Troy Hunt, creator of HaveIBeenPwned and Varonis partner, testified before the US Congress about data breaches and cybersecurity: he gave context and recommendations on the recent spate of massive data breaches, and on what Congress can do to help protect both the privacy and the digital assets of its citizens.
This testimony couldn’t have come at a better time – just as it came to light that a previously undisclosed Uber data breach had leaked 57 million driver and rider accounts. It underscores that today, data breaches are an ever-present threat that even top tech companies struggle to contain.
You can read Troy’s full prepared statement here – https://www.troyhunt.com/heres-what-im-telling-us-congress-about-data-breaches/
The hearing (and Troy’s comments) focused on digital identity verification as a means of lessening the impact of a data breach – here’s a quick rundown of some of the highlights:
Data Breaches
- Are caused by a variety of configuration and malicious factors.
- Have become more of an issue as data storage prices have fallen, encouraging a “data hoarder” mentality.
- Often aren’t even known to have occurred until years after the fact.
- Are aggressively traded by groups wanting to use the credentials for purposes of identity theft, spam, and spear phishing attacks.
Data Breach Vectors
- There’s no agreed upon definition of what exactly constitutes a data breach – and “data breach” itself is a catch-all term for a variety of different types of incidents where an organization has lost control of the data they have been entrusted with.
- The rising ubiquity, low cost and inherent connectivity of cloud-based data storage services have contributed to more data breaches occurring (see our article How to Better Structure AWS S3 Security).
- A single firewall rule or one relatively minor permissions change can inadvertently expose the entirety of an organization’s data to the Internet.
On Data Breach Timing
- Several breaches dominated the news at the same time as the hearing: Uber’s massive cover-up of a previously undisclosed leak, and the image-sharing social network Imgur’s discovery of evidence of a breach that had occurred back in 2014.
- There’s an important distinction between the timing of the data breach itself and the public disclosure of that breach.
- Data breach disclosures often happen years after the fact, due to a mix of not knowing and deliberate choice.
The growing banality of data breaches and their (relatively) low outward cost to organizations is coming to a head with legislation like the upcoming EU General Data Protection Regulation (GDPR).
While there is no domestic general data privacy regulation (as opposed to sector-specific data protections like HIPAA), there is a patchwork of state-by-state data protection laws already in effect.
Much of the focus of this legislation is on financial and identity data: a common clause is that if a certain number of records are released, credit card reporting agencies must be contacted, users notified by various means, etc.
In Europe, the GDPR (solutions.varonis.com/gdpr) goes into effect on May 25th 2018. The regulation covers EU citizen data held globally (affecting US organizations as well) and imposes significant penalties on companies that violate its data protection provisions.
The GDPR is a huge step towards regulating data protection and making it law that organizations should implement a standard of data security. We even made a course with Troy Hunt to walk through everything you need to know about GDPR, the GDPR Attack Plan (use code ‘troy’ to unlock the course) at https://info.varonis.com/gdpr-attack-plan?unlock_code=troy
While the testimony of one lone Australian Infosec practitioner is not going to singlehandedly solve the data breach problems plaguing the world, it represents a solid and serious step towards better understanding the problem and taking action on the part of the US Congress.