Fire Dance, Paul Gauguin, 1891
Wishing everyone in the U.S. a meaningful and relaxing Memorial Day Weekend.
Everyone except First American Financial Corp.
On Friday night before everyone took off for the holiday, security researcher Brian Krebs teased with a tweet that there would be a huge data breach that he was working on confirming:
It turns out that the breach, buried entirely by the Memorial Day weekend news lull, was enormous. Brian Krebs revealed that First American had:
leaked hundreds of millions of documents related to mortgage deals going back to 2003. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.
There have been similar horrifying leaks over the past several years, but most of them have involved open S3 buckets, an issue that Amazon has worked to resolve by making S3 buckets default-closed over the past couple years:
and open MongoDB instances. (In researching for this post, I realized that Mongo does not enforce authentication by default, which means it’s possible to put a completely open DB into production unless you have rigorous checks. After reading this, I had to take 10 Alka Seltzers and debated leaving tech forever, but I still really like my Python laptop stickers so I’m staying for now.)
What happened with First American was potentially even worse: all of the documents were served by the website without any authentication mechanism (i.e., a log-in), and the document IDs in the URL simply incremented by 1, so anyone who knew a single document ID could view any other one by changing the number in a URL similar to https://www.firstam.com/docid1023923982.
The earliest document number available on the site – 000000075 – referenced a real estate transaction from 2003. From there, the dates on the documents get closer to real time with each forward increment in the record number.
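The access pattern described above (unauthenticated `/docid` URLs whose IDs increment by 1) is also what a defender would look for in web server logs. The following is an added example, not code from the original post or from First American: it parses constructed access-log lines in an assumed `client method path status` format and flags clients whose requests walk consecutive document IDs, which is the signature of someone enumerating the record space rather than opening their own document.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic). The assumed format is
# "client_ip METHOD path status"; document paths follow the /docidNNNN pattern
# the post describes. Client 203.0.113.7 walks five consecutive IDs.
SAMPLE_LOG = """\
203.0.113.7 GET /docid000000075 200
203.0.113.7 GET /docid000000076 200
203.0.113.7 GET /docid000000077 200
203.0.113.7 GET /docid000000078 200
203.0.113.7 GET /docid000000079 200
198.51.100.4 GET /docid000412533 200
198.51.100.4 GET /about 200
198.51.100.4 GET /docid000412533 200
192.0.2.9 GET /docid000900001 200
192.0.2.9 GET /docid000900002 200
192.0.2.9 GET /docid000900007 200
"""

# Captures client, numeric document ID, and HTTP status; non-docid paths are skipped.
DOCID_RE = re.compile(r"^(\S+) \S+ /docid(\d+) (\d{3})$")


def parse_docid_requests(log_text):
    """Return {client: [doc_id, ...]} in request order, ignoring non-docid paths."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = DOCID_RE.match(line.strip())
        if m:
            per_client[m.group(1)].append(int(m.group(2)))
    return per_client


def longest_sequential_run(ids):
    """Length of the longest run in which each ID equals the previous ID plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_run=4):
    """Clients whose requests include at least min_run consecutive document IDs."""
    return sorted(
        client for client, ids in parse_docid_requests(log_text).items()
        if longest_sequential_run(ids) >= min_run
    )
```

The threshold `min_run` is a tuning knob: a legitimate user re-opening the same document never advances the ID, so even a low threshold separates that traffic from sequential walking.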
This seems horrifying until you realize that some of our most important security infrastructure hinges on incrementing numbers and wide-open databases:
The problem here is that there is no incentive for companies to do better. What happened after the enormous Equifax breach? Two years later, it’s just now starting to feel the legal repercussions, but the company is clearly not out of business, and no executives (as far as I know) have been jailed.
All of these companies, however, are Taking It Seriously. "Taking it seriously" is a phrase that the great website The Consumerist (RIP) homed in on when it reported on companies "apologizing" for their mess-ups. And amazingly enough, ever since I noticed it, it has become apparent that every company is Taking It Seriously. What that means is that the company never gave any second thought to the issue at hand and has been caught out in public. Witness First American:
At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.
Which means they never had any clue or intention.
As someone concerned with privacy, this makes my hair turn gray. As an average consumer, I've become overwhelmed by the number of data breaches happening and the number of companies who have vowed to Take My Data Seriously.
There is no way for consumers to hold these companies accountable. We can’t monitor every unintentional (or, in some cases, intentional) collection of data. The only thing that genuinely does make companies Take It Seriously is the fear of fines and regulation.
To that end, GDPR, and its nascent U.S. counterpart, the CCPA, have been a godsend.
So far, there have been mixed views on how to measure its success. For example, Leo Polovets recently tweeted that GDPR is not working from the perspective of the open market.
But, from my perspective in the data industry, companies, including large companies with extremely large sets of data, are extremely concerned about CCPA coming down the pike. They’re having meetings, gathering opinions, and discussing in industry venues what the impact of this will be on their operations. This has never, ever been the case before.
And that, to me, is a very big measure of success that will trickle down to the rest of the population, including smaller companies. Tooling will be built to delete data or, as already exists in the case of differential privacy, to anonymize it.
Companies will not actually start Taking It Seriously until there are real dollars attached, and now, finally, there are starting to be.