Betting on a Breach

Written by

In February of this year, the University of North Carolina-Charlotte issued a statement that a breach had occurred. It now seems to have been a serious one.  As of the statement on May 9th (.pdf), it looks as though more than 350,000 social security numbers (along with other personal details) had been exposed in two failures of security.

The exposure of this information occurred as the result of incorrectly configured systems (again, according to the university) and may have lasted over a decade. Frankly, this seems like a very long time for a system to be left misconfigured (at the very least usually due to not running basic auditing and logging, and not being patched for known vulnerabilities), especially when the exposure allows access to information like social security numbers. 

We’ve seen this kind of thing before, though. Back in early 2009, the FAA reported (.pdf) a large breach which affected over 45,000 individuals resulting from incorrect configurations of systems storing sensitive information
Clearly organizations like UNC Charlotte will face public and probably painful criticism for their failure and I’m sure we haven’t heard the last of it. But the question we should be asking is why are organizations still failing to correctly protect systems that house sensitive data?
 
It's due, I believe, in part because of a lack of investment both in the tools and the time to do the job properly. While 15 years ago (which is when, apparently this may have all begun) best practices for system configuration and security may not have what they are today, a lot has changed since then.
 
When systems are left open, and worse, data on them is left unprotected (presumably unencrypted), what’s left is a ticking time bomb of risk.  It’s like playing roulette and letting the bet ride and ride. Sooner or later you’re going to lose – and the cost of that long-term risk bet can be high in both dollars and public humiliation.
 
But here’s the question – is the aggregate cost to society, and in this case the 350,000 people whose personal information was left exposed, more or less than the penalty to the organization that caused the breach? In the end, what’s the risk cost to us of someone else’s security failure? As a society, we have to to decide how much security is actually worth to us, and then ensure that we can pass on the cost of failure to institutions who have, one way or another, chosen to double down and let that bet ride.
 

What’s hot on Infosecurity Magazine?