Data Breaches and Why I’m Angry
This article at Salon had me seeing red. The title is “Americans Are Getting Apathetic About Huge Data Breaches.”
My first reaction was “Are you [expletive] KIDDING ME?”
The context was the massive, massive breach of J.P. Morgan.
Articles here (Fast Company) and here (NY Times). Time downplays it here.
Thanks a lot Time, that’s some great advice about what we poor suckers can do once it’s too late. Did someone edit out the part where you blame the bank? Can we not ask why ALL the data isn’t encrypted? How about that?
Americans are getting apathetic. Right.
Let me ask you this: What can YOU, personally, do to prevent server hacks at companies where you do not work? Perhaps a polite inquiry to the teller to please take better care of your personal information? Or perhaps you should ask to inspect the card swiper at your local super-duper store before every purchase. Don’t swipe that card until you have received proof it’s hacker and malware free. Contact every company where you’ve ever done business or visited their website and ask them to please stop selling your data because the parts are easy to cobble together to personally identify you. I’m sure they’ll do that the minute you explain.
What’s the answer?
NOTHING
You can’t do anything. It’s your data. Your money. Your information. And you can’t do anything about it.
The strength of your password, whether or not you use two-factor authentication, whether you use a VPN, or even encrypt your hard drive is irrelevant when someone hacks into your bank’s server and takes data that includes yours.
If we’re apathetic it’s because it happens ALL THE TIME.
Why does it happen all the time?
Because nothing bad happens to a company when they don’t adequately protect customer data.
Because they have the money to lobby to gut consumer protections and that is exactly what they do.
This is utter BS.
Seriously. All you get is a stupid letter saying they’ll pay for credit monitoring for you for a year.
How about companies spend some real money securing their infrastructure?
How about the government steps up and says the fine is $100 per account stolen or hijacked off a server or sales system?
There’s some [expletive] incentive for you.
Rant over.
Preach!
Ditto
The consumers will never be protected as long as money moves the politicians.
Yes, thank you! The price of convenience shouldn’t be insecurity. If so, let’s just keep our assets under the mattress.
SO agree. It’s not apathy if the consumer has no ability to change anything in these scenarios.
And the immediate advice of “well, just don’t use those companies” only comes after the hack and it’s too late. The company you choose to replace it with can be just as vulnerable, and just hiding it better. For the moment.
Word, all you. Word.
Oh, finally someone saying this out loud!
Because it’s always, “well, you should do more to protect your data” which is fine and dandy for what’s in my hands, but once I give it to someone else–which I have to, in order to get paid or to pay mortgage, loans, etc–there’s effin’ nothing *I* can do, no matter how careful I have been to that point.
How about the government steps up and says the fine is $100 per account stolen or hijacked off a server or sales system?
This This This
@Amanda: I agree we need to regulate this. I think that every single account I’ve had has been hacked by someone in the past year or so. It’s so frustrating!
Thanks for saying this. Yes, it’s so frustrating to have so little power in these relationships with these companies.
Thank you, thank you. I’m bobbing and weaving, electronically, as fast as I can and will never be able to dodge every poorly-maintained database and Swiss cheese infrastructure. I’m all in favor of fines per stolen account, great idea.
I’ve been following the blog krebsonsecurity.com for about a year and it is pretty amazing how some of these are pulled off. But I have to admit, after reading about a new one of these every 4-5 days, it has been hard not to become somewhat numb.
One of the things Krebs recommends is using a Linux LiveCD at home whenever you access your online banking accounts – especially for small businesses who have fewer protections than individual consumers. (Yes, I know, that wouldn’t have stopped this kind of attack – just sharing something I never would have considered until I read it).
He’s also had a couple of interesting stories about small companies that are suing their banks because they didn’t offer certain kinds of security options (like 2 level authentication).
So sick of protect your data and have skin in the game for medical bills. It’s our fault for not being better consumers /sarcasm.
“You shouldn’t have been walking down that street, dressed like that.”
“You shouldn’t have allowed people to take nude pics of you.”
“You shouldn’t have banked with that company/given personal info/etc.”
I’d never realized how similar this all is. Reminds me of that insect photographer article on how companies infringe his copyright all the time.
And it’s only going to get worse before it gets better. Big banks are still gobbling up smaller, local ones, and that means you don’t have much choice if you want to keep your money somewhere “safer” than your mattress. My MIL won’t allow my husband to set up on-line access to her account, on which he’s the co-signer. She says that will allow for theft. He tries to explain to her that the theft can be occurring already. On-line access would allow for him to find it earlier than when the bank sends her a “Sorry, my bad”, letter.
The banks that were deemed “Too big to fail”, have gotten too big and arrogant. They screw the little guy and never have to pay anything back. But that’s the new American way, I guess.
Amen!
Thank god…your rant actually makes me feel better. I’m not the only one feeling powerless and pissed off.
The $100 fine creates some INCREDIBLY perverse incentives though…
1/ Companies who announce they’ve been hacked are saying “I admit to a crime the punishment for which is a fine of millions or billions of dollars”. They will immediately stop announcing/actively covering up hacks, and not telling you to change your password etc.
2/ Hackers now have an incredible incentive to commit large scale hacks – blackmail. Just hack the system and threaten to reveal it unless you get paid.
3/ anonymous and false “we’ve hacked company x” become the new denial of service / swatting prank of choice. Watch the companies try to prove they weren’t hacked without looking like they’re covering up an actual hack.
@Michael:
You are right, of course. I want to use the word nuance, but I don’t think my suggestion was in any way nuanced. The problem though is that the current situation, in which banks have no incentive to do a better job, puts the burden and risk on the people who can do nothing to remedy the problem.
Obviously, knee-jerk proposals like mine are not the correct solution. But that does not mean there is no solution.
Bruce Schneier observed years ago that the lack of any consequences for bad IT-Security in the financial sector was placing unfair risk on the consumer. It’s time that changed.