Nobody likes to be embarrassed. That goes for company executives. This fact of human nature helps explain why the breach-disclosure laws that have been adopted by many states can be leveraged by data thieves for even more profit than they could realize before.
Companies have always been reluctant to admit to data breaches. A lot of that reluctance can be attributed to simple embarrassment: We’ve been telling our customers that our security would keep their sensitive data safe, even when we knew that no security system is perfect.
This is true even for companies that you wouldn’t think were capable of being embarrassed. After all, companies whose business has been facilitating extramarital affairs and offering porn on demand have been breached. They undoubtedly would have welcomed the resulting publicity, except that the circumstances made it clear to their customers that their names were in danger of being made public.
That reluctance to go public has led many jurisdictions to require companies to report data breaches. One problem with such laws is that they do not overcome the embarrassment that goes with public acknowledgment of a security failing. And so companies split hairs and come up with ways to rationalize not reporting breaches.
That, in turn, is giving the bad guys a new opening.
When a company’s executives decide to hide a breach, their action can morph from unsavory to illegal. Worse, that decision leaves them vulnerable to the very attackers behind the breach, who know that the company has not done what the law requires and can now threaten it with disclosure.
This is a two-stage threat. An attacker breaking into your network and then bragging about it is embarrassing. But if the attacker breaks in and waits to see whether you report it, and you run out the clock and opt not to report it, the attacker’s disclosure could expose you and your colleagues to civil penalties. In short, it makes a bad situation far worse.
Who in the world would take such a risk? Quite a few people. When your job is to prevent break-ins and one happens anyway, it’s pretty easy to rationalize a cover-up.
The risks that such decisions give rise to were made dramatically clear on Thursday (March 31), when Reuters noted a new global crime trend: cyberthieves partnering with traditional organized crime syndicates to attack banks across the world. If the banks are hesitant to reveal that they were successfully attacked, law enforcement is never informed, and it’s a win-win-win for the bad guys: They get to keep the money and sell the data, and they don’t have to worry about evading law enforcement. And if they’re especially greedy, they can also extort more money from the bank in exchange for a promise to keep quiet. Put another way, the bank can get victimized in four ways via one breach. Even worse, unlike the typical cyberthief, these gangsters don’t mind getting physical in their threats. Cyberthieves are bad, but they rarely get into the kneecap-smashing end of things. With this arrangement, they now have partners who will.