#EpicFail: Rethinking Data Collection to Avoid a Digital Vesuvius

Originally Published on SDI Cyber on December 5th, 2018

At the end of November 2018, we learned that Marriott International suffered an incredible breach. Five hundred million customers are thought to have been affected. With numbers like that, this breach falls well within the #EpicFail category (think Equifax and Yahoo! as examples).

It’s not only the size of this breach that puts it in the #EpicFail category. Look at this snippet from the Marriott statement of November 30th:

“…the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

That’s a whole lot of valuable “what” which was exfiltrated.

And then this beauty: the breach likely happened over four years. Yes, years! But rest assured if you are a customer of this hotel chain as it looks as though only the Starwood network, and not the Marriott network, was affected.

Feel better now?

I fully expect the usual forensics, free web monitoring, mea culpas, some GDPR talk, possible political investigations all to be rolled out (as they have). This has become standard cyber crisis response these days, but I can tell you as someone who has done a cybersecurity deep dive, none of these actions make me feel safer. Nor do they address many of my underlying cybersecurity concerns.

I’ll be honest: I’m one voice in a sea of millions talking cybersecurity and will be in the minority to say this: we need to move where data sits on the balance sheet. Traditionally, data is viewed as an asset and that is where the majority of the voices are (main reasons below).

But I am really beginning to think we need to move data to the liability side of the balance sheet if we are going to implement any real change. You’ll find “data is a liability” commentary from lawyers or those well immersed in risk management, but rarely from any others.

If you go back to a piece from April 2018, you’ll understand why I believe the majority of voices see data as an asset. As I stated then, raw data is amassed for usually one or all of these reasons:

1) To understand something;

2) To develop something; and

3) To sell something.

It all sounds so benign, but we’ve reached looney tune levels of data collection. Even typing out this blog piece has resulted in some sort of data collection, for example the “total editing time” written into the file’s metadata. It’s become all so ridiculous that we cannot perform an action on a device without some behavioral data being collected.

And of course, this is all in addition to the data organizations collect on us, voluntarily or involuntarily.

Ultimately, what this means is that we have been increasing our risk profiles and are likely not even taking notice of how bad the situation has become.

The pragmatist in me tells me this Marriott breach, however devastating, will change little on how we approach our cybersecurity challenges. We’ll get the usual new vendor solutions, better education talk, increased control measures, AI, use of encryption, and so on. I’ve even talked about many of these issues in the hope some people change their behavior and alter their views on how they treat their data.

Unfortunately, here’s what I’m seeing: people are genuinely becoming normalized to theft, just as I wrote last year in a piece here, because the costs of data theft do not outweigh the benefits of the conveniences data collection bring people and organizations.

Put another way, if the costs of data collection did indeed outweigh the conveniences, then we may see a behavior change. But I don’t think we’re there yet.

Here’s the funny part though … and you’re really going to love this. I don’t have enough data to know if this cost/benefit relationship is real or perceived. But my intuition tells me this:

1) People accept risks associated to data collection because of the conveniences offered, which are also real or perceived; and

2) People – both producers and consumers of data – don’t know the actual costs associated with data collection.

Here’s how to really twist your noodle into a pretzel: you won’t get consensus on this issue. Everybody is going to have a different view point on the cost factor.

Side bar: I still cringe when people say to me “Why do you care if your device is collecting this information on you?” Perhaps I’ll write a book on that issue, as a blog post won’t do when talking about liberty and privacy issues. You know. Small things.

But I digress. For those of you who have an entrepreneurial spirit, you fully appreciate why so many businesses fail: they flunk Business 101 when it comes to costing. If your costing numbers are out of whack, you may get lucky and do some cruisin’ before the bruisin’ comes, but generally speaking, you’re feeding a volcano.

And that’s my cybersecurity feeling coming into 2019: we’re feeding a digital Vesuvius and I don’t have the slightest clue when we’re going to become Pompeii. I just have a feeling we will.

I have a hypothesis – no theory yet, as I haven’t tested this out – as to why this normalization has happened and it’s based on two factors, both of which are related to bias.

We have normalized data theft because there is an underlying belief that:

1) Data is an asset; and

2) Increased data collection will lead to greater conveniences.

You see, it’s a natural continuum: we have normalized mass data collection, assumed data collection is an asset, and accepted that this process will lead to greater conveniences, whether it is how we book a hotel room or the catch all “enhancing the user experience.” Almost always, that data collection is designed for some sort of behavioral response. Some would even call that manipulation, but let’s keep that can of worms closed for 2018.

In closing, to avoid another #EpicFail we may want to consider the following:

1) Perhaps it’s time to start treating data as a liability; and

2) Dispel with the canon that greater data collection will always lead to greater conveniences.

If we can do those two things, I believe we’ll do a much better job figuring out the true cost of data collection, on both sides, producer (you) and consumer (whoever we give our data to, whatever the reason). That step alone will help us better manage our risk and in doing so, we’ll have a much better sense of whether the costs of data collection (including data theft) really do outweigh the benefits and conveniences.

If we continue to think about data as we have, don’t expect changes. That’s why we need to rethink data collection.

Also available on SDI Cyber