Communication and terminology is important. So why can’t we get it right?
I recently saw a poll on Twitter asking if the Cambridge Analytica situation was a breach. and saw people argue both ways. Definitely a gray area. On the other hand, the Panera situation is different. Nobody breached anything, yet Checkpoint even is calling it a breach. The information was put out on the net for all to see. Same thing with any of these misconfigured S3 buckets that give out data, unless of course the data was not suppose to go to the bucket in the first place.
We want to secure things, and we hate FUD, yet we go around throwing words like breach out there when it should not be. Talk about confusing people and sowing FUD! So how do we fix this? It has to start with us coming up with a proper, universally accepted definition for a word like breach. Most of the time we seem to use it to indicate a willing ex-filtration of data that should have been kept private. The keyword there is WILLING. That means someone who was either unauthorized to access the data did (and possible copied/removed it) or someone who had rights to the data intentionally removed it (and possibly put it out for others to access). Going by this simple and basic definition It would indicate that while Facebook was a breach, Panera definitely is not a breach. Panera would be more along the lines of a site misconfiguration, or a permissions issue. The open S3 buckets that have happened would vary depending on if the data in those buckets was permitted to be there or not. If the data was not supposed to be in an S3 bucket, it would be a breach, otherwise it would be just a security misconfiguation or a permssions issue that allowed private data access. The term breach sound so much scarier, but if everything is a breach, then nothing is, and you start to get to an area of desensitizing people to the term, and then have ot come up with a scarier word.
Personally, I think not using the term breach and instead showing that a company screwed up on a configuration is a bigger deal than a breach itself. At least with a breach someone actively had to target the data and take it. We all know there is no perfect security and breaches will happen. On the other hand, setting up a website to show PII about anyone to anyone is a bigger trust issue, as it should have been caught in the QA phase before a site goes live. Mistakes happen, and the response of the company to either a configuration issue or a breach is important, and that is the even bigger fail in Panera’s case.
Leave a Reply