[Interview] The Long-Term Consequences of Data Breaches, Enterprise Information Security, and More: An Interview with Troy Hunt
Troy Hunt is a prolific web security expert with his hands in many different projects. He’s best known for the website HaveIBeenPwned.com (HIBP), a free data breach service that allows visitors to check if their email address is linked to a breach and sign up for an alert if a future breach compromises their email address. He is also a contributing author to Pluralsight, an online training service for technology and creative professionals, offering a wide range of beginner and intermediate courses on web security. Troy is a Microsoft Regional Director and MVP and offers private workshops for technology professionals.
We interviewed Troy to get his perspective on some recent developments in the cybersecurity world.
SSC – You’ve published a blog post on the recent update of LinkedIn’s 2012 data breach, in which over 100 million user accounts and passwords were released after the initial dataset in 2012. Another blog post on Windows IT Pro looks into the fact that lead times between a company being hacked and data being exposed are sometimes long. Why do you think this is the case, and should we be expecting follow-ups to large data breaches such as Target, Home Depot, or most recently Wendy’s?
TH – It appears as though a couple of data traders have been hoarding breaches for some years and they’re just now going public with them. It’s not clear why the long lead time, but it’s likely there’s been a catalyst which has caused them to begin publicly monetizing the data after years of it remaining a “quiet” breach.
SSC – How do you think companies should be reacting to the fact that they have been breached but consequences may be ongoing over a long period of time?
TH – They need to investigate the legitimacy of a claimed breach (some are fake – the Twitter one did not come from Twitter) and then communicate with impacted members accordingly.
SSC – Why would someone falsely claim a data breach and what do you think could be the negative implications of doing so for the ‘breached’ company?
TH – Various reasons including the fact that there’s a financial upside for those selling the data or simply because it’s kids having a laugh. We see each frequently.
SSC – Relatedly, you own the site HaveIBeenPwned.com (HIBP). Do you think that service has changed the way individuals and companies view data breaches knowing that you’re providing an easy way for individuals to know if their email address has been compromised?
TH – I think it’s brought the issue of data breaches more into the public awareness. It’s made the discovery of individuals’ personal exposure far more accessible and certainly that’s a positive thing for all of us who’ve been impacted by breaches.
SSC – Recently, you had your first self-submission of a data breach, coincidentally as the 100th data breach for HIBP. Do you think more companies will self-submit or admit to having been breached as time passes, or are the consequences too high? What do you think can incentivize companies to own up sooner rather than later?
TH – I don’t think we’ll see many self-submissions. This was a small community site and most corporate entities are in defense mode after a breach. They want to minimize exposure of the issue and certainly don’t want to redistribute their customer data.
SSC – What do you think companies need to keep in mind or balance when it comes to being in defense mode but also in letting their customers know their information might be compromised, even if that risks the breach coming to light publicly?
TH – It’s primarily about being honest, transparent, and keeping the customers’ best interests in mind. Avoiding corporate spin and focusing on facts plus giving the customer actionable info (i.e. telling them what was actually compromised) is important.
SSC – What do you think are common or easy-to-implement processes lacking in enterprise security practices?
TH – More than anything, developer education. These breaches are almost always caused by easily avoidable flaws in the software design.
SSC – How different is that from a smaller company without a large system infrastructure?
TH – It’s the same issue – properly train the people building the systems.
SSC – That seems like a simple solution. Why don’t you think businesses engage in the education needed to mitigate risk?
TH – Because many of them are simply not aware they have security blind-spots to begin with!
SSC – We posted on the Bangladesh Bank Hack a few months ago when it was first reported. Since then, there have been a number of updates – more banks may have been compromised, and SWIFT has taken a number of actions in response. With ransomware and hackers continuing to target financial institutions with more fervent effort, what type of consequences could banks, consumers, or regulatory bodies expect? What mitigating tactics should those organizations employ?
TH – The consequences for a bank are financial loss, and in the SWIFT case, there are one or more fundamental flaws in their implementation that have been enabling adversaries to take advantage of the weaknesses. How they mitigate this will obviously depend on the underlying flaws, but particularly in banking they’re frequently beholden to legacy systems designed in a much simpler time.
SSC – The 2016 Verizon Data Breach had a really interesting data point noting that vulnerabilities are being exploited faster and faster. If companies don’t increase the speed at which they patch vulnerabilities, what do you think is in store for cybersecurity in the next few years?
TH – I think the answer is pretty obvious! If you’re unable to stay ahead – or even keep pace with – adversaries, it’s not a very bright outlook.
SSC – What do you think is preventing companies from keeping up?
TH – A lack of willingness to invest in security, often due to a myopic focus on shipping features without looking at the long-term, bigger picture of technology sustainability.
SSC – In many of your posts, you focus on the moral and ethical implications of cybersecurity (a famous example being your decision to delete the VTech data breach information from HIBP). Why are you interested in the cross-section between cybersecurity and ethics and how much does that inspire or impact the projects you’re involved in?
TH – Because too often we tend to just look at the technical or legal issues without considering the real impact on people. Technology people, in particular, are very good at dehumanizing people and considering them as mere “users”. We need to remember that users are real people who can suffer serious adverse impacts from incidents such as data breaches.