Very conservatively estimated, there are more than three data breaches a day[1] with a high aggregate cost. One recent study puts the average cost per business of a breach at $3.86 million.[2] Such estimates are controversial,[3] but it is clear that breaches impose significant losses on society. Security experts have long explained how to better defend against hackers. Why don’t we defend better? Why instead does society tolerate a significant loss that it has the means to avoid? There is more than one reason, but we focus on what we will argue is the most important one: the lack of sufficient information about the cost of breaches and about the probability of their occurrence. That lack of information can cause organizations to spend the wrong amount on defending themselves against breaches, typically underspending.
Our focus may surprise some. Why concentrate on defense? Isn’t a good offense an important part of the solution? Why not propose better ways for law enforcement to identify and shut down hackers? It would of course be foolish to deny law enforcement an important role, but it is far from a complete solution. There will always be some people who will engage in illegal behavior as long as they see a positive risk-reward calculation, and a significant number of people will see a positive reward since it can be hard to locate and prosecute hackers, especially in foreign jurisdictions.
Law enforcement is in the business of locating and shutting down hackers, not in preventing them from being able to hack in the first place. Law enforcement will always make decisions about where to spend their limited resources based partially on the likelihood that they can attribute a breach to a particular criminal or group of criminals, and then locate and successfully prosecute those criminals. Each attribution, location, and prosecution can be quite difficult. So defenses are critical. Defenses benefit the defender by reducing losses, and they benefit law enforcement by reducing the amount of successful hacking it needs to investigate.
We begin by explaining what we mean by a data breach.
What Is a Data Breach?
We characterize data breaches by using the traditional division of information security into confidentiality, integrity, and availability—sometimes referred to as CIA, or as the CIA triad. Confidentiality consists of keeping information away from those not authorized to possess it. We expect confidentiality for telephone conversations, financial transactions, and medical records. Integrity consists of preventing information from being altered by those not authorized to alter it. We need integrity for financial instruments, and both integrity and confidentiality for texts and emails. Availability consists of making computer systems available to authorized users. It’s easy to maintain the confidentiality and integrity of information if you don’t need availability. Simply put the information on one computer and permanently turn off that computer, or put it in a bank vault and leave it there.
From the point of view of the organizations breached and the consumers affected, data breaches are primarily a matter of confidentiality. In many breaches, hackers obtain credit card data that should have remained confidential. Examples include the Wyndham Hotel, Target, and Equifax breaches (which we discuss below), as well as the Home Depot, Macy’s, and Sears breaches of 2018, and many others. In addition, many breaches, including Wyndham Hotel, Target, and Equifax, as well as the Anthem and U.S. Office of Personnel Management breaches, exposed other personal information that should have stayed confidential, such as Social Security numbers, emails, and phone numbers.
From the point of view of the information security defenders, there are also massive integrity violations at play. Software that should not have been allowed to run on a computer ran, violating the integrity of those computer systems. We return to the integrity prong of the CIA triad when we discuss the Internet of Things (IoT) in Chapter 5. Compromised integrity on the IoT can have serious consequences—car accidents, malfunctioning medical devices, failing power grids, and so on.
A narrow use of the label “data breach” restricts it to breaches of confidentiality along with the compromised integrity they involve. When data breaches in this sense involve unauthorized access to sensitive information, they constitute invasions of privacy. A broader use applies the label to events that corrupt, destroy, or block access to information. Data breaches then include denial of service attacks, ransomware attacks, and destructive hacking that corrupts or destroys data. These are not instances of unauthorized possession or viewing of data, but they do interfere with data in ways that can be highly disruptive. The table summarizes the typology.
| | Data Taken/Viewed | Site Access Denied | Data Hidden | Data Corrupted/Destroyed |
|---|---|---|---|---|
| Confidentiality | Data breach | | | |
| Integrity | Data breach[a] | Denial of service | Ransomware | Destructive hacking |
| Availability | | Denial of service | Ransomware | Destructive hacking |
We focus primarily on data breaches in the narrow “data taken/viewed” sense until we turn to the IoT in Chapter 5, where we consider the “data hidden” ransomware cases and the breaches of integrity involved in destructive hacking.
Four Examples
Before we go any further, let’s take a look at four among the thousands of significant data breaches in the past 15 years or so. For many data breaches, only a limited amount of information is publicly available. For our first two breaches, however, a fair amount is known, which is one reason we are discussing them. The late 2013 Target breach received a great deal of coverage by the news media and was also the subject of a detailed report by the U.S. Senate Committee on Commerce, Science, and Transportation. The Wyndham Hotels breach, or rather, the series of three breaches of Wyndham hotels between 2008 and late 2009, was the subject of legal action by the U.S. Federal Trade Commission (FTC), creating a public record. We will also discuss two more recent breaches where less is publicly known: Equifax, the biggest breach of 2017, and Marriott, the biggest breach of 2018.
Target
On December 19, 2013, Americans learned that Target stores had suffered a massive breach and that tens of millions of credit card numbers had been stolen. This was headline news, and it eventually became clear that about 40 million Target customers had credit card information stolen, and another 70 million had other personal information, such as addresses and phone numbers, stolen.[4] In the fullness of time, Target’s CIO and CEO would both lose their jobs,[5] banks would reissue about 21 million credit cards to vast numbers of Americans (including one of the authors of this monograph) at a cost of about $200 million,[6] and Target’s expenses would total $291 million.[7]
How could such a thing happen? What went wrong? The short answer is, many things went wrong. A fairly common pattern in disasters in both real life and fiction is that several different things go wrong, and the sum total of those occurrences causes the disaster. This is the...