Last time we discussed how the internet has become increasingly dangerous. So how well is the IT industry doing to protect against these threats? Not very well I’m afraid. And to discuss this, I need to share a bit more bad news before we get to solutions. Please hang with me here. I swear it’ll get better but we need to know what we’re dealing with first.
So we have many examples of organized crime seeking economic gain, companies seeking economic damage, and nation-states seeking privacy, economic, and military intelligence or attacks on critical infrastructure. More recently we’ve seen interference in American news and elections.
Each of these is very damaging, each for their own reasons. The Target breach caused not only millions in financial losses for Target, but also motivated every credit or debit card in the US to be upgraded to chip technology. This change was a long time coming and I’m personally happy to see it, but this was a substantial disruption to anybody that processes credit cards.
The OPM breach disclosed personal information on almost everybody who is or has worked for the US Federal Government, including people with classified clearances. My understanding is that there is no recovery from this breach. It’s possible to leverage this information for numerous purposes that hurt the US and the impact to the intelligence community is devastating.
The impact to Deloitte appears to be unknown, at least publicly, but I see consultancies as a rich targets for gaining intelligence on their clients. This shows bad guys have multiple ways to attack organizations. It’s necessary for companies to trust consultants with their information much as patients trust their doctors, which is why this one hits me hard as a consultant. To be clear, I’ve never worked for or with Deloitte but I feel we all hold this responsibility as a consulting community. Sadly, but very commonly, the hack went on for months.
Frankly, each of these hacks are indescribably bad in different ways. But if I had to pick, Equifax is worst of all since the breach disclosed the most critical identity information for US residents: name, birthdate, and Social Security Number (SSN). This is all the data a person needs to steal a person’s identity, which has ruined many people’s lives. It leaves people vulnerable to many problems including falsified tax filing, medical fraud, and ruined credit for children before they’ve grown up. It’s so bad the government is talking about removing SSNs from these identity transactions. Similar to the Target breach motivating issuance of chip-based credit cards, I think this is long overdue. But it’s going to be very expensive, not only to replace SSNs themselves, but also to protect against the fraud that’s likely to come. How sad that we had to be hurt to start paying attention.
This is a litany of high profile breaches and there are many more. Each of these highlight how dependent the global economy has become on information technology and how brittle the protection is.