

More often than not the carrot is used to incentivise business, but it seems the GDPR stick is an effective tool in bringing security to the front of executives’ minds. Hopefully now there will be less pandering for PR headlines and more affirmative action.

Cybersecurity investments on the up but not sustainable – study

Research from Strategic Cyber Ventures points to an increased appetite for cyber security investments, but the euphoria sweeping the segment forward is not sustainable.

On numerous occasions we have commented security is the ugly duckling of the technology world. It is critical to ensure the industry, and digital society on the whole, functions appropriately, though more often than not it is ignored. There will be numerous reasons for this, perhaps because security is a thankless and often impossible task, but the data suggests 2018 might have been a watershed year.

Not only did 2018 see $5.3 billion in global venture capital funding, 81% more than 2016, M&A activity increased as did private equity investments. On the M&A side of things, Cisco made a bang with a $2.4 billion acquisition of Duo Security, while Blackberry acquired Cylance for $1.4 billion. These are two of the larger deals, though there was increased activity in the segment across the period.

In terms of private equity, Barracuda Networks was acquired for $1.6 billion by Thoma Bravo, Bomgar by Francisco Partners for $739 million, while Blackrock spent $400 million on Cofense. Elsewhere in the more complicated financial world, Skyhigh Networks acquired McAfee with assistance from its financial sponsors Thoma Bravo and TPG Capital.


Overall, the trends for the security segment are heading in the right direction. Perhaps now this is an area which will be taken more seriously by the industry, with adequate investments heading into security departments.

That said, Strategic Cyber Ventures has warned the trends from a funding perspective are not exactly the most favourable. The amount of cash being invested is increasing, though it does not appear the rewards are reflecting this. Some of these companies have raised funds through big rounds, but growth has slowed, perhaps due to vendor fatigue or increased competition. The risk here is firms cannot raise additional funds at increased valuations from prior rounds, meaning they will have to lean on existing investors. Eventually these parties will grow tired of keeping them alive for minimal rewards.

The issue here is the need for, and hype around, security. It’s critical to secure the expanding perimeter of the digital economy, creating the need for the segment, while executives constantly talk about security being the number one priority of firms, creating the hype. This would seem to be the perfect recipe for investment in security companies and start-ups. However, the segment hasn’t taken off, perhaps because customers prefer to invest in technologies which will make the company money rather than make it more secure.

This is maybe the most accurate assumption on why the security segment has faltered continuously over the years. Companies have limited spending power with executives choosing to invest in areas which will make the company more profitable, such is the pressure from investors and shareholders. However, consumer attitudes might be changing.

While many would have ignored the security risks of the digital economy in years gone by, today’s consumer is more educated. Privacy scandals have demonstrated the power of data, forcing the consumer to consider security more critically. This might have an impact on future buying decisions.

According to research by Onbuy.com 60% of US and 44% of UK consumers believe there is a risk to personal safety in the sharing economy, while 58% of all the respondents believed the risks outweigh the benefits in the sharing economy. Such attitudes will force companies to consider their security credentials as there is now a direct link back to the bottom line.

What this means for VC funding and investments from around the ecosystem remains to be seen, though the tides are turning in favour of the security segment. As Strategic Cyber Ventures notes, the current levels of investment are unsustainable, but there certainly are rewards.

Facebook is said to be shopping for a security company

The social network giant Facebook is speculated to be close to acquiring a cybersecurity company to shore up its data protection capability.

In the wake of a massive security breach, when 29 million users’ data were compromised, Facebook is desperately scrambling for a quick and effective solution. As it emerges, one way of doing so, in addition to working with the FBI, is shopping. The Information reported that according to four separate sources, Facebook has approached several unidentified cybersecurity companies for acquisition. One source told the online technology publication that a deal with one of the target companies could be reached before the end of the year.

A professional security solution sourced from outside could help refresh Facebook’s internal measures that might have overlooked vulnerabilities. The leak in late September, which initially was thought to have affected up to 50 million users, resulted from a coding loophole in the “View As” feature, which was attacked by an unknown party disguised as a third-party marketing company. Facebook later clarified that about 30 million users actually had their access tokens stolen, but the attackers failed to gather information on 1 million of them.

On top of the technical expertise to be acquired, a high-profile purchase of a security company would also improve the perception that Facebook is serious about safeguarding user data. The company’s reputation has been repeatedly battered since the Cambridge Analytica scandal, prompting it to go more aggressive with its PR strategy. After recruiting a high calibre ex-politician to its team, adding a professional security solution to its toolkit would do no harm.


Shareholders start wrestling Zuckerberg for Facebook control

Five Facebook shareholders are fighting back against Mark Zuckerberg’s control of the company he founded after several scandals have sent the share price plummeting.

Citing privacy outrages, political influence, the proliferation of fake news and data leaks, the asset managers are hoping to raise support to remove Zuckerberg as Chairman. The reputation and credibility of Facebook as a business which can effectively operate in the digital economy has certainly been called into question, though considering Zuckerberg himself controls 60% of the Facebook voting rights, it might prove to be a difficult battle.

New York City Pension Funds, Illinois state treasurer Michael Frerichs, Rhode Island state treasurer Seth Magaziner, Pennsylvania treasurer Joe Torsella, and Trillium Asset Management are the troublesome shareholders, though the filing should be viewed as nothing more than symbolic. With Zuckerberg’s control over Facebook coming close to a dictatorship, it is unlikely anything will change. That will not prevent investors from complaining however.

At the time of writing, the Facebook share price was standing at $159, having started the year at $181 and reaching a peak of $271 in July. This is the lowest since July 2017, a period which has seen Facebook get grilled by politicians over fake news and political influence, Cambridge Analytica dragging the company down and data breaches leaking personal information to nefarious actors. While Facebook will always be a target for hackers and the bottom-dwellers of the internet, the shareholders are calling into question Zuckerberg’s ability to manage the business.

“Facebook plays an outsized role in our society and our economy,” said New York City Comptroller Scott Stringer. “They have a social and financial responsibility to be transparent – that’s why we’re demanding independence and accountability in the company’s boardroom.

“We need Facebook’s insular boardroom to make a serious commitment to addressing real risks – reputational, regulatory, and the risk to our democracy – that impact the company, its shareowners, and ultimately the hard-earned pensions of thousands of New York City workers. An independent board chair is essential to moving Facebook forward from this mess, and to re-establish trust with Americans and investors alike.”

This is not the first time Zuckerberg has faced a challenge to his reign. Three of the aforementioned funds also supported a proposal in 2017 to create an independent board, though many of the largest shareholders voted against the proposal. This new filing, which also suggests the creation of an independent board chair to improve oversight, is set to feature at the 2019 AGM, with the troublesome shareholders stating they will be drumming up support over the coming months.

What is worth noting is this is not a revolutionary idea. Most other companies, especially multinationals, appoint an independent board to oversee operations and maintain transparency for shareholders. It is common business practice. Perhaps the steamroller success of Facebook and the continuous supply of profits have convinced shareholders this is not necessary at Facebook, but the declining share price is certainly something to worry about. Facebook is under pressure from numerous different governments, consumer groups and regulators, and Zuckerberg doesn’t seem to want to do much about it.

The UK is an excellent example of inaction from Zuckerberg. After ignoring numerous calls to appear in front of a Parliamentary committee, the UK Government has threatened Zuckerberg with a summons should he ever set foot in the country again. It is difficult to imagine any other multinational business taking this approach to criticism and condemnation.

While the filing might be nothing more than a PR statement, it is clear the shareholders are not happy with the way Zuckerberg is running the business. Unfortunately, it might appear the socially-incompetent Zuckerberg is under little pressure to do anything about it considering his voting power. Ironically, the social media giant seems the closest thing to a dictatorship the US has to offer the world.

50 million accounts breached at Facebook, but Europe needs to find the bad guy

Details of 50 million accounts have been lost to unknown nefarious individuals, but Facebook might get away with just a heavy hand-slapping from European watchdogs until the full consequences have been identified.

Last week, data from 50 million Facebook accounts was lost due to a vulnerability in the ‘View As’ feature, though as the incident was reported within the 72-hour window set out by the European Commission, the social media giant might avoid serious penalties under GDPR. The maximum fine would be $1.63 billion.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” said Guy Rosen, VP of Product Management. “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”

Attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature which allows users to view their profile from the perspective of another user. This vulnerability allowed the attacker(s) to steal ‘Access Tokens’, allowing them to hijack user accounts. Access tokens are the equivalent of digital keys keeping people logged in to Facebook so they don’t need to re-enter their password each time they use the platform.

While this might seem like a significant oversight from Facebook security, the company might just avoid a significant fine. The incident was reported to the relevant authorities after two days, well within the required window, while the consequence of this incident is also unknown for the moment. Under GDPR, companies which report an incident within the required window and are deemed to be cooperating with investigators will not receive the heaviest fines. The objective here is to remove the stigma of self-reporting, essentially rewarding those who come clean and do not try to hide the incident.

The consequence of the breach is also an important factor. Until misuse of the data can be identified, political persuasion for example, watchdogs are unlikely to be heavy handed. Using both the consequence and compliance with investigators as reasons to reduce the fine are important factors in ensuring the industry works with regulators. The less time these watchdogs spend policing the industry and searching for potential incidents means more time can be spent proactively making security features and processes more resilient. If watchdogs appear rational in their approach to punishments, industry will be much more of an ally.

“The time between detection and public notification on this one may be one for the record books, likely driven as much by risk to reputation and a wary eye on some of the large fines levied lately, as much as by GDPR and other compliance requirements,” said Dan Pitman, Principal Security Architect at Alert Logic. “New features increase the risk that vulnerabilities like this can become part of the live application, and Facebook is known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.

“This ‘continuous delivery’ of new features, combined with the modular nature of that delivery, increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge.”

The very path to ensuring a more engaging platform might well be what is causing Facebook problems, but in the pursuit of relevance, the Facebook business model might be undermined. Just as with the Cambridge Analytica scandal, users might be discouraged from putting additional information onto the platform, or even encouraged to remove some. At first, this will not have a significant impact on Facebook, but straws piling up on the camel’s back will eventually cause some damage.

While exiting users might be incrementally impacting the Facebook business, the advertisers might start looking at the platform as well. This is not to say people will stop advertising on Facebook, but the more incidents impacting the brand and the more stories of people becoming disengaged might have an influence. Facebook might have led the way when it comes to hyper-targeted advertising but others are catching up. Google is arguably the only platform which can compete toe-to-toe with Facebook, but it doesn’t have the suspect clouds lurking overhead. Twitter has upped its game, Microsoft’s Xbox platform is one worth keeping an eye on, as is AT&T’s advertising business Xandr. Even when you look at companies like Sky, the AdSmart platform offers an incredibly targeted offering. These security breaches might start to weigh heavy considering there are other options out there.

Another very important factor to consider with this incident is GDPR. Since being passed in May, this is the first major incident to test the resiliency and credibility of the rules. How European investigators, currently being led by the Irish data protection watchdog, react will set precedent and also impact the way which other companies view the rules. The next few weeks are very important for Europe in terms of validation.

The issues which the regulators are facing at the moment are consequence and bad guys. To make an appropriate ruling, demonstrate the importance of security and dish out the appropriate fine, there needs to be someone or something to point the naughty finger at.

“Based on information available, a video uploading feature implemented in July of last year exposed this feature to a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles,” said Greg Foss, Senior Manager of Threat Research at LogRhythm. “It appears that attackers are able to access the accounts of ‘friends’ or those already connected to the compromised account.

“If that’s true, it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.”

When a bad guy has been found, the threat becomes real and there are tangible consequences. This is when the appropriate punishment can be justifiably dished out, while also maintaining a positive relationship with industry, and the dangers of the digital economy can be effectively communicated to the general public. This will scare Facebook more than anything else.

Fines are okay, they are a one-off hit, but negative PR and public outcry will mean fewer people engage with the Facebook community. This will have an impact on the bottom line. Managing this negative impact will be significantly more important than any fine dished out by the European Commission.

Could a security breach de-rail the magenta express train?

T-Mobile, ably led by wild-eyed CEO John Legere, has been causing chaos throughout the US wireless market, but a data breach could impact the brand’s credibility in the eyes of customers.

Customer opinion is a fickle thing. It can sometimes take only a minor incident and all of a sudden the brand is as attractive as a turd in a washing machine. T-Mobile has been generating some serious momentum over the last few years, readily stealing subscribers from the likes of AT&T and Verizon by undercutting tariffs, though how much of an impact will a data breach have on brand perception?

“Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information,” T-Mobile wrote in a statement to customers.

“On August 20, our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”

According to reports and rumours across the industry, the breach could have left as many as 2.5 million subscribers exposed to the attack. According to a T-Mobile spokesperson talking to Motherboard, the incident occurred after hackers compromised company servers through an API, although no further technical details have been disclosed. The attackers are believed to be international.

This is not the first time T-Mobile US has been exposed for security flaws. In May, researcher Ryan Stephenson found a bug which allowed external parties to access customer information using just a phone number. An API used by T-Mobile staff allowed them to look up customer details simply by entering a phone number, but it was not password protected, meaning anyone who found the sub-domain could take advantage of the shortcut. The oversight revealed a customer’s name, address, billing account number, and in some cases information about tax identification numbers, as well as security question information.
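To make the shape of that staff-lookup flaw concrete from a defender’s side, here is an added example (written for this page, not T-Mobile’s code; the records, staff identities and scope names are all constructed). It puts the unauthenticated lookup-by-phone-number handler beside a hardened version that requires a short-lived staff bearer token, checks the token carries the right scope, returns only the fields a support workflow needs, and records every lookup for audit.

```python
"""Constructed illustration of an internal customer-lookup API: the
unauthenticated handler beside a hardened one. Not any operator's real
code; every record, user and scope below is made up for the example."""
import hashlib
import secrets
import time

# Constructed sample records keyed by phone number (not real customers).
CUSTOMERS = {
    "5550100": {"name": "A. Example", "address": "1 Test St",
                "billing_account": "ACC-0001", "tax_id": "TAX-9999",
                "security_question": "First pet?"},
    "5550101": {"name": "B. Sample", "address": "2 Test Ave",
                "billing_account": "ACC-0002", "tax_id": "TAX-8888",
                "security_question": "Mother's maiden name?"},
}


# --- Vulnerable shape: whoever finds the endpoint gets the whole record ---
def lookup_vulnerable(params):
    """Return the full customer record for a phone number; no auth at all."""
    rec = CUSTOMERS.get(params.get("phone", ""))
    if rec is None:
        return 404, {"error": "not found"}
    return 200, rec


# --- Hardened shape -----------------------------------------------------
# Session store maps sha256(token) -> {"user", "scopes", "expires"}; the raw
# token is never stored, so a leaked store does not yield usable tokens.
SESSIONS = {}
AUDIT_LOG = []  # one dict per request, success or failure
PUBLIC_FIELDS = ("name", "address", "billing_account")  # what support needs


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_staff_token(user, scopes, ttl_seconds=900):
    """Mint a random, short-lived bearer token for a staff user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_hash_token(token)] = {
        "user": user, "scopes": set(scopes),
        "expires": time.time() + ttl_seconds,
    }
    return token


def _authenticate(headers):
    """Resolve an Authorization header to a live session, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    sess = SESSIONS.get(_hash_token(auth[len("Bearer "):]))
    if sess is None or sess["expires"] < time.time():
        return None
    return sess


def lookup_hardened(headers, params):
    """Authenticated, scoped, minimised and audited customer lookup."""
    phone = params.get("phone", "")
    sess = _authenticate(headers)
    if sess is None:
        AUDIT_LOG.append({"outcome": "unauthenticated", "phone": phone})
        return 401, {"error": "authentication required"}
    if "customer:read" not in sess["scopes"]:
        AUDIT_LOG.append({"outcome": "forbidden", "user": sess["user"],
                          "phone": phone})
        return 403, {"error": "insufficient scope"}
    rec = CUSTOMERS.get(phone)
    AUDIT_LOG.append({"outcome": "lookup", "user": sess["user"],
                      "phone": phone, "found": rec is not None})
    if rec is None:
        return 404, {"error": "not found"}
    # Tax id and security question never leave the server via this route.
    return 200, {k: rec[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print("no auth, vulnerable:", lookup_vulnerable({"phone": "5550100"}))
    print("no auth, hardened:", lookup_hardened({}, {"phone": "5550100"}))
    tok = issue_staff_token("agent42", ["customer:read"])
    print("staff token:", lookup_hardened({"Authorization": "Bearer " + tok},
                                          {"phone": "5550100"}))
    print("audit trail:", AUDIT_LOG)
```

The audit list is what a detection team would actually watch: a burst of `unauthenticated` or `forbidden` entries, or one staff user walking through sequential phone numbers, is the signal that the endpoint is being enumerated rather than used for support.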

Every company will have flaws in its systems; the perimeters are simply too vast nowadays, making the concept of 100% secure almost impossible. The issue here is about credibility: how much of an impact will the news have on customers’ perception of T-Mobile as a brand and a trusted guardian of their personal information?

As mentioned before, customers are very fickle, especially when much of the attraction to a brand is based on price. Some customers might be asking a simple question now; are a few saved dollars each month worth the risk of my personal information being exposed? T-Mobile has been excellent at hoovering up new subscribers over the last couple of years, but this has been due to highly aggressive marketing moves focused on acquisition. The retention capabilities of the brand have not genuinely been put to the test.

With data protection and privacy high on the agenda following several scandals, most notably the Facebook Cambridge Analytica saga, customers are becoming more sensitive to such incidents. Whether this is enough to de-rail the magenta steam train remains to be seen, but it does ask questions over the company’s credentials.

ICO report shows UK is starting to take privacy and data protection seriously

The UK Information Commissioner’s Office has released its annual report for 2017/18 which hints the UK is starting to present the right attitudes to privacy and data protection.

Privacy and data protection are areas of the technology world which everyone seems to deeply care about, but few seem to want to do anything. Consumers are constantly shocked about the lack of protections offered to their personal information by leaky organizations, but the same consumers are always more than willing to hand over data when it means avoiding payment. It has seemed to be a bugbear of convenience for the consumer, but perhaps this report indicates these attitudes are changing.

“This is an important time for privacy rights, with a new legal framework and increased public interest,” said UK Information Commissioner Elizabeth Denham. “Transparency and accountability must be paramount, otherwise it will be impossible to build trust in the way that personal information is obtained, used and shared online.”

Denham and her team do of course have a challenging task. In the mission statement of the Information Commissioner’s Office some very lofty goals are listed, increasing the public’s trust and confidence in how data is used for instance, or improving standards of information rights practice across industry, though winning this battle will rely not only on companies taking their responsibilities more seriously, but also consumers realising it is also their duty to manage their own personal data. Sceptics would argue neither of these ideas are being taken seriously at the moment, though optimists might point towards the statistics.

The report claims 235,672 calls were received by the ICO’s helpline, an increase of 24.1% year-on-year, while 30,469 live chats were requested, up 31.5%. The caseload from 31 March 2018 to the same date in 2018 has increased from 115 to 3526. Over the course of the year, 21,019 calls were focused on data protection, a 15% increase from 2017, with most people concerned about subject access (39%), the disclosure of data (16%), its accuracy (11%) and securing the right to prevent processing (9%). The sceptics might still have a case that privacy and data protection are not being taken seriously, but the fact that enquiries and complaints are heading upwards suggests the general public and businesses are starting to acquire a new appreciation for how the digital economy works, as well as the risks.

On the data breach front, the number of self-reported cases is also on the up. 3,172 incidents were reported to the ICO over the course of 2017/18, a 29.6% increase. The majority of these cases did not result in a fine, as there is wiggle room if a company is able to demonstrate its approach to security could be deemed stringent, though healthcare is proving to be the most porous sector in the UK, accounting for 36% of the incidents.

Security has seemingly never been a top priority for many organizations, except when trying to generate PR points, though the same could be said of the consumer. The last 12-18 months have seen a change in attitude towards personal information, with consumers more sensitive about giving information out freely, though there does seem to be a lack of understanding of how terms and conditions work in the app economy. How many realise that by playing Clash of Clans, the user is effectively handing over ownership of a lot of personal information?

Awareness is only one area of the industry which needs work, and as the ICO also points out, there are still a few risks on the horizon. There is still uncertainty over the final wording of the upcoming Data Protection Bill and its enactment, while the operational changes necessary to regulate GDPR will cause issues, as will introducing a new funding regime for data protection work.

A lot is changing on the regulatory front, but the worrying question about bureaucrats still remains: are they able to keep up with the pace and sheer breadth of change which is constantly taking place in the technology world?

UK Government shows some teeth on cyber security defences

The UK Government has finally had enough of the data breaches which have been popping up over the last 18 months, threatening businesses with a fine up to £17 million if defensive standards are not met.

New sector-specific regulators will be set up to assess the individual needs of those sectors which are deemed critical to the UK, such as energy, transport or healthcare. The National Cyber Security Centre will publish new guidelines today (January 30) which will roughly outline the rules and expectations, though businesses will be encouraged to actively engage with the newly-formed regulator.

“Today we are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online,” said Margot James, Minister for Digital and the Creative Industries.

“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

While the majority of data breaches do occur in the US, there are of course examples everywhere else as well, with the UK hosting its fair share. In November, shipbrokers Clarkson warned shareholders of an upcoming breach as it refused to pay a ransom to the hacker; Deloitte suffered a breach as it was believed the firm did not have two-step verification set up; and BUPA suffered a leak affecting 500,000 customers on its international health insurance plan.

Moving forward, incidents would have to be reported to the regulator who would assess whether appropriate security measures were in place. These regulators will also have the power to issue legally-binding instructions to improve security, and hand out fines. A £17 million fine is certainly a deterrent, though it won’t be handed out willy-nilly. Companies which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack, will not face a fine.

Interestingly enough, that irritating ‘up to’ qualifier has appeared again. £17 million is the maximum fine which can be placed on an organization, but there has not been any guidance about how the amount will be assessed. The guidance from the National Cyber Security Centre will possibly offer more detail, but for the moment we’ll have to wait for the formation of the new regulators. These watchdogs might well be feisty, or they might be just another bloated government body.


Are you data breach fatigued?

Data breaches are nothing new – quite the contrary – in fact their very frequency makes it likely that we’re fatigued to the point of indifference by the number of leaks which are surfacing.

Knowing the value of money is a lesson parents have been teaching children for years, but how many are teaching the value of personal information? If you do not know the value of something, can you actually care when it has been lost?

Despite what many people will say, the digital economy is not quite with us yet. Or at least not in the sense which most would want. Whether it is paying for a newspaper with coins, or using your Oyster card to get onto the tube, or flagging down a Black Cab in central London, there are still those around who are embracing the old ways.

We’re in the middle ground right now, where the idea of using information as a currency is a novelty, and because it’s still a novelty, no-one really understands it. If no-one understands it, then no-one really appreciates the dangers. Finally, if no-one really appreciates the dangers, how do we adequately protect ourselves?

This lack of understanding will lead us to leave too much personal information out there, but it will also mean we do not appreciate the damage which can be done through data breaches and leaks. How often are you paying attention to news stories about companies losing data?

Telecoms.com is guilty of this. We do not cover all data breach stories because there are so many of them. It’s not always engaging content because it happens so much; we are breach fatigued. And we suspect many in the general public feel the same as well.

As a disclaimer, we cannot claim credit for the term breach fatigue; credit has to be given to Trend Micro’s VP of Security Research Rik Ferguson who raised the idea to us in a conversation a couple of weeks ago, but in light of the Equifax meltdown, it is an interesting idea to raise.

Did the data breach at Equifax get anywhere near the same attention as similar incidents in recent months? Or how about the one at the InterContinental Hotels Group in February? Or Verifone in March? What about the Taringa breach where more than 28 million records were exposed?

If it was a bank, we would be in a state of hysteria. This is our money which they are messing around with. But this is supposedly the beginning of the digital economy. We should be just as incensed by the exposure of our personal information, as this is apparently the new currency of the connected society. Does this difference devalue our personal information?

It’s a vicious circle we currently find ourselves in. If we are not bothered by breaches, it implies we do not value our personal information that much. If we do not value our personal information that much, companies are less inclined to protect it as stringently. When we become desensitised to breaches, companies will start to cut corners; they will soon realize there are fewer consequences. A little less will be spent here, a little bit more risk taken there. The number of breaches will increase, and we will care less. It’s a worrying trend to be involved in.

The big problem is we do not yet know the consequences of data breaches. If a bank loses our money, we know what the consequences are there, but what about personal information? What is there to lose? We haven’t humanized the consequences of data breaches yet. With the Equifax breach 143 million records were exposed, but right now that is 143 million faceless individuals. How do you associate pain with anonymity?

At the moment, people are living in a blissful ignorance of a problem which is everywhere. Perhaps we are losing control of security because people are becoming fatigued by the breaches which are created by a lack of attention.

Every time something is done to correct a problem it is because someone has been punished. There is a human element to the error. Right now we are not seeing the human cost of data breaches, but will the number and depth of these data breaches increase until we do?