Does Size Matter?
Gary Hibberd FCIIS
I simplify ISO27001 & Information Security for SMEs, helping them practice good 'Cyber Hygiene'
This last month I spent some time conducting a very unscientific experiment to see how social media responds to data breaches and cybercrime, and this past couple of weeks I noticed something that made me decide to finally write this blog.
I will start by saying that LinkedIn hasn’t disappointed me, and my industry hasn’t let me down… but it was with a wry smile that I began to write this blog this morning because it’s just so apparent what an interesting (and prudish) lot we are! Allow me to explain…
Capital One and others
In recent months we’ve heard about Capital One and their data breach, which has the potential of affecting 100 million customers. We also heard about how Oyster Card systems were hacked, resulting in 1,200 account details being stolen, and this came shortly after it was revealed that a care service on the Isle of Man had lost the personal details of almost 100 people either in its care or working for it. These and other data breaches, large and small, have been reported with varying degrees of focus over the last thirty-or-so days.
But of the three mentioned here, you’ll most likely have seen a lot of activity on social media focused on Capital One, but perhaps not on the others. Of course this could be simply down to the size of the breach; neither the Oyster Card nor the Manx attacks came close to the 1 million mark, so perhaps, like an earthquake that doesn’t register higher than 2 on the Richter scale, it’s not important!?
I believe this is a worrying trend for a number of reasons. The first is that people seem to be becoming blasé about data breaches and attacks unless the number reaches multiple millions. As if the lives of 1,200 people aren’t quite as important. Of course this could also be because they’re not as widely reported as the larger breaches, which brings me to my second point. As professionals in this industry, shouldn’t we be taking as much notice of smaller breaches as of the larger ones? Or are we also becoming blasé about smaller breaches, and simply chasing the bigger and sexier stories that are ‘trending’?
But if you want sexy…
Given my thoughts above, it was really interesting to note that 14 days ago a breach occurred which has the potential of affecting 1.2 million users, yet it barely caused a ripple on LinkedIn (at least not amongst my 4k contacts and followers). How could this be? Admittedly it wasn't as big as the Capital One data breach, but at 1.2 million records I was surprised to see it barely commented on by the industry luminaries! What was going on?!
The answer was simple… The company in question is classified as an ‘Adult-content sharing site’ (because apparently uttering the word ‘Porn’ can see you go straight to hell, do not pass GO, do not collect £200!?). ‘Luscious’ exposed the personal details of almost 1.2 million users on an unsecured database, which was discovered by researchers. It isn’t yet known if this information is now in the wild or if the information is being used to carry out sextortion (a form of blackmail carried out on individuals who are linked to some sexual act/imagery). But still... 1.2 million people affected - potentially.
Ashley Madison 2.0 (AM2.0)
Of course many people will have heard about the other big data breach, which occurred in 2015 and affected 37 million users, when ‘Team Impact’ carried out the attack on the 'alternative dating site' Ashley Madison. They threatened to release the details of people who had provided detailed personal information about themselves and their sexual preferences unless the site was shut down. It wasn’t. So they did.
To date we know that thousands received demands for money in return for 'silence' from the cybercriminals, and thousands more most likely paid (we have no way of knowing). But we do know that for some, the shame, embarrassment and fear was just too much to handle, resulting in eight people sadly taking their own lives. All as a direct result of that breach.
And now we have AM2.0. Slightly smaller in size, but the issues are no less worrying, and I can only hope that any one of the 1.2 million affected seeks professional advice should they fear the worst.
So does size matter?
The size of the breach shouldn’t dictate if or how we respond to it. We should learn from those who suffer a breach and ask “What does this teach us?”, “What can I learn from this?”, and “How can I ensure WE are not the next headline?” We need to have these conversations irrespective of the company who is the victim of the attack or cause of the breach.
Data breaches come and go… but the lessons are there for us all to learn from, if we are paying attention.
Cybercriminals know that they can prey on fear, uncertainty and doubt, and there is nothing (it would appear) that we humans fear more than having our personal sexual preferences and details exposed to the world. Cybercriminals know this… and I hope that those running ‘Adult-content-sharing’ sites(!) know this too and are taking every available precaution. But then again, we all need to be thinking more about personal protection, don’t we?
Founder of ProvePrivacy: Data protection compliance platform.
5 years ago
Are you auditioning to be a Shutterstock model?
Senior Privacy Manager, Country Privacy Leader & Data Privacy Officer, Canada. Johnson & Johnson.
5 years ago
Ref the article, I think dating sites are just dating sites in whatever context or interpretation applicable - no idea what an Alternative Dating site is, as there is no correlation to a baseline of some norm. Anyway, I digress, my basic answer to the question posed is... may depend upon the correlation to a level of success or a failure, and associated outcomes.
Business strategy advisor, executive mentor and leader, driving Digital Business Change, Growth, Compliance and Innovation.
5 years ago
Gary - size always matters!
#StandWithUkraine | Multiple Times Best-selling Author. Keynote Speaker. Top 50 Global Thought Leader & Influencer on Cybersecurity, Marketing, Startups, EdTech by Thinkers360. Founder & CEO, dacybersecurity.com
5 years ago
Yeah, I think we should talk more about all data breaches. If we don't, SMBs will still think that nobody targets them (which is not true at all). Is it something around 60% of all cyberattacks target SMBs?