Many companies in the US have been reporting their breaches since the early 2010’s. All 50 states have some sort of breach notification law on the books.
I have no hard data, but from being in the industry + reading the news, my impression has been that the number of known data breaches went up significantly, even for US companies. Is the punishment maybe just completely laughable in those US laws?
That was the case here in Germany. The GDPR is heavily inspired by our data protection law (BDSG), that we had in place since the 90s. With a significant amendment, which is that punishment went up from at most 300,000€ to 20 billion € (and even more for big companies).
For many companies, this was when they realized, they actually have to adhere to data protection laws. Suddenly, we had non-IT companies reporting data breaches, which was essentially not a thing beforehand.
Statista has an interesting break down of US breaches over the past two decades. Unfortunately I’m having a hard time finding this type of break down for other nations.
My personal opinion: those hackers are probably not that clever nor smart, it’s just that companies doesn’t often properly follows security best practices despite storing plenty amount of sensitive information.
Some companies have found that leaks create hype, especially for games. League of Legends is infamously known to get everything leaked, probably on purpose. Until players get fed up with it, at least.
Still a very small subset of the data breaches out there.
Think about it.
Start with the total amount of data breaches. Narrow that further to the data beaches that someone noticed. Narrow that further to the data breaches they reported. Narrow further to the ones that you have heard about.
What you know about it is a trailing indicator of the total incidences.
Yes, breaches have always happened. There have been some very high profile ones in the past like Sony and Adobe that caused governments to create laws forcing registered businesses to disclose breaches where Personal Identifiable Information is accessed. So you are hearing more because they are forced to disclose more.
The other side is hacking tools have become far more powerful with a much lower barrier to entry.
Previously you needed to find and build your own tools for exploits. A considerable amount of private hacking groups will sell access to their tools for others to use leading to the rise of Ransomware as a Service (RaaS). Hackers poking fun at the current XaaS naming (SaaS, IaaS, etc.)
IMHO, the biggest recent change is visibility to breach notifications. The notifications have been going out in many places for over a decade, but now there are lots of products that easily expose that information to people and the media.
In addition, I don’t have data to back it up, but I feel like social engineering plays at least a part in many if not most of the big hacks we see happening
Social Engineering is absolutely the lions share of how things get done. Remember: Never work the system if you can work the people running it.
This is true of hacking, yes, but also just navigating all the bullshit bureaucracy that surrounds modern life. For hackers, cracking good passwords is almost impossible (this is to say, it is possible but it takes… a very long time. Longer than they have.) So they rely on people having terrible password discipline- they’re using phishing schemes to get passwords and guess similar passwords at other places.
They’re also using social engineering to convince your cell phone company they’re you… at which point the cell phone CS rep becomes extremely helpful in bypassing any security that normally routes through your phone. (Like, say SMS 2fa. Or phone call 2fa,)
It does. And also just plain old bribing. I work for a big Tech Company, and while I‘m only a Retail employee, I have been offered quite some money throughout the years to share my logins (which honestly wouldn’t get you very far). People with more acces than me (Managment or Support employees) apparently received offers in upper 5 Digit territories. If you ask enough people, I‘m not 100% confident that all would say no to that. But to be fair, there’s a lot of hurdles now in between those things with acces being restricted to internal networks, multi factor and trusted device policies a real crackdown on who has access to what. Passwords allone don’t get you very far anymore.
Yeah, it’s a struggle with there are a dozen zero days a year for multiple brands/applications. I have at least 4 people always doing some sort of upgrade or patch being reported by infosec.
Or companies do hire security, but the security team is incompetent and unable/unwilling to adapt to new challenges. Then it devolves into security theater, until either someone new comes who cleans house or a breach happens.
Company experiences a breach > Hire an expensive internal security team > wait 3 financial quarters > new suits wonder why they spend $$$ on security if nothing has happened > lighten security team
In my experience, it’s always been this bad. However, as the world becomes more connected, it becomes easier to find systems to break into and easier to find ways to break in. It’s only recently that most countries have enacted legislation to enforce mandatory reporting of data breaches, and so we hear more about them.
Cyber security has always been (and probably always will be) an arms race between those who want to secure data and those who want to steal it. As the value and usefulness of data goes up, so does the desire of the bad guys to steal it. Identity theft and just plain ransoming of data are only ever going to increase.
Use:
a password manager
a different random password or pass phrase for every site
a different random email address for each site (Apple’s “Hide my Email”; Firefox Relay; DuckDuckGo mail; 33mail, for example)
different false details as much as possible for every site
Don’t:
Use the same details (name, password, email address) on every site
use your real details if you can possibly avoid it. If you must, misspell your details (“Johhn Smith”, “1 Maiin Street”) so that you can track the misuse of your data.
Funny thing is when you have a catchall you can tell your friends your email is whatever the fuck you want. One of my buddies deadset thought my email address that everyone got was “Ifuckcats@email.com” for years.
Yes—it’s why you should use a password manager to generate a unique password for each and every site you sign up for, and think long and hard before trusting any site (or any org for that matter) with your personal information.
Haveibeenpwned.com is a website for checking which sites have leaked your data.
Add comment