Much has been written about the processes, technologies and overheads of handling data breach notifications from the point of view of the organisations that may suffer breaches. Less has been said about the effects of these notifications on data subjects, or on other, seemingly unaffected organisations.
The introduction of data breach reporting/notification is one of the big leaps in GDPR and is echoed in other parts of the world that are tightening privacy rules, like Australia.
There are really two aspects to this. The first is notifying the Regulator or the Authority. In GDPR speak, Article 33 requires:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
However, for data subjects, Article 34 requires:
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay … [and] describe in clear and plain language the nature of the personal data breach and contain at least the information and recommendations [referred to in Article 33(3)].
So if you follow the logic, an organisation suffers a data breach, howsoever caused, tells the supervisory authority (in the UK this is the Information Commissioner's Office, the ICO) and then, very soon afterwards, sends a communication to the affected people to inform them and tell them what to do.
What could possibly go wrong?
Put simply, there could be unintended consequences that are, at present, hard to quantify or measure – much like the so called butterfly effect; where the flapping wings of a butterfly cause changes to the weather somewhere else due to chaotic effects.
If you consider the result of a data breach notification from the data subject’s point of view, the person whose data or account has been breached, there are two effects.
The first is that they get a genuine notification, most likely by email, saying there has been a problem and what they should do about it. This could range from ‘contact a call centre’, or ‘log into your account and reset your password’, to awaiting a recreated set of account credentials, or a link to register for credit/identity theft insurance. Something out of the ordinary and (depending on the media coverage) possibly unexpected.
The second is that there is a massive phishing exposure, particularly when breaches have been widely publicised or if data breach notifications start to become very commonplace.
So let’s assume a bank customer gets an email today saying:
“Your account has been compromised, please fill in the details below to reset your credentials and unlock your account”
They would probably be suspicious and ignore it – as we are told to disregard those when they arrive out of the blue.
However, if there has been a widely publicised breach, or even if breach notifications are simply frequent (people are getting them all the time), the risk is greater. Imagine a news story reporting that the bank has suffered a breach, followed by an email saying:
“As you may have heard in the media we have suffered a security breach. We are very sorry and are working hard to make things right.
We have suspended accounts for your protection, please fill in the details below to reset your credentials and unlock your account”
There is a problem here. The content and process behind the phishing email are identical; but given a real incident and a plausible story to link the message to, the credibility of the request is elevated and the chance of it working is much higher, potentially to the point where more people will believe it and cause themselves even more problems by following what they believe are genuine instructions.
Several attack scenarios follow from this. One prediction is that a rising frequency of data breaches being publicised and communicated to the public will make phishing emails harder to spot (hence more successful), or more common (hence more lucrative).
We see this already when data breaches occur – a database of email addresses, personal details and/or passwords is leaked from a site or company A – and sure enough the same credentials are either used to log into company B or they contain sufficient information to enable accounts on company B’s systems to be reset or unlocked.
If you are company B your customer accounts are accessed and money is transferred, data is stolen, purchases are made using stolen credentials.
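What company B can do about the credential-reuse pattern described above, as an added example that is not part of the original article: a detector that flags a source walking a leaked credential list across many accounts, and a leaked-password check at login or reset time so a password already exposed by company A cannot be set again. The log format, the thresholds, and the three-entry "leaked corpus" are constructed assumptions for illustration; the range lookup mirrors the k-anonymity scheme the Pwned Passwords service uses, but runs entirely locally here.

```python
"""Credential-stuffing detection and leaked-password check (illustrative)."""
import hashlib
import re
from collections import defaultdict

# Constructed auth log in a hypothetical "timestamp source_ip username result" format.
# 203.0.113.7 tries a leaked list against many accounts (stuffing); two of them open.
# 198.51.100.4 is one user mistyping their own password, which is not stuffing.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave OK
2024-05-01T10:00:03 203.0.113.7 erin FAIL
2024-05-01T10:00:04 203.0.113.7 frank FAIL
2024-05-01T10:00:05 203.0.113.7 grace FAIL
2024-05-01T10:00:06 203.0.113.7 heidi FAIL
2024-05-01T10:00:07 203.0.113.7 ivan OK
2024-05-01T10:00:08 203.0.113.7 judy FAIL
2024-05-01T10:01:00 198.51.100.4 alice FAIL
2024-05-01T10:01:05 198.51.100.4 alice FAIL
2024-05-01T10:01:09 198.51.100.4 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "OK"))
    return events


def detect_stuffing(events, min_distinct_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts with a low success rate.

    Thresholds are illustrative assumptions, not tuned values. Many failures
    against a single account (brute force) is a different signal and is
    deliberately not flagged here; stuffing is recognisable by account breadth.
    """
    stats = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                 "attempts": 0, "successes": 0})
    for _, ip, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["successes"] += 1
            s["ok_users"].add(user)
    flagged = {}
    for ip, s in stats.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "success_rate": round(rate, 2),
                # Accounts that opened under a stuffing source: lock and re-verify these.
                "compromised_accounts": sorted(s["ok_users"]),
            }
    return flagged


# Constructed stand-in for the "company A" leak. Only SHA-1 hashes are kept,
# the way the Pwned Passwords corpus is distributed.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1", "summer2019", "letmein")
}


def range_lookup(prefix):
    """Return the suffixes of every leaked hash sharing a 5-hex-char prefix.

    Mimics a k-anonymity range query: the caller sends only the prefix, so the
    lookup service never learns the full hash (or the password) being checked.
    """
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def password_is_leaked(password):
    """True if the candidate password appears in the leaked corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


if __name__ == "__main__":
    for ip, detail in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"stuffing from {ip}: {detail}")
    for candidate in ("Password1", "correct horse battery staple"):
        print(f"{candidate!r} leaked: {password_is_leaked(candidate)}")
```

The detector keys on breadth of accounts rather than volume of failures, because a stuffing run that succeeds 20% of the time looks healthy on a per-account failure counter. The password check rejects at reset time the very credentials the phishing campaign in the scenario above is trying to harvest.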
How does the rise in publicised data breaches expand this risk? In short, if your customer details become more widely known through more frequent and more widely publicised breaches in other organisations, there is a greater risk that individual details will be available somewhere; that people will choose weaker passwords (if they have to change them much more often); and that facts they can’t change, like date of birth or mother’s maiden name, suddenly become less useful for identity validation, leaving companies with scant choices for asking security questions or verifying identity.
Ransomware is increasingly common, in some circles it is the cyber security threat that many fear most. Past cases have been geared around encrypting data and holding the key for a bitcoin ransom – often one that is modest enough that paying up is by far the best strategy (why pay thousands for expensive consultancy or data recovery if you can get your data back for $300?).
However with the increased pressure of larger regulatory fines and the need to disclose the nature of the breach, will ransomware demands get higher or will their focus be not on encrypting data but on avoiding a small breach becoming a large one?
“We have 1m records, but pay us $300 and we will only leak 1000 of them.”
Certainly there is an economic driver around minimising fines, and ransomware authors might look to exploit that through the creation of tiered-impacts where the size/severity/scale of a breach is reduced (and hence attracts a lesser fine) if a ransom is paid.
There are several factors compounding this. An increase in the number of publicised breaches is good for raising awareness and increasing transparency. However, the improvements in organisational security that we have sought for years are not going to come overnight.
We also don’t have an effective mechanism to replace passwords. Yes two-factor authentication solves a lot of the problems, and it is expected to become more widespread in its use – but for some systems, applications or businesses, challenges will remain in how to authenticate individuals and verify identity if there is a wider market for stolen credentials and personal data resulting from phishing attacks etc.
For us as data subjects, we may see our security answers become less useful, as the data is known to be exposed and hence less reliable (it is almost surprising that security questions are still in use even now), and a growing overhead in logging into systems that until now was relatively easy, as services lessen their reliance on password protection alone.
We may also see a reduction in companies allowing us (or in some cases forcing or encouraging us) to create accounts at the point of checkout “to store our details” as the risk of that data being exposed is perceived to grow. For some people, that loss of convenience when they are buying running shoes, or books, or gifts might become a nuisance.
Mandatory data breach notifications are undoubtedly a good thing, but they could also have unintended consequences, akin to the chaotic effects of a flapping butterfly wing, as they change the dynamics of how breaches are reported and handled.
It is unlikely there will be a flood of notifications, but as transparency increases there could appear to be a higher number than are currently reported; and this could lead to more account resets, more reuse of passwords, and a growing difficulty in relying on security information to verify identity. Also, the heightened fines might mean ransomware becomes more focused on fine avoidance or reduction, rather than just on getting data decrypted as at present.