
SANS ISC: Are we becoming desensitized to data breaches? SANS ISC InfoSec Forums

Are we becoming desensitized to data breaches?

Maybe it's just me, but are all of the mass media reports of data compromises causing us to become desensitized to the dangers of poor security practices, or are they helping? This question has lately become significantly more valid to me personally.

First, the breach of Heartland late last year was instrumental in allowing budget money to be released for security projects. Should I be grateful that Heartland had a potentially larger breach than possibly TJX? Timing is everything when working on a security project, and the release of that breach notification helped mature the InfoSec process for many organizations.

Second, having spent the better part of last year diligently working on writing ISO standard policies and the resulting agonizing process of IT governance development, I have found these breach notifications to be extremely helpful to my cause. As part of the ISO 27001 ISMS (Information Security Management System) policy development, I included a listing of US state breach notification laws. (This also helps with remembering to update the policy quarterly.) Any organization that deals with credit card information from diverse geographic locations is required to understand the breach notification requirements of its customers' locations, including internationally.

Last month, I received a well-worded letter from Wyndham Hotels informing me that my personal information had been compromised by a "very sophisticated hacker". Well, that very carefully chosen wording did get a chuckle from me, but then reality hit me. I am officially a victim of the war we fight every day. I'm not privy to the details of the hack (although I tried), but it did feel entirely different being a victim. As a result, I spent quite a few hours protecting my personal data. Thank goodness they notified me and offered the free credit reporting services before my information was actually stolen. According to the law, they had no choice but to let me know.


Mari Nichols  iMarSolutions

I don't think it's causing "us" to be desensitized. I think that notifications need to be beefed up.

For example, someone close to me recently received a notification letter from their bank that their card was going to be deactivated and replaced by a certain date.

I tried to help get more information (spent an hour on hold before giving up). The basic question that came to mind was:

Was this related to Heartland? If not, which merchant did it involve?

On the flip side (providing security in the context of PCI compliance), it's my belief (and experience in evaluating vendors) that compliance is simply given lip service by many. Some merchants and vendors simply don't understand the difference between compliance and validation ("I'm a level 3 and passed my vulnerability scans so I'm compliant!"). Others intentionally lie about their status.

One simple solution would be to put people on the hook for not providing accurate information regarding their compliance status.

Just a few thoughts.
Anonymous