Anyone who has even the slightest amount of contact with the internet is familiar with the scenario: An email or actual piece of mail arrives from a company that apparently handles some part of your connected life. The letter calmly identifies its author as a company you do business with, either by choice or by default. It blandly informs you that there has been a security incident, in as little detail as possible. You have already heard about it on the news. It was probably a month ago and in more detail than in the letter currently staring back at you. Then the company's mass-missive assures you, "We take your security seriously."
Then you're given a choice to apply for credit monitoring with the fees waived for a limited amount of time. To do that, you need to entrust your most sensitive security information to a second company the freshly-breached one instructs you to use. A Google search informs you that the recommended company has also been in the news for having experienced a breach.
How this scene isn't ending in riots and burning cars is a mystery to me.
The reason is probably that we've been expecting this letter to arrive. The anticipation has been living in the back of our anxious minds, like a roommate who does a poor job of covertly smoking cigarettes in bed. Part of our brain is relieved when the house finally burns down, because the helplessness and anxiety have made us insane.
But in reality, none of us are buying it -- our fragile mind's sense of relief, or the one-sentence PR crumb about how much they care about security. Sure, watching the company that left your social security number on a server they neglected since 2008 get flayed in the media for a minute is deeply satisfying. But not having your identity stolen in the first place certainly beats having to explain to credit companies that you can't change your Social Security number every week.
I think anyone in this position would agree that there's a lot to be said about the therapeutic potential of flipping a few cars.
I'm not advocating violence. The letter that came to me didn't make me go "why me?" or get up from my desk and go dig out my flameproof balaclava. Yet it did piss me off, knowing how breaches and containment and forensics work, as well as attacks and exfiltration. Not to mention the way these companies (and the US government alike) seem to hand these disasters over to Zoolander PR for a too-little, too-late round of "we really care a super lot."
The "we take your security seriously" notification -- or press release, if you're classy like that -- is what's known as a Bullshit Moment.
The Bullshit Moment is a popular tactic for orgs dodging accountability. It's when smart people pretend not to understand the question. When companies say that doing harm to individuals is for the safety or security of their users. When a company sits on pentest reports and does nothing, then blames a country whose response won't be considered credible. It's when a company is publicly warned about a serious security issue, then goes silent and does nothing until a breach, and we get a letter informing us that we're actually The Biggest Loser(s).
Great Bullshit Moments in breach history go like this:
- After the IRS website "get transcript" tool was used to steal the tax forms of 330,000 people: It posted, "The IRS takes the security of taxpayer data extremely seriously ..."
- After health insurer Anthem's breached database saw the loss of 80 million sensitive customer and employee records: Anthem tweeted, "We take info security seriously." (The data wasn't encrypted. HIPAA recommends, but does not require, the data to be encrypted.)
- After 40 million accounts were exposed in a breach on hookup site Ashley Madison: It stated, "We have always had the confidentiality of our customers' information foremost in our minds, and have had stringent security measures in place ..."
- After 145 million records were compromised on eBay: The notification sent to users said, "We take security on eBay very seriously ..."
- After an Experian/T-Mobile breach exposed 15 million people's personal information (T-Mobile uses Experian to check the credit of consumers applying for phone plans and financing for devices): In its press release, Experian said "We take privacy very seriously and we understand that this news is both stressful and frustrating."
I don't think "frustrating" is the exact word Experian's victims are thinking of.
Stay tuned, fellow unwilling participants of the Bullshit Moment. There will be many more to come.