CNET Releases '2019 Data Breach Hall of Shame' Dishonoring This Year's Biggest Data Breaches (cnet.com) 19

schwit1 quotes CNET's report on their newly-released "2019 Data Breach Hall of Shame." The biggest recurrent motif among the major data breaches of 2019 wasn't the black-hooded hacker in a dark room, digging into a screen full of green text. It was a faceless set of executives and security professionals under the fluorescent lights of an office somewhere, frantically dialing their attorneys and drafting public relations apologies after leaving the front doors of their servers unlocked in public.

The words "unsecured database" seemed to run on repeat through security journalism in 2019. Every month, another company was asking its customers to change their passwords and report any damage. Cloud-based storage companies like Amazon Web Services and ElasticSearch repeatedly saw their names surface in stories of negligent companies -- in the fields of health care, hospitality, government and elsewhere -- which left sensitive customer data unprotected in the open wilds of the internet, to be bought and sold by hackers who barely had to lift a finger to find it.

And it's not just manic media coverage. The total number of breaches was up 33% over last year, according to research from Risk Based Security, with medical services, retailers and public entities most affected. That's a whopping 5,183 data breaches for a total of 7.9 billion exposed records.

In November, the research firm called 2019 the "worst year on record" for breaches.

  • by bobstreo ( 1320787 ) on Sunday December 29, 2019 @10:58AM (#59567346)

    as they are about copyright or HIPAA violations, and there were similar fines, most of the breaches would never happen.

    It's a risk management decision to cheap out on security, because what's the worst that could happen? You have to pay for a year or so of credit monitoring (which is probably greatly discounted for large numbers impacted) for the people who bother to join in a class action suit.

  • by grep -v '.*' * ( 780312 ) on Sunday December 29, 2019 @11:04AM (#59567366)
    So? There's usually only a monetary penalty for the company. It's a cost of doing business. (Ford Pinto vs gas tank fix prices vs monetary lawsuit outlay. Pick the cheapest one.)

    Companies want to be treated like people, then so be it. But you can't actually put companies in jail while you CAN people. So let's rectify that: the CEO, who in effect IS the company (in name even if not in practice) gets held personally responsible for evils the company does. It's not like he shouldn't / didn't / can't know about it -- he's the LEADER, they can find out absolutely ANYTHING they want, there should be absolutely no doors closed, NOTHING is off limits to them.

    Oh, but they're busy, they can't know everything, etc, etc. Fine then -- they'd better have immediate underlings who they *completely* trust. After all, it's his (and maybe their) necks on the line.

    If large company CEOs personally started putting in jail time for the company misdeeds I imagine there'd be more checking.

    Oh, but don't make them actually pay the fines -- that's what the company (and shareholders) are for. With enough fines the shareholders will balk, with enough cell time the CEOs will balk.
    • by Voyager529 ( 1363959 ) on Sunday December 29, 2019 @11:50AM (#59567452)

      I think that the idea of jailing the CEO is a bit extreme - not because I have any great love for CEOs in general, but because if 'security issues' mean jail time for them, then so will other things like safety violations and accounting malice and so on, to the point where we'll end up with CEO-less companies who make end runs around these things on paper.

      No, where I think you're on to something is the idea of making shareholders liable. If there's a security breach whereby PII is exposed, fine shareholders 10% of their stock in that company. That amount won't cause investors to lose massive sums of money, but it will eliminate years of earnings, making the stock less valuable overall. Maybe limit the fines to voting stock only, or make stocks tied to 401k accounts only 5%...but it's both a big enough number to hurt, to the point where companies can't say "we are sorry for this inconvenience and are reviewing things internally", and have absolutely nothing change.

      The Experians of the world won't get off scot-free, and the CEOs don't have to be worried about government intervention that legal can shield them from; they are instead worried that their shareholders will be calling for blood. Finally, government intervention means that a CEO who gets fired can end up being the CEO of some other company, while a CEO of a company who caused the shareholders to lose a decade's worth of investment revenue is going to be radioactive, and far less likely to be hired elsewhere.

      Everyone wins.

      • by k6mfw ( 1182893 )
        I'd love to see a presidential candidate present your idea to deal with security breaches. Drives me crazy reading about major breaches all the time, and many become "alarm fatigued" by it all.
      • CEOs and other C-level executives have a fiduciary responsibility to the company and stake/shareholders.

        If they commit a crime on behalf of the company, the corporate veil won't protect them. But, you need deep pockets and big "guns" to blast a hole through the corporate veil. That's why so many get away with the misdeeds of the company.

        Having underlings taking the fall for C-level execs? Look at Saudi Arabia. The peons get their head chopped off for committing murder. Royalty walks away for ordering i

      • Smaller shareholders have almost no say in the day-to-day operations of the company. Holding them accountable makes no sense. I can maybe get behind fining any shareholder that has more than, say, a 5% stake in the company, but I don't really see how that would be meaningfully different than just fining the company itself. The problem isn't who is getting fined, the problem is the fines are too small in comparison to the crime committed.

        A big part of the problem is the way courts determine damages. They
  • Seems like most of the "hacks" are just stolen user/password credentials. I wonder how that could be resolved.

    • Seems like most of the "hacks" are just stolen user/password credentials. I wonder how that could be resolved.

      That's like saying, "We didn't lose the football game -- our score was just a smaller number than theirs was."

  • Require insurance (Score:5, Interesting)

    by joe_frisch ( 1366229 ) on Sunday December 29, 2019 @12:24PM (#59567512)

    Set compensation for various information exposure. Say minimum $10 / person for any loss, to say $1k for any financial or medical data, to $10k for data sufficient for identity theft.
    Require companies to insure against the full value of the data that they have.

    They can negotiate rates with insurers based on security policies.

    Would have the added benefit of discouraging companies from storing lots of personal data.

    A company with a billion records is going to have a LOT of motivation to protect them.

    Failure to insure would be criminal.

  • ... too big for its breaches.

  • Any garbage that comes out of CNET?

  • a cashless society really sucks. You are forced to use poorly designed security systems containing all your personal data with no thought of accountability or compensation for breaches. The response to 1984 is 1776.
