How much customers care about data breaches is often dependent on the type of customer data obtained by attackers.
If it’s username and password information for a specific site, the potential damage is less than loss of social security numbers, or financial and medical data.
If your organization has been breached, prepare to answer a variety of questions, some relating to ancestral origins of security staff and other more pertinent ones relating to the breach cause and remedies taken to lessen or remove the damage caused. Before delving further into this, let’s look at the official line, based on surveys and observations from security professionals.
- Brand engagement is impacted – 78% would stop online engagement while 38% would cease all interaction with the brand.
- Younger generations place higher trust in brands – 53% of the under 35s are more trusting, being confident that their personal info is protected. By comparison, 27% of the over 55s feel the same way.
- Americans are twice as likely to share sensitive data with brands – In the example given, social security numbers, 16% of Americans will share this data compared to 9% in France, 6% in Germany and 4% in the UK. Coincidentally, UK respondents are less likely to experience a breach (15%) than Americans (27%).
From the last, it would seem a good rule of thumb not to share sensitive info with brands as it lessens your chances of a breach.
The survey also asked the question, “How much would you be willing to pay to protect your data?”
Once I’d finished gnawing my keyboard, I had to chime in. If a company cannot protect my data, why would I do business with them?
If I buy a Black & Decker grinder, I don’t have to pay more to ensure it won’t overload and take my head off. If I have an operation to remove the part of my brain that blindly trusts third parties with my data, will I pay the surgeon extra to ensure I survive the process? I don’t think so.
If a company gathers customer data, from mundane to critical, it is their responsibility to protect it. If it wasn’t, class action suits would not take place, e.g. Equifax.
Data breaches are not limited to eCommerce, brands or service providers but also include membership of any website, group or online forum. If you need a username or password to log in, this and other information is fair game to hackers. If you use the same username and password for multiple sites, one breach will have more impact. The best practice is not to reuse them, but instead to use password managers and generators to harden security with complex, unique passwords.
Of course, the website owner (whether individual, brand, or organization) will store this info for all users, generally in a database. If they are hacked, whether via a third party they share data with, via phishing, ransomware, etc., suddenly all user data is compromised. This is pure BS, in my opinion.
Take the 2014 Target hack, traced back to an HVAC vendor. While these were high-profile, breaches take place almost daily, and 2019 was quite the year. Personally, I’m sick and tired of reading about security awareness training and human error when the primary cause is lax security on data. We will never get rid of some users’ tendency to click on URLs from unknown contacts.
Gaining access to a network should not mean automatic access to important data, especially if stored in a database. Is it impossible to add another layer of security to customer information? I don’t believe so.
Let the thieves make off with usernames and passwords (all that’s necessary to sign in) if it makes them happy, but any other info should be stored in a separate encrypted location that requires 2FA or other authentication to access. It won’t remove all threats, but at least it gives the illusion of increased security.
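The split described above, as an added example that is not code from the post: the login store keeps only salted password hashes, while the other customer fields sit in a second store encrypted under a key that is assumed to live outside the database (an environment variable or a KMS). A dump of both tables then yields hashes and ciphertext rather than the PII itself. The HMAC-SHA256 counter-mode keystream is a stand-in for a real AEAD such as AES-GCM, which the Python standard library does not ship.

```python
import hashlib
import hmac
import os

# Assumption: pii_key is fetched from outside the database at runtime;
# it is never written into either store, so a database dump alone
# cannot decrypt the profile records.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, hash) for the login store; a fresh salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demonstration keystream: HMAC-SHA256 over nonce||counter, block by block.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_pii(key: bytes, plaintext: bytes) -> bytes:
    """Profile-store record layout: nonce || ciphertext || tag (tag covers nonce and ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_pii(key: bytes, blob: bytes) -> bytes:
    """Reject a record whose tag does not verify (tampered dump or wrong key) before decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("profile record tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
```

Signing up a customer means writing `hash_password(pw)` to the login table and `encrypt_pii(pii_key, record)` to the profile table; a reviewer of a leaked dump should find neither a plaintext password nor a plaintext profile field in either.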
Commercialization of Data
I believe the rise in targeted attacks by industry is based on companies seeking to leverage all our data for their own ends, additional profit, with healthcare and financial institutions falling victim to many attacks. It’s not enough that we pay for banking services or medical care, but our ‘anonymized’ data is shared with preferred partners, affiliates, and marketing companies under the guise of data analytics or personalization of services. So-called anonymous data is reverse engineered by hackers to identify users. The full scientific study is only for the mathematically inclined but concludes that 99.98% of Americans are correctly reidentified, even from incomplete datasets. It also points out the GDPR standard in Europe will not allow EU citizens’ privacy to be invaded in this manner.
I Care And So Should You
Many other techies and I believe that online privacy is an illusion; we should be careful what goes online and what we share with brands, service providers, websites and social media. If I sign up for a site or wish to make a purchase, I provide the info necessary to do so, and that’s it.
When I buy a piece of software, it’s available for download. Therefore, why would I provide a shipping address or any other information? I choose my preferred method of payment (typically a payment gateway), and the transaction is processed there rather than by the seller. At a push, I may use a Visa debit card kept specifically for online activity. In this manner, I control who has my data, and all the seller has to work with is an email account. Similarly, I don’t provide telephone numbers or email addresses in brick-and-mortar stores or hospitals. No thanks, keep your VIP cards…
The key lesson is that we shouldn’t expect companies (regardless of size) to treat our data in an ethical manner or make any special effort to protect it. Facebook and Cambridge Analytica is just one example. In cases other than product or service purchase, and sometimes even then, it is us that become products.
In conclusion, data breaches will continue, and it’s up to all of us to regulate our own data, given that third parties can’t seem to protect it as a regular part of business operations. If you want to buy something, all the retailer needs to know is that you want it and can pay for it. If shipping is necessary then a physical address is useful.
With this in mind, it is worth checking if you’ve already been compromised. Visit Have I Been Pwned? and check your commonly used email addresses. Alternatively, if you’re a Mozilla supporter like I am, sign up for Firefox Monitor (it also uses Have I Been Pwned? as a source) and receive alerts if your email is part of a new breach.
Bear in mind that ‘new breaches’ reflects the time of discovery rather than when they happened. Some are discovered months or even years after the event. My emails were compromised (LinkedIn and Canva and a few others, but only usernames and passwords), so it’s likely you too will discover a few surprises. What do you think? Should companies protect our data in the same manner they would their own IP (with preferential access and other domains, etc.)? I think so.