Why Cybersecurity Feels Like Bullshit

2.9 billion people. That’s the estimate for how many were affected by the recent NPD data breach.

After reading this Time article about the hack, I had more questions than answers. Which is par for the course when you’re talking about media coverage of anything regarding politics, health care, science, or data breaches.

After the gazillionth data breach in a few short years, with the same experts and agencies always weighing in, I wanted to write a little something about where things stand from a layperson’s point of view. Translation: most of us living in the actual world.

How cybersecurity firms and credit agencies profit from breaches

Cybersecurity firms profit anytime there’s a breach by providing their expertise to the media. It’s free advertising, but it does nothing for the average person.

Cybersecurity firms are hired by companies to do damage control, or by companies who haven’t yet been breached to prevent it from happening. Every time there’s a breach, the media trots out a cybersecurity expert to tell us “what it all means.” Aside from some free advertising for their agency, they never really tell us anything we don’t already know. Use multi-factor authentication. Don’t click on “suspicious links” that may not really be from your bank. Meanwhile, our banks continue sending us emails with a big blue button so we can conveniently log in and see our statement. Hmm. Maybe the banks can start doing better, instead of leaving it for us to decipher the good links from the phishing ones.

To cybersecurity experts and media wonks, it’s all perfectly reasonable. To the rest of us, it all feels like bullshit.

Credit agencies profit by selling us “identity theft protection,” which really does nothing for the average person.

After the recent Ticketmaster hack, I learned that I was affected. They sent me a letter to tell me that my data was compromised, and assured me that everything was just fine. They told me that I probably have nothing to worry about, but they suggested I sign up for Trans Union’s credit monitoring/identity theft protection service. It would be free for a year with a code included in the letter. Except the code didn’t work. But I was offered the opportunity to pay for the service.

Also, as long as we’re talking about cybersecurity, I need to mention that the service linked to in the handy QR code took me to something called “TrueIdentity.” Which sounded a bit scammy to me. And wait — I thought this was a Trans Union service? And before you can even get started with anything, you first have to enter all your information. You know, identity information like name, address, email, phone, and last four of your social security number. I’m sure it’s perfectly safe.

It turns out that the service really is provided by Trans Union, they just call it something else and use a different website. I have to wonder, with all the phishing scams out there, wouldn’t an agency who claims to protect your identity want to go out of their way to make sure it looks legit? Leaving no question as to who is asking for your data?

Yet here’s another opportunity to upload your private info to a mysterious online database that in all likelihood will be hacked sooner or later.

There’s nothing we can do to prevent our data from being stolen

Our data is going to be hacked. Period. No matter how many multi-factor authentication systems we put in place and how vigilant we are about phishing scams, our data is still not under our control. When someone else holds our data, there is nothing we can do to make sure their servers are locked down, their employees are trusted, and their systems are up to date. It is out of our hands.

In February of 2023, the Los Angeles Unified School District was hacked, affecting about 2,000 people. Social Security numbers, Driver’s License numbers, student IDs and emails were among the types of data stolen. They suspect that hackers gained access when an employee fell victim to a phishing scam.

There is nothing we can do to protect our own data when it’s held by a third party. Not because of how bad computers are, but because of humans. No matter how hard we try to educate people about online scams, someone at some point is going to click a link in their email that opens them up to hackers. And when you work in a large organization like the LAUSD, it’s not just your data — it’s potentially everyone else’s, too.

Speaking of humans, I’ve experienced the same scary scenario multiple times. It goes like this. I’m sitting in a public space: a library, an airport, or a mall food court. There is an elderly gentleman speaking loudly into his mobile phone on speaker. He’s trying to get access to an online account and the tech is helping him. In the process, he shouts his name, address, social security number, the name of the website he’s on, his secret security answers, and in one instance an entire bank account number. If I were evil, I would have written down everything while I listened. But I am not evil, so in two instances, I gently alerted them to the fact that everyone could hear their conversation. One of them said, “Wha? Oh? Okay.” and sallied forth with their loud call.

Humans. We are a big part of the problem. But ultimately it’s the responsibility of the companies holding our data to secure it. And when they reassure us that they’re doing everything they can to address security, it feels like bullshit.

Is it all bullshit?

For many of us, reading articles in the news about the latest data breach is kind of like reading about the astronauts being stranded at the space station. “Ok, interesting… so now what?” Just as we can’t rescue the astronauts ourselves, we have no power to control how our data is stored by companies and government agencies. So telling us about a breach is just another way to get us worried about something we have no control over.

No matter how many experts weigh in on the matter, we’re ultimately not sailing under our own power. It just feels like bullshit.

I don’t mean to hack on (pardon the pun) cybersecurity professionals. They do provide a valuable service to companies and individuals, helping us understand how to better secure our own data. As a SysAdmin myself, I realize that sometimes the advice I give people about securing their data and accounts can sound like a bunch of crazy, magical bullshit.

Most of us can follow simple advice about not giving out our credit card to an unknown caller. If we get a text from our bank reporting suspicious activity, I believe the majority of people will not click the link and instead check their account safely. We can use encrypted email services and cloud drives. Very few of us conduct private account business in the middle of a crowded airport. Many of us use random password generators. Once we’ve done all the obvious things we can to protect ourselves, that’s it. There’s nothing else.

The rest is bullshit.

Photo by Markus Spiske on Unsplash

FIN
