Uber is the latest company to have personal data stolen: the data of 57,000,000 users. To complicate the problem, they paid the hackers $100,000 to delete the data and keep it quiet. Obviously it is not quiet, and does anybody believe that the hackers deleted the data? Security problems have affected many companies such as Equifax, Sony, Instagram, Yahoo, the DNC and many others, resulting in a never-ending sequence of confession, damage control and promises to do better in the future. For many, like Uber, it is not the first time. Uber had another incident in 2014, and was fined for not disclosing it.
There is a persistent belief that large companies are somehow safer or more reliable, that they must have teams of experts to deal with attacks, and so faith is placed in them. The reality is that a large company also has a large attack surface: thousands of employees inside, and a huge profile outside. Security issues are often set aside for user convenience, for cost, or out of ignorance. There are many opportunities to make mistakes, and it can be something small that nobody thought would matter. You even see it in the store when the cashier insists that you swipe your card instead of using the chip, leaving you vulnerable to card skimmers.
In the collective imagination these are “sophisticated” attacks done by some corrupt genius in a dark room surrounded by computers. More often they are done by insiders who had access and passwords, or by tricking someone inside to “click on the link”. Add to this weak or shared passwords, open wireless nodes, and companies that delay or do not follow security standards. The problem is not the “sophisticated” attack carried out by “Russian hackers”; it is people persistently looking for a weakness, like a thief looking for an unlocked door. The simple phishing attack is often the beginning: an email that looks important, with some clickbait.
Like the data breaches themselves, it is also common to conceal them. Nobody wants to tell all their customers that someone took their data. The first response is often to try to prove nothing was taken. Next, if nobody knows that something happened, the temptation not to say anything is huge.
Each of these incidents is accompanied by a tone of surprise, yet most companies don’t have a security response policy. We have located problems in small and large businesses around the Los Angeles area and can’t get people to respond and fix them. The same is true of government offices, schools, and internet providers.
These incidents will trigger discussions of new security regulations, software, and procedures. Companies will look for ways to regain trust, but to quote The X-Files, “Trust no one”. It can’t be assumed that someone, somewhere will fix all this, so the first thing to do is to attend to your personal security. After that, question the security practices of the businesses you use, and those where you work. The security holes are not always someone attacking the firewall, but someone going around it: through a forgotten computer, a WiFi access point, or by tricking a user into an action that shouldn’t be done.