
Let's Stop Giving Retailers a Free Pass on Data Breaches - gok
https://www.bloomberg.com/gadfly/articles/2018-04-06/retailer-data-breaches-stop-giving-them-a-free-pass
======
akkartik
It's data breaches all the way down, and there's only so many hours in the
day. I choose to worry about just two:

* The OPM breach: [https://www.opm.gov/cybersecurity/cybersecurity-incidents](https://www.opm.gov/cybersecurity/cybersecurity-incidents)

* Equifax: [https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breac...](https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do)

In both cases the amount of data leaked per person is huge, way more than just
an email address or credit card number. And in both cases there was no way for
customers to opt out of their data being gathered. Those two characteristics
seem related. The most valuable data isn't going to be somewhere that is
subject to regulations like GDPR. And it's going to be running on the same
insecure stacks and practices as everything else we see. If we want to plug
holes, these are the sorts of places where we need to begin. Facebook is a
child's bagatelle in comparison. MyFitnessPal doesn't even register.

~~~
caseysoftware
Good call. Those are the most devastating by far because the first is
effectively a bad mail database while the second destroys most forms of
identity proofing for all time.

Though it's unfair calling the OPM incident a "breach" as management of the
database was outsourced to an outsourcer to an outsourcer so the final party
had full read/write access over it for potentially years. As I noted at the
time, every clearance granted or denied during that period must be
reviewed.[0]

0 - [http://caseysoftware.com/blog/opm-background-check-hack-a-di...](http://caseysoftware.com/blog/opm-background-check-hack-a-different-angle) (I had a clearance previously so I was included in this one.)

------
Digital-Citizen
"Let's Stop Giving Retailers a Free Pass on Data Breaches"? What a joke; the
very headline conveys a sentiment that frames the debate around how out of
touch corporate media (and thus any blind repeater site) is.

Corporate media has been giving passes with one-off coverage that often
neglects to mention any proposals for remedying long-term public
ramifications. But the public's interest isn't well served by corporate media
nor is public interest properly evaluated by corporate media.

Let's also stop thinking the stock market is a proper means of evaluating
something applicable to most people's interests, because that's never been
true. The stock market has more to do with wealthy people than most people.

The corporate death penalty seems right and proper for very egregious offenses
like credit rating agencies because the public will suffer the most and for
the longest time (possibly the rest of their lives) when these records are
insecure. Organizations will continue to lazily make evaluations based on
these records but the records could have been tampered with. And judging by
Equifax's successful lobbying, the ratings agencies get away with scarce
punishment and therefore have little reason to care about fixing what they
broke. Relatedly, it's time we stopped trusting so few organizations with
something so precious. The market just isn't designed to handle truly
important things, so we should stop trusting it to do so.

No, let's not give them or any other organization passes, but let's also
realize that most of these organizations use proprietary software
(untrustworthy by default) to keep that data secure, where nobody (including
the organization) can do effective audits. How proprietary software
works is a secret, so such software is structurally incapable of ever being
reasonably considered a sound choice for data safety. And organizations'
choices affect users' data safety, so users have an interest in this but not
enough control over how their data is stored.

~~~
midev
> let's also realize that most of these organizations use proprietary software
> (untrustworthy by default)

This is completely incorrect. The only example of a data breach you gave was a
result of open source software (Apache Struts for Equifax). Open source
software has contributed to plenty of data breaches, and I seriously doubt
you've ever audited the millions of open source packages and dependencies
you're using.

_This_ is bad corporate security, by believing this type of nonsense. Then
you'd inadequately assign risk, and fail to protect against real threats,
instead focusing on 1990's "M$" risk.

> How proprietary software works is a secret

I don't need to know how exactly software works to make calculated decisions
about risk. We sign vendor service agreements with other companies, that give
us assurances about their data handling practices, their audit/compliance
history, etc. I can look at how vendors manage their PSA process, how
transparent they are with security disclosures, things like that.

------
Khaine
It is very easy to stop data breaches. Make C-Suite executives and the board
of directors personally liable for any breaches caused by failing to have
appropriate security controls in place. I bet once a few of these executives
were bankrupted for failing to implement adequate security controls, things
would change pretty quick.

These executives get paid a large sum of money, and then skirt all
responsibility when these things happen. They get fired and move onto the next
gig like nothing ever happened. There is no accountability for these failings.

In Ancient Rome the builder/designer of an arch was required to stand under it
as the wooden scaffolding was removed (the most dangerous time).

It is high time we re-introduced accountability into our governance systems.

------
jacquesm
Why make an exception for retailers? Let's not give _any_ institution a free
pass on Data Breaches, including governments, the Equifaxes of this world and
so on.

------
drchiu
Data breaches are definitely not ideal. If there were legislation where
penalties, enforcement, and audits added a large cost to the underlying goods
I purchase, however, I'm not sure I would like that either. There's an
inherent risk in online businesses, no matter what policies are in place. I
would say that whatever progress is made shouldn't impede new businesses from
coming in and challenging incumbents, or make the overall cost a barrier for less
affluent users.

~~~
lilott8
I would envision this system to be something such as:

We have a set of standards that define what negligence looks like for data
breaches, security, etc. If a company is found to not adhere to these
standards they would be found negligent and assessed some financial penalty.

If a company is found to be adhering to the standards, and is hit by a 0-day,
the financial penalty would be negligible or 0.

~~~
libdjml
This is a huge unsolved problem in journalism: reporting whether a company was
wildly negligent and deserved to be punished, or did the right things and
fell victim to "no org can be bulletproof".

Some standards like PCI attempt to do this, but to date they have no real
teeth. GDPR may be the change we need.

I have deep concern that C-levels will learn that breaches don’t matter, just
have a CISO you can behead and replace when it does.

~~~
lilott8
There are certain things that are, collectively, patently negligent: storing
passwords in plain text, not salting passwords, not using, at a minimum,
software firewalls, etc. Those are fairly boolean. It's also fair to assume
that any company that is hit with a 0-day is not negligent; even the best
prepared companies are susceptible to them. So there are some decent guidelines
to rely upon to demonstrate negligence or not at the extremes. Of course, in
the middle it does, admittedly, get a bit gray. But the teeth that come into play
would look exactly like GDPR.

Yes, I agree completely, that C-levels will see that the CISO is a replaceable
widget that is nothing more than a scapegoat.

------
abalone
One of the huuuugely under-appreciated benefits of Apple Pay is that _it is
immune to these retailer hacks._

It never transmits your card number or name to the retailer. Instead it uses a
token (substitute number) that is tied to iPhone-based authentication. Even if
stolen, it's useless.

So I don't think we should give retailers a pass, but the bigger issue here is
the whole PCI compliance architecture was a security nightmare to begin with.
We should usher in modern methods like Apple and Samsung Pay ASAP that remove
that retailer vulnerability altogether.

~~~
delecti
As far as I understand it, Samsung Pay essentially replicates swiping your
standard magnetic strip card. I don't see that as being in the same camp as
Apple Pay for protecting your information.

~~~
abalone
No, they tokenize.[1]

[1] [https://www.samsung.com/us/support/answer/ANS00043932/](https://www.samsung.com/us/support/answer/ANS00043932/)

------
otakucode
If one single judge would not give them a free pass, I think we would see a
sea change in how computer security is handled across the industry. Put one
CEO in prison for criminal negligence after a breach when it is found that
they hired cheap, inexperienced, tiny staffs, overloaded them with work, and
then ignored absolutely every warning they gave about insecure practices.
Every company does this. It's how IT works in the modern world. Hire
"engineers" as inexperienced and cheap as possible, give an MBA all the actual
say in scheduling and release dates, and constantly complain that the
technology that makes their business possible is too expensive.

It's amazing the effect a CEO locked in a cage for a few years like an animal
has on the population of CEOs as a whole. Treat digital infrastructure like we
treat real infrastructure. If people built bridges the way we build software
infrastructure, rafts of executives would be rotting in prison.

~~~
zdragnar
Honest question here: why is it that rage is always directed at the CEO? I
mean, there's usually a CTO and / or a COO, plus a director and some other
levels of management who actually make the decisions that lead to these
scenarios.

~~~
stijnstijn
I'm not sure whether I really agree with the singular focus on the CEO or C*O,
but often one of the reasons that is given for their large paychecks is that
they carry a lot of responsibilities. Following that, it would seem prudent to
actually hold them responsible when something goes wrong, especially something
with as much impact as a large-scale data breach.

~~~
zdragnar
Why would we hold them responsible for something going wrong if what went
wrong wasn't their responsibility?

I've known a few CEOs (not personally) and not one of them was in charge of
anyone who had these types of responsibilities, directly or indirectly.

Plenty of C-level and director types have large paychecks. To randomly place
blame because of that would only make matters worse. Those responsible would
have a convenient scapegoat, and CEOs would just demand higher salaries as
compensation for taking on risks outside of their control.

Honestly, the whole "get the CEO" movement has always smacked of intellectual
dishonesty to me, as though catharsis were in any way a decent value to base
public policy on.

------
notatoad
It's not the price this article is asking for, but if you think that those
companies who have had big public credit card data breaches recently haven't
seen their credit card processing fees shoot up, you're crazy. That's not the
sort of thing that the payment industry lets slide.

~~~
dsacco
Interesting, do you have more information to read about this?

~~~
ioman
In higher ed, at least, the cost of having the credit card number of one of
your students stolen from you is $245 each.

[https://www.educationdive.com/news/cost-of-education-data-br...](https://www.educationdive.com/news/cost-of-education-data-breaches-averages-245-per-record/447376/)

------
pasbesoin
I've very mixed feelings about Amazon, but one reason they continue to get my
business is that they appear to keep payment information secure.

This is going to be the long term "no free pass" effect of such neglect. Or,
if we actually have a "marketplace" with consumer choice, it will be. People
will avoid the threat and hassle, and shop elsewhere.

Only so far, the larger retailers -- and their incompetent management -- seem
to be getting away with their neglect.

P.S. I'm not arguing against better regulation and effective penalties.
Rather, I guess, while pointing out the "risk" of poorly serving the market,
I'm saying that it doesn't really seem to be working, so far.

------
dickbasedregex
Brutal fines needed.

If you can't keep data secure you don't need to be in business.

~~~
drspacemonkey
If I were a gambling man, I'd bet that would just lead to "data warehouse"
subsidiaries that would hold the liability. In case of a leak, they'd "go
broke", and another would be spun up in its place. Same thing is happening
with temp agencies to shield employers from workplace injury liability.

[http://projects.thestar.com/temp-employment-agencies/](http://projects.thestar.com/temp-employment-agencies/)

I completely agree with you. Shit security should cost money. I just think it
has to be something like data leak liability insurance. The costs of having
shitty security would be reflected in higher insurance premiums. That way,
financial math would be firmly on the side of keeping data secure, instead of
limiting exposure via corporate shell games.

~~~
eberkund
There must be a way to carefully craft the law to prevent those sorts of
workarounds, no? For example, the business who is making the transaction with
the person whose data is leaked is liable. So the consumers in the case of a
retailer, or the businesses who use Equifax for background checks in that
scenario.

~~~
athenot
That's how it works with HIPAA. Patients interact with Covered Entities, and
they can contract out to a third-party and sign a BAA. The third-party is then
on the hook because if they fail at protecting data, the Covered Entity gets
the sanction.

------
closeparen
Data security _should not_ be a concern for retailers. This is only an issue
because the architecture of the credit card payment network is fundamentally
incorrect. If consumers could push payments to merchants, sign transactions
using captive private keys, etc. then merchants would have nothing of value to
leak. Creating ever more responsibility to protect our insane shared-secret-
number scheme is deck chairs on the Titanic.
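The push-payment idea in this comment (and the "even if stolen, it's useless" property of the tokenized wallets discussed above) sketched as runnable code. This is an added illustration, not code from the thread or from any real payment network; the `Authorization` record, `Authorize` and `Verify` are hypothetical, and the signed message binds merchant, amount and a one-time nonce so a merchant's stored copy cannot be re-pointed, re-priced or replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Authorization is the only record a merchant keeps: the payer's public key,
// what was approved (merchant, amount, nonce) and the payer's signature over it.
// None of these fields lets anyone initiate a new charge.
type Authorization struct {
	Payer     ed25519.PublicKey
	Merchant  string
	Cents     uint64
	Nonce     [16]byte
	Signature []byte
}

// message serialises the committed fields; the merchant id is length-prefixed
// so that different (merchant, amount) pairs can never encode to the same bytes.
func message(merchant string, cents uint64, nonce [16]byte) []byte {
	var hdr [16]byte
	binary.BigEndian.PutUint64(hdr[:8], uint64(len(merchant)))
	binary.BigEndian.PutUint64(hdr[8:], cents)
	msg := append(hdr[:], merchant...)
	return append(msg, nonce[:]...)
}

// Authorize runs on the consumer's device; the private key never leaves it.
func Authorize(priv ed25519.PrivateKey, merchant string, cents uint64) Authorization {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	a := Authorization{Payer: priv.Public().(ed25519.PublicKey), Merchant: merchant, Cents: cents, Nonce: nonce}
	a.Signature = ed25519.Sign(priv, message(merchant, cents, nonce))
	return a
}

// Verify is the network-side check before money moves. seen records settled
// nonces so that a leaked authorization cannot be presented a second time.
func Verify(a Authorization, seen map[[16]byte]bool) bool {
	if seen[a.Nonce] || !ed25519.Verify(a.Payer, message(a.Merchant, a.Cents, a.Nonce), a.Signature) {
		return false
	}
	seen[a.Nonce] = true
	return true
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	seen := map[[16]byte]bool{}
	a := Authorize(priv, "shop-A", 1999)
	fmt.Println("original accepted:", Verify(a, seen)) // true
	fmt.Println("replay accepted:", Verify(a, seen))   // false: nonce already settled
	leaked := a
	leaked.Merchant = "shop-B" // a copy taken from shop-A's records, re-pointed elsewhere
	fmt.Println("re-pointed copy accepted:", Verify(leaked, map[[16]byte]bool{})) // false
}
```

Contrast this with the shared-secret card number: the merchant's stored record here is public-key material plus a signature that is only valid for one merchant, one amount and one use.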

~~~
mindslight
Bingo. Let's stop giving retailers a free pass on _collecting_ our data. They
can leak their own statistics all day long and only undermine their own
competitiveness.

All this talk of "breaches" is a disingenuous framing to deflect from the root
of the problem, similar to that continually-pushed nonsense of "identity
theft". As if all the surveillance in the world is completely acceptable, just
as long as some vague weird _other_ doesn't gain access to that same
capability!

Equifax shouldn't be put out of business for having leaked their trove, but
for having collected all that surveillance data in the first place.

------
jrnichols
Who's giving them a free pass to begin with? I'm still upset about Equifax and
OPM/etc, but there's _nothing_ that I can do about it. I don't really have a
choice but to participate in the credit bureau game. :/

------
tytytytytytytyt
And governments and utility companies, too, please.

