There is a growing trend among organizations and companies to simply deny that live production data is real. As a security researcher I often hear that everyone is a small start-up and all data is test data, or it was some 3rd party and not us. More than once I have found my own name and personal details in a “test database”. Here at Security Discovery it is our belief that companies have a duty and responsibility to protect all data that is collected or stored. Our mission is to educate and raise awareness and our goal is always to help not harm, but it can be challenging when you feel like someone is not being honest with you. Claiming that you are a small start up with many millions of dollars in funding and revenue is not a free pass for exposing data, but yet we hear this far too often.
By simply claiming that any data exposure was internal test data is dishonest and unfair to the customers, employees or partners who trusted an organization to safeguard the data they collect. Now that there are regulations such as GDPR (EU) and California’s Consumer Privacy Act (01/2020) companies are more likely to be held accountable for exposing data. This includes fines and civil damages for organizations who do not act fast to protect the privacy and data of their users.
This is a double edged sword because before where a data leak was a black eye on a company’s reputation and a valuable learning experience, now it can cost real money to ignore data privacy. So, there is an increased incentive to downplay a data leak, deny that it was production data, or have a lawyer threaten lawsuits over “test data” discoveries :).
Unfortunately, these tactics to avoid accountability can potentially harm innocent people at the expense of protecting an organization’s reputation over all else. In a previous article I covered the financial cost of a data breach to a small to medium size business. Although $3.7 million may seem like a large amount of money, most organizations don’t actually think about the damage done to the real people who have their data exposed.
If someone’s identity is stolen because of a data breach it can actually ruin their life. It can affect their credit score, employment opportunities, credit availability and much more. All because they trusted a company or organization with their data that was exploited. In 2018, the Federal Trade Commission processed 1.4 million fraud reports totaling $1.48 billion in losses in the US alone. How many data breaches go unreported because organizations falsely claim it was test data or threaten litigation if the data breach is exposed publicly?
We believe that any exposure is still a backdoor into an organization’s network that could potentially allow cybercriminals access deeper inside the infrastructure. – Security Discovery
The term “Sensitive” is subjective and there is debate in the security community over whether or not log files are considered a data leak. Even log data can expose IP addresses, security tokens, patch or OS data, and a wide range of information that should not be exposed online. Just because a data exposure was not medical records, credit cards or banking details does not mean that they have no value or risk.
We believe that all data should be protected and some organizations get it and some obviously don’t. Some care about their users while others appear to care only about themselves, reputation or stock prices. The ones who get it are honest and transparent during and after an incident. They welcome legitimate members of the security community to identify vulnerabilities in their system, and most of them have a bug bounty process in place. Having a bug bounty or discovery reward program is common practice that is almost standard for data driven companies who are serious in their commitment to data security.
As a journalist and researcher, I report what I see in an unbiased way to educate and raise awareness of data protection. Our ethical reporting is about journalistic integrity and we focus more on the privacy rights of individuals who may have had their information exposed and less on the reputation of an organization who had a legitimate data leak on the public internet.
My advice to any organization or company who experiences a data exposure would be to embrace honesty and transparency. Do not go silent then put your head in the sand and hope that everyone forgets as if nothing happened. Remember that nearly every exposure is an opportunity to strengthen your security procedures and policies. Organizations owe it to their customers, employees, and partners to value their data the same way they value their reputations. Finally, do not under any circumstances claim that data is “Test Data” when it is clearly not.