Stop talking about “taking security and privacy seriously”

Original author: Zack Whittaker
  • Translation


In all the years I have written about cybersecurity, I have come across variations of one lie that towers above the rest: "We take your privacy and security seriously."

You have probably seen the phrase here and there. It is a stock turn of phrase that companies reach for after some kind of data breach, either in the letter of apology to customers or on the page of the website where the company explains how much it values your data, even though the very next sentence so often admits that it leaked or misused it.

In reality, most companies do not care about the privacy and security of your data. They only start to worry when they have to explain to customers that it has been stolen.

I have never understood what a company's statement that it values my privacy is actually supposed to mean. If it were true, data-hungry companies like Google and Facebook, which sell your information to advertisers, simply would not exist.

I wondered how often the phrase gets used. I collected every breach notification I could find that had been submitted to the California Attorney General, which companies are required by law to send after a security incident, and converted them into machine-readable text.

Roughly 30% of the 285 notifications contained some variation of the phrase.

That does not mean these companies are worried about our data. It suggests they have no idea what to do next.

OkCupid is a good example of a company that does not care. Last week we reported that several OkCupid users had complained that their accounts were hacked. Most likely the accounts were taken over through credential stuffing, in which attackers take lists of username and password pairs leaked from other breaches and replay them against the login page, betting that people reuse passwords. Other companies have learned from such attacks and taken the time to strengthen their defenses, for example by offering two-factor authentication.
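The credential-stuffing pattern described above looks very different in login logs from an ordinary user mistyping their own password, which is what makes it detectable. The following is an added example (my own code, not code from OkCupid or from the article's author) of a detector that flags a source address attempting many distinct usernames in a short window with mostly failed results. The log format is assumed, and the sample log lines are constructed for the example rather than taken from any real service.

```python
# Added example (not from the article or OkCupid): a credential-stuffing
# detector run over login-attempt logs. The log format below is assumed and
# the sample lines are constructed, not real traffic.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso-timestamp> <source-ip> <username> <FAIL|SUCCESS>".
# 203.0.113.7 tries eight different accounts in six seconds (stuffing pattern);
# 198.51.100.4 is one user retrying their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2019-02-11T10:00:01 203.0.113.7 alice FAIL
2019-02-11T10:00:02 203.0.113.7 bob FAIL
2019-02-11T10:00:02 203.0.113.7 carol FAIL
2019-02-11T10:00:03 203.0.113.7 dave SUCCESS
2019-02-11T10:00:04 203.0.113.7 erin FAIL
2019-02-11T10:00:05 203.0.113.7 frank FAIL
2019-02-11T10:00:06 203.0.113.7 grace FAIL
2019-02-11T10:00:07 203.0.113.7 heidi FAIL
2019-02-11T10:00:09 198.51.100.4 alice FAIL
2019-02-11T10:00:15 198.51.100.4 alice FAIL
2019-02-11T10:00:20 198.51.100.4 alice SUCCESS
2019-02-11T10:05:00 192.0.2.9 bob SUCCESS
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(log_text, window_seconds=60,
                               min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: stats} for source IPs whose attempts look like credential
    stuffing: many *distinct* usernames from one address inside a short
    window, mostly failing. A single user retrying their own password never
    trips this, because the distinct-user count stays at one.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological order (tuples sort by timestamp first)
        start = 0
        for end in range(len(attempts)):
            # Advance the window start so the span fits inside window_seconds.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) < min_distinct_users or failures / len(span) < min_fail_ratio:
                continue
            prev = flagged.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    # Successful logins inside a stuffing burst are the accounts
                    # most likely to have been taken over through password reuse.
                    "compromised": sorted(u for _, u, r in span if r == "SUCCESS"),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The flagged address and its list of accounts that logged in successfully during the burst are exactly what an incident response team needs to force password resets on. Per-source-IP counting is only a starting point: real stuffing campaigns are spread across proxy networks, so production detection also keys on device fingerprints, per-account failure rates across all sources, and the fraction of attempted usernames that do not exist at all.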

Instead, OkCupid chose distraction, excuse and denial, the usual playbook when a company tries to smooth over a bad impression. It went like this:

Distraction: "All sites are periodically hacked," the company said.
Excuse: "There is nothing to talk about," the company said in another article.
Denial: "No comment," in response to the question of what the company is going to do about it.

It would be nice to hear OkCupid say that it is concerned about this and what it is going to do about it.

Every industry has neglected security for a long time. Most of today's breaches are the result of poor security practices that persisted for years, sometimes decades. Today every company has to deal with security, whether it is a bank, a toy manufacturer or an app developer.

You can start small: tell people how to report security flaws to the company, offer a bug bounty to encourage such reports, and promise good-faith researchers that you will not sue them. Startup founders can hire a head of security from the very beginning. That alone would put them in a better position than the 95% of the world's richest companies that never bothered.

But that does not happen. It is easier for companies to pay the fines.

Target paid $18.5 million for the breach that exposed information on 41 million credit cards, in a year when the company's revenue was $72 billion. Anthem paid $115 million after a breach that compromised the data of 79 million policyholders, and earned $79 billion that year. Remember Equifax? The biggest data breach of 2017 has led to nothing but talk.

Without an incentive to change, companies will keep recklessly repeating their empty promises. They should do something about it instead.
