> Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public
Certainly, calling out poor security practices is a good thing; however, this level of scrutiny is going to require a major shift in mentality for a large portion of the industry. "Move fast and break things" just isn't going to cut it anymore.
When 339 million guest records are involved, anything less shouldn't cut it anymore.
That motivational quote should never have made it out into corporate communication. It was embraced by everyone[1] because it seemed edgy and hey that company is successful in spite of itself.
That should never have been embraced by anyone, especially outside specific contexts.
[1]Just about everyone embraced it because it was a kind of punk attitude in the face of stodgy enterprise development schedules. Everyone wanted to seem cool, so they went whole hog.
>that company is successful in spite of itself
That's a pretty strong opinion. Some would argue that FB is successful because of stuff like that.
A bit of a sidenote, but after all, I remember how badly Zuck was clowned everywhere (including by FB shareholders and people here on HN) immediately after the purchase of Instagram and WhatsApp. People were saying that FB is dying and Zuck is trying to buy companies that are hyped but irrelevant to the core business out of desperation. These days, it is a pretty universal sentiment that those acquisitions were some of the smartest purchase decisions he could have made at the time.
I think it's 10,000% more likely to be due to so much post-2008 ZIRP money floating around, so why give a shit about quality or consequences? As long as advertising and copyright industries are able to establish themselves as the fundamental arbiters of all content, anything else that happens to us or the companies are broken eggs for the proverbial omelet.
The people embracing MFaBT exhibit nothing resembling "punk attitude."
Good.
Yes, the cutting edge can cut both ways. But alas, it is kinda needed in IT security. So easy for a security update to come out, yet the process in some companies rightly dictates that it is tested so that the update does not break anything else. So you get a delay. So even then, that small window could see that security issue exploited, and the powers that be will see you didn't apply the update instantly and you're lambasted, even for following best practices and going by the book of testing. After all, any update could have an impact upon the applications and infrastructure in ways above and beyond the issue the update is addressing. We have all encountered such issues as well.
So the phrase "move fast and break things" has a younger brother now "move slow and be broken".
It would be nice if the powers that be (governments) proactively audited companies' IT security instead of being event driven, after the horse has always bolted. I would love to see companies fined for security issues before such security issues are exploited and abused. After all, the customer always pays. Until that happens, the same mentalities in how security is treated as a priority will carry on playing out. But the other old IT saying of "if it works, don't touch it", whilst true, equally is the source of so many security issues that it just can not carry on being leaned upon.
This motivation is asinine. Record leaks don't do anything to harm the original records and it's not like Marriott's secret sauce is a list of customer records. Companies don't protect assets from things that don't cause the assets harm.
Personal data does not have value to the company in that regard. It's a liability more than an asset.
Move fast and break things used to be the way that bridges were designed (i.e., build it, test it, see if it breaks, improve it if it does). I don't think anyone would tolerate that as a way to conduct other fields of engineering anymore.
That's the point. "A major shift in mentality for a large portion of the industry" is basically GDPR's success criteria.
> It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016
Those who said EU regulations had no teeth last year might need to readjust their expectations. This follows on from BA's large fine a few days ago.
I see this violated so often with full-screen popups requiring you disable adblock or exit private mode. The EU really needs to fine these companies into oblivion, I should not have to create an account just to look and see if they have a disabled tracking toggle (and they usually don't, so the only way to prevent tracking is private mode/adblock).
That's not true in the slightest. One bank (ING) in The Netherlands implemented an opt-out for analyzing customers' data. Quite a bit of outrage. PR spokesperson said: "all is fine, this is all good, we follow the GDPR".
Local privacy authority sent a general letter informing that such behaviour is very likely not according to the GDPR. ING quickly backtracked. Other banks said they'd obviously comply with GDPR.
No fine was given; it was not needed. I don't particularly care if companies are fined. I do care that they take my privacy into account. The latter is what (slowly) is happening.
Sounds like teeth to me.
(1) https://www.gdprtoday.org/gdpr-in-numbers-4/ (2) https://www.reuters.com/article/us-google-privacy-france/fra... (3) https://blogs.dlapiper.com/privacymatters/
The user consent parts of GDPR are, IMO, not good. Any wins though are better than nothing.
Indeed, this seems to be really lacking as far as I've seen.
Compliance with article 7 section 4 in particular (provision of service must not be conditional on consent for processing of personal data not necessary for provision of that service) is blatantly ignored by many actors, with a message of "accept our tracking or we won't let you see our content". Others pretend to be in compliance by having an opt-out which never completes, or other dark patterns.
So far, fines have been pretty reasonable and for clear offenses.
EDIT: source: https://www.statista.com/statistics/266279/revenue-of-the-ma...
The board should be planning some proper security. A £50m capital budget and £5m a year revenue should be good enough.
If this is under the 2% then it's 25% of the max for that tier.
In either case explaining 99 million quid to the board isn't a conversation you'd want to have.
What's your source for that? Marriott International only reported $5.2B in 2018[1].
The solution is to have security controls that cross cut entire enterprises and give operators a place to control them, however what we have today is just a jumble of different solutions that consist more of blocking access rather than allowing the business to run securely.
Still, we see databases with no password made accessible on the internet. Maybe it is time that you don't employ someone who has no training at all, or offer a training program: say, if your developer needs to use TodaysCoolDb, then have him trained on how to use it instead of copy-pasting the hello world from a webpage.
The amount of money you invest in your data security should be proportional to the data you collect, so collecting less will help you, or invest more into security training and auditing your own systems.
And? Many things are tricky for many companies, doesn't mean you don't do them.
> Security is tricky for many companies ... The solution is to have security controls that cross cut entire enterprises and give operators a place to control them
This is definitely an area worth tackling, and one where multiple companies are recently growing. That's not the only issue though.
Security has many levels and the landscape is historically filled with opaque practices and prices. That does not entice people to go forward with security audits or solutions.
We've seen improvements on tooling with SAST but active security is largely pattern-based WAF or at the network level. This has poor signal/noise ratio and can't protect against more advanced attacks that target above the network layer (including HTTP).
Recent developments target more knowledge of the application and the business logic itself. Facebook itself, for example, has internal tools to detect data leaks. Being inside the application is much more useful because they don't just see data flying by but have knowledge of context and call sites, which allows registering malicious calls on the spot, protecting just in time (even against zero days, because you hinge on behaviour), and showing the exact line of code (including the call stack) where the vulnerability lies, allowing to surface and fix it, or even virtually patch the vulnerability live.
> however what we have today is just a jumble of different solutions that consist more of blocking access rather than allowing the business to run securely.
The goal of ASMs is precisely to solve that: those tools are kind of APMs like New Relic or Datadog, only geared towards security. Big names like Facebook or Google have their own internal tools, but a couple of independent solutions have emerged already, and I think that having those companies around is going to be a shift that will benefit everyone's security in the long run, due to their accessibility and ease of use compared to previously existing solutions.
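The in-application monitoring described in the two comments above (knowing the call site and call stack, blocking on behaviour rather than on network-level patterns, and virtually patching before the call reaches the database) can be sketched in a few dozen lines. The following is an added example, not code from any of the products or companies mentioned in the thread. It is a hypothetical in-process hook around `sqlite3`: the application registers the statement shapes it legitimately issues (every literal normalised to `?`), and any statement whose shape was never registered is blocked and recorded together with the Python frame that issued it. A network WAF only sees the final SQL text; this hook also knows *which line of application code* produced it. The table, rows, and the `lookup_safe`/`lookup_unsafe` functions are constructed for the demo.

```python
import re
import sqlite3
import traceback
from dataclasses import dataclass, field

# Lexical normalisation: every string or numeric literal becomes "?", so a
# statement's "shape" reflects what the developer wrote, not the data in it.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")


def normalize(sql: str) -> str:
    """Reduce a SQL statement to its shape: literals -> ?, whitespace folded."""
    return _WS.sub(" ", _LITERAL.sub("?", sql)).strip().lower()


@dataclass
class SecurityEvent:
    """One blocked call, with the context a network-level WAF cannot see."""
    query: str
    shape: str
    callsite: str                       # "file:line in function"
    stack: list[str] = field(default_factory=list)


class AppMonitor:
    """Hypothetical in-process monitor (example code, not a real product).

    The application registers the statements it legitimately issues; a query
    whose shape was never registered is behaviour the app never exhibited, so
    it is blocked before reaching the database (a 'virtual patch') and logged
    with the issuing frame and full call stack."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.known: set[str] = set()
        self.events: list[SecurityEvent] = []

    def register(self, *statements: str) -> None:
        self.known.update(normalize(s) for s in statements)

    def execute(self, sql: str, params: tuple = ()) -> list[tuple]:
        shape = normalize(sql)
        if shape not in self.known:
            frames = traceback.extract_stack()[:-1]   # drop this hook's frame
            caller = frames[-1]                       # the application code
            event = SecurityEvent(
                query=sql,
                shape=shape,
                callsite=f"{caller.filename}:{caller.lineno} in {caller.name}",
                stack=[f"{f.filename}:{f.lineno} {f.name}" for f in frames],
            )
            self.events.append(event)
            raise PermissionError(f"blocked off-shape query at {event.callsite}")
        return self.conn.execute(sql, params).fetchall()


def build_demo() -> AppMonitor:
    """Constructed demo data: an in-memory guest table and one registered query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guests (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO guests VALUES (?, ?)",
                     [("alice", "4111-1"), ("bob", "4222-2")])
    mon = AppMonitor(conn)
    mon.register("SELECT name, card FROM guests WHERE name = ?")
    return mon


def lookup_safe(mon: AppMonitor, name: str) -> list[tuple]:
    # Parametrised: the statement shape is constant whatever `name` contains.
    return mon.execute("SELECT name, card FROM guests WHERE name = ?", (name,))


def lookup_unsafe(mon: AppMonitor, name: str) -> list[tuple]:
    # String concatenation: benign input still matches the registered shape,
    # but injected quotes change the shape and the monitor blocks the call.
    return mon.execute(f"SELECT name, card FROM guests WHERE name = '{name}'")


if __name__ == "__main__":
    mon = build_demo()
    print(lookup_safe(mon, "' OR '1'='1"))      # [] -- treated as data
    print(lookup_unsafe(mon, "alice"))         # benign input passes
    try:
        lookup_unsafe(mon, "' OR '1'='1")
    except PermissionError as exc:
        print(exc)                             # blocked, with the call site
    for ev in mon.events:
        print(ev.shape, "\n  ".join([""] + ev.stack))
```

The design choice worth noting is that nothing here pattern-matches attacker strings: the monitor never sees `OR '1'='1` as such, it only sees that the normalised statement `... where name = ? or ?=?` is not one the application ever declared. That is what lets the same hook catch an injection the signature list has never heard of, and the recorded `callsite` points straight at `lookup_unsafe`, the concatenation that needs fixing.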
Yes, Marriott failed to conduct proper due diligence. Yes, they should have been able to detect the breach earlier and block the attackers' access. And yes, the attackers managed to stay in their system for a very, very long time.
But this breach was conducted by a nation state adversary. An attacker with unlimited resources and the best technical knowledge on the planet. If inability to protect yourself from such a threat becomes an offense, I am not sure the net effect is positive.
It's not the inability to protect yourself that's the offence, it's not doing the right thing in the event of a breach that's the offence.
It's _annoyingly_ common for those who are subject to fairly ordinary attacks to blame a powerful adversary based on very thin evidence, because "The state of Russia attacked my business" sounds like you couldn't be expected to resist whereas "A bored 14 year old attacked my business" sounds like you're useless.
The attackers were inside the system for several years. Marriott is a high-end hotel chain, whose establishments are used by state level travelers. Having ongoing access to politicians' and high-ranking corporate executives' itineraries, and especially their hotel room bookings, is an incredible avenue for espionage.
A financially motivated attacker would have tried to exfiltrate otherwise valuable data. But if the main target is the travel information data itself, and if the scope does not particularly expand over time, I am going to call it advanced espionage.
You can't, for instance, call yourself a structural engineer unless you are registered with the regulatory authority as such. Nor can you offer engineering services to the public without registration. And you are bound by a code of ethics, subject to a formal complaint process, undergo somewhat regular practice reviews, and can face disciplinary actions when you fail to comply.
Right now, it seems like software engineering is the wild west, complete with tales of fortune to be had attracting code-slingin' cowboys without regard for the public's safety. I predict the lawman is coming for you.
Especially given the origin cultures of regulators think that just banning Cryptography is a remotely reasonable idea instead of barking mad.
Standards may make some sense but they should be deliberately open ended like "encrypt customer data sufficiently or don't gather it" not "use single DES to encrypt - if you use large key RSA you will be in deep shit in spite of it being better".
At least, it puts a ceiling on the price a hacker can extort.
>If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO;
https://ico.org.uk/for-organisations/report-a-breach/
> The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
https://ico.org.uk/for-organisations/guide-to-data-protectio...
The lack of discovery/disclosure also covered an acquisition, companies not disclosing breaches during acquisitions is something I bet the SEC would be interested in.
Not saying that we should adopt such a system, potentially terrible idea but it amusingly is better than other "do something" legislation in that it would actually help the target problem even if there are clear downsides.
And, regardless, if a company violates the GDPR then quickly sells itself, should the relevant data protection commission just drop it? After all, they sold the company!
I could see someone like Elizabeth Warren or Ron Wyden getting behind it, but not really the rest of the pack (it's not a popular enough issue when you weigh it against things like student loan forgiveness, or universal healthcare).
I do wish it would become law here. It would make my professional life a bit harder (mostly on the security front, we already steadfastly refuse to "monetize the data" or even give it to any third party, to the point we've rejected those questions from investors) but it's definitely the right thing to do since the benefit for consumers is much more important.
But when you fine a company the customers end up paying, same customers who ended up being the victims of whatever reason the fine was needed in the first place. Sadly I don't see a way of fixing that enpass.
I think the applications of fines of this sort will further empower those who extort and blackmail.