More specifically, are we seeing companies breached due to their (obvious?) security flaws, hackers getting better at what they do, or a combination of both?
What is the future of security for these large companies that we put our trust into that our data is safe?
Security is hard. Especially at the scale of those companies. Since they are big, they get a lot more hacking attempts. Makes more sense for bad actors to attack someone with millions of customers than your mom & pop store that might have hundreds, if everything being equal.
More and more people and compa ies wants to store things “in the cloud”, (read: someone else’s server). It is for the most part a good thing as it makes it easier to access, but it also opens up bigger and other attack vectors.
So, I think the number of breeches will only increase. Not always because the companies have bad security (though sometimes it is 100% that), but also because the attack vectors keep growing due to changed business decisions and user preferences.
Also, data governance is attrocious in most places. Some of the things I’ve seen ICT do with PII is mind-blowing. I’ve been a part of three large breaches (two ransomwware and one data theft/sale) and it’s always ironically been because of ICT managers.
I’ve caught a senior manager storing employee and device information for 17K staff in a Google Sheet on their personal account so they could distribute it to an external consultancy. I stumbled across the URL in an email chain, confirmed it was fully publicly accessible—anyone in the world could see it if they had the URL—and had been live for two months. This was apparently the safe workaround for emailing it as a file… They didn’t understand what was so wrong until I declared a formal breach internally. I can only assume that info got out but there was obviously no way of knowing. Names, addresses, genders, DOBs, etc. for employees. Then MAC addresses, IMEIs, network locations, serials, etc. for devices. Just sitting there…
It won’t become the norm, it is the norm. Security is incredibly hard and nothing is truly secure. If someone wants in badly enough they’ll get in.
Keep your sensitive data in house, encrypt and back it up off site.
it is the norm.
It always has been. I mean, super yachts are expensive, someone’s gotta pay for that in one way or another. There’s never been ‘enough’ with these people. They hide their greeds in something like ‘new opportunities’
Even now, the lawyers are working their butts off finding new loop holes so that they could sell your data even more without raising red-flags
This will keep on happening, just as how they try to shove ads to you in any way possible.
alert: they are invading the HDMI protocol :::
The reality is: security is often non-existent in larger corporations. It’s all about optics and insurance. Hardly any project I’ve been involved with actually did something for security. It’s a cobbled together mess with just enough security theater to not be legally liable. That’s it.
Case in point: I know of a database that holds data for pretty much all adult persons in Germany, Austria, Switzerland and some people from surrounding countries. The root password contains the company’s name and the year the DB was initially set up.
Most of the time it’s not even nefarious, I can tell you’ve worked big corpos. There just are too many intertwined things and no one overseeing the whole system. Every large company probably has hundreds of security flaws, but no one can see the giant entrance sign to the forest when all they can see are trees
Well, I would say it absolutely is possible, but it costs money directly, up front and in an accountable manner. Security incidents vanish in the fog of responsibility diffusion and nobody specifically can be blamed. That means for each individual responsible party, it is the rational choice to do just enough not to be blamed, pull off theater to seem engaged, but avoid anything that would actually cost money.
So, you’re kind of right, but for the wrong reasons. It’s a systemic issue, that almost inevitably happens in large organizations, but at the root is not inherent complexity, but a perverse incentive structure.
It was always happening and at a large scale, it’s just there are new reporting requirements now, which leads to more nonspecialized publications to cover it more often.
This will keep happening, no one knows how to make hardened IT infrastructure while also letting 65 year old Suzie in HR stay productive, so we’ll always have loopholes. The best thing you can do to protect yourself is to use fewer cloud services, but obviously that has limits, you can’t cancel your phone plan just because they may get hacked. You could use more encrypted services like Signal where a hacker wouldn’t get anything useful even if they broke in.
It already is. The fines if they ever get them become the cost of doing business and customers are helpless basically. There is no recourse for shitty security with peoples data.
