Data Breach Spam Mail

Dear reader,
We are writing to inform you that your personal data may have been inappropriately accessed and you’re already setting this into the junk mail pile aren’t you?

This year more than any, data breaches are becoming more and more common. I’ve heard countless conversations between peers comparing how many breach notifications they have received, and joking about how many cumulative years of credit monitoring services that they have. Personally, I have racked up 3 years of monitoring in the past 6 months, and one of those letter was from a company I haven’t done business with in over 4 years.

Here are some questions… when you receive another breach notifications in the mail, do you care? Do you think less of the company that sent it? Do you even have a choice?

Will you stop using Ticketmaster because of their recent data breach? No, because they are a monopoly in the event space, and you if you want to see your favorite artist or sporting event, you’ll need to use them. What if the government has a data breach, as it has many times? No matter how hard many have tried, you do need the services of your government(s).

As far as I’m aware, there is no legislation with penalties or fines in the United States in the event of a data breach. The only penalty is a company’s brand damage. With data breaches becoming so common, I question if the impact to a company’s brand hit is anywhere close to where it used to be.

Attackers know this as well, which is why ransomware is so prevalent. Ransoms can come in two flavors, typically at the same time: requiring payment both to unlock systems, and to “delete” the data that they stole.

Attackers sometimes find data unprotected in unprotected places, will download it, and attempt to gain payment to not release it, but this is less lucrative for the attackers as companies are less likely to pay to protect it once it was accessed by a third party.

The overlap between resiliency planning and cyber-security is growing. The tactics and techniques that attackers use to gain unauthorized access to systems is similar regardless of the intent, whether it is to exfiltrate data or to encrypt systems. Attackers look for an initial access vector, then move laterally, escalate privileges, look to gain access to the most impactful systems.

With this overlap of ransomware and system availability, a good cyber resiliency program is more important than ever. Companies should already follow SRE principles, and while these principles were designed with operational digital resiliency in mind, cyber resiliency now also plays an important part. Attackers are going after data, services, and the backups. They want it to hurt in order to increase the likelihood of payment.

The brand damage from your systems being unavailable, especially in the service industry, is now twice the brand hit of a data breach, and if companies aren’t there when their customers need them, that is when they will reconsider competitors. Without governments stepping in and creating legislation with punitive damages for data breaches we will see a shift from a focus on privacy, to a focus on resiliency.