SEC Charges Four Companies with Misleading Cyber Disclosures (sec.gov)
hn_throwaway_99 3 hours ago [-]
It's amusing to me how the economic and cultural incentives at so many companies are to lie as much as possible when it comes to breach disclosures while pretending that you're still technically telling the truth.

I think that in all of these cases it would have been no worse for the companies in question if they just sent out a dry, "just the facts, ma'am" report of what actually happened, without any of the BS "the security of our customer data is our primary priority!" statements to begin with that always accompany these kinds of breach disclosures. E.g. something like:

On <date>, due to a vulnerability in the third party vendor SolarWinds which provides network security services for us, we detected the following breaches of customer data:

1. xxx

2. yyy

The steps we are currently taking, and what you should do: zzz.

----

Perhaps one good thing that can come out of this is that some sort of "standard" format for breach disclosures comes about (think the "Nutrition Facts" labels on food boxes in the US). All I do when I see companies trying to minimize breach disclosures is assume they're bullshitting anyway.

kmeisthax 37 minutes ago [-]
If companies were mere profit-seeking entities, these breach notices would be minimally disruptive to the business. Most people do not immediately jump ship just because a breach happened.

But most companies are not just that. They're barely-legal Ponzi schemes. The board and their appointed CxOs are selected specifically on the basis of how much they can get the stock price up. This results in companies making lots of terribly short-sighted decisions.

In the specific case of breach disclosures, any bad news about a company tends to create uncertainty, which makes short-term investors and speculators close their positions, which drops the price. This drop tends to be short-term, but it imperils the liquidity of the investment, and liquid investments tend to be more valuable, so...

MattSteelblade 2 hours ago [-]
> Unisys will pay a $4 million civil penalty;

> Avaya will pay a $1 million civil penalty;

> Check Point will pay a $995,000 civil penalty; and

> Mimecast will pay a $990,000 civil penalty.

With the exception of Mimecast, these are companies that are bringing in billions of dollars in revenue annually. How is this supposed to deter them?

Hilift 25 minutes ago [-]
The fines are symbolic. Even if you look at the fine for the hotel data breach in 2018, that was only $52 million (US) and $23 million (UK), total of $75 million. And the Equifax breach? An executive VP of IT sold $584k of shares right after the breach and before the press release. Nothing happened to him, he said he was unaware of the breach. https://www.npr.org/sections/thetwo-way/2017/09/08/549434187...

The SW supply chain attack is one of the most brilliant cyber attacks in recent history. They hit a train load of gold bars, and had as much as 14 months of dwell time with potentially 18,000 customers. Discovery must have been disappointing for the attackers.

If you follow the most important rule, secrecy, you get plausible deniability and smaller fines.

ensignavenger 2 hours ago [-]
Unisys and Avaya are both reporting losses. This fine makes it even more of a loss. Further, if they don't mend their ways, the SEC will give them an even bigger fine.
0xffff2 2 hours ago [-]
They pay the penalty and they are expected to fix the issue. If they don't, there will be additional enforcement actions.
Mistletoe 2 hours ago [-]
Doing anything at all probably costs more than $1M.
alephnerd 58 minutes ago [-]
Not that much more.

Furthermore, security vendors like Avaya and Unisys could arguably be in breach of contract with customers because it could be argued that they misrepresented their internal security protocols to customers.

teeray 40 minutes ago [-]
The law should be written to require a mandatory percentage of revenue. That will wake them up.
kmeisthax 15 minutes ago [-]
It will not.

The reason why companies get breached is because the systems being breached are all legacy. Company A buys company B who bought company C, which merged with company D. C fires D's old IT department, because it's redundant, so now D's billing system is being managed by C's IT department. C then sells itself to B, who has a much more robust billing system. At this point, it'd make sense to replace the billing system from D, but everyone who knew how it worked got fired in the C/D merger. So it sits around because nobody wants to break that part of the business. Then A buys B and does another round of layoffs, so anyone who even knew about this is gone.

Ten years and hundreds of iterations of this exact cycle later, you get an e-mail from a stranger saying they found all your customer records being sold on a cybercrime forum. Your IT department scrambles to remediate a breach in a system they've never heard of that nobody remembers installing or maintaining. It's just always been there. Corporate amnesia runs deep. People are finding forgotten old servers running unpatched versions of Windows Server 2003 that were so ritualistically overlooked you'd need to be high on Class Z mnestics just to perceive them.

Every enterprise IT department is like this. That's why companies get breached so damned often. There is never enough time in the budget to properly document legacy systems, nor are the decision-makers at the top even aware of the fact that they exist. Their job is to eat things, and they eat voraciously. If you want to stop this from happening, you need to make M&A illegal, not just inflict more pain on the invisible arms the corporate body cannot perceive pain from.

philipov 4 minutes ago [-]
Well, you've convinced me. M&A should be illegal.
alephnerd 1 hours ago [-]
> How is this supposed to deter them

Unisys and Avaya are both security vendors. This absolutely is a bad look for them, as almost every Security RFP asks about internal controls and how a vendor has remediated against these issues, and this is ammunition for any competitor to ask a prospect to re-evaluate purchases from either due to misrepresenting their security procedures.

Furthermore, Unisys only has an operating profit of around $200M a year, so a $4M fine is fairly brutal (that's an entire security team's operating budget for a company at Unisys' size).

Avaya's is smaller still, so that $1M is fairly brutal for them.

mise_en_place 1 hours ago [-]
Probably not the case here, but the issue is with how some of the NIST standards around cybersecurity are certified. API endpoints are manually tested and then screenshots are provided. It is completely manual, very inefficient, and prone to human error. This is an issue of US national security; we need more skilled hackers in this space.
librasteve 2 hours ago [-]
I feel that it is time to criminalise corporate fraud - ie executives presiding over businesses or state organizations that lie, deliberately obscure or suppress any relevant facts should expect jail time. This ought to be at similar levels of time and standards of “should know” as health and safety law.

Several recent examples would have fallen foul of this … Grenfell tower, Tesla FSD, Boeing 737max, Thames Water, United Utilities and the EA.

Etheryte 1 hours ago [-]
I agree; we already see this in the financial industry: if you don't do your part to prevent money laundering, you can be facing real jail time. It's long overdue that similar liability came to other industries, and the examples you brought up show it's clearly necessary. The free market and its financial incentives alone are not cutting it.