Imagine waking up one day to find a strange letter in your mailbox from a popular department store. Inside is a brand-new credit card, and a note which thanks you for signing up. Confused, you don't immediately suspect anything: but the next day, it happens again with a completely different store – and then again, and again. On and on it goes until you are in possession of fifteen different credit cards, none of which you ever signed up for.
One woman didn’t have to imagine: according to Katie Van Fleet of Seattle, this is exactly what happened to her in the aftermath of the Equifax data breach, which exposed the personal data – including social security and credit card numbers – of 143 million Americans, or 40% of the country in 2017.
How did this happen? Basically, the company failed to install a software update that would have patched a well-known vulnerability across its computers, and hackers took advantage. And yet for some reason – two years later – publications are still referring to Equifax as the “victim” of a data breach, and that’s a problem.
As George Orwell illustrated in his novel 1984, the words we use impact the way we think, and the way we think impacts the way we behave. At first blush, calling an organization the “victim of a data breach” may seem innocuous. But it’s no isolated incident: according to a recent Verizon report, “one in three organizations suffered” a data breach in 2019.
“Victim” “suffer”: we regularly talk about data breaches and malware attacks as if the organizations which allow them to happen are the parties we should feel most sorry for. While it goes too far to suggest that any conspiracy is involved in this choice of words, it plays right into a corporation-centered view of cybersecurity which diminishes real victims and hides the real culprits behind veiled references.
To be sure, some attackers target organizations to steal proprietary data like intellectual property or trade secrets. But these constitute a minority of the data breaches that occur, and an even smaller percentage of breaches that are publicly reported. In 69% of data breaches, attackers targeted the personal identity of consumers, which can be sold on the Dark Web or used for fraudulent purposes.
Here’s an experiment you can try at home: look-up the keywords “data breach” and “impact” in your search engine of choice and see what you find. On the first page, we found “financial loss” and “operational disruptions” among other things. But financial loss and operational disruptions for whom?
It’s no stretch to say that these adjectives apply to consumers even more than they apply to corporations. Consider the following:
For executives, the consequences of a breach are real but abstract: for consumers, they are perfectly concrete.
For proof of that, look at the Identity Theft Protection Services market which is projected to grow 17.6% between 2019 and 2024: consumers are literally paying to insure themselves against the incompetence of major corporations, and this is a good time to ask ourselves why they should have to.
The point isn’t to say that organizations don’t suffer in the aftermath of a data breach – they do. But calling them “victims” - saying that they "suffered" from it - obscures the real cause of data breaches, which isn't just hackers: it's the failure of organizations to correctly and proactively monitor digital code and online properties to ensure that they are free from vulnerability and intrusion.
Breaches can be prevented – it’s not rocket science. In fifteen years, we’ve learned a lot about malware, what it targets and how it propagates. We know how to detect anomalous code before it becomes overtly malicious, and how to fight it. If organizations aren’t doing anything, it’s not because they can’t: it’s because they don’t care enough about their customers.
It’s time for corporations to recognize that their negligence has rippling effects on society that go beyond their shareholders and bottom line. It’s time for them to step up.