Are We Suffering from ‘Data Leak Fatigue’

When people are frequently exposed to something, they learn how to adapt to it. This is why immersion therapy is so effective for treating phobias in some people: if you are afraid of spiders, then reaching into a box full of arachnids and letting them crawl all over your arm without any negative consequences can help alleviate your fears. However, this isn’t always a positive thing. You only need to look at any news story about Donald Trump (that doesn’t come from Fox News) and then imagine showing it to someone in 2015 to understand how becoming numb from exposure can cause us to normalize and accept things that we normally wouldn’t.

This effect might go some way to explaining why so many businesses have got away with being unacceptably careless with our personal data (e.g. scraping it and then monetizing). A decade or so ago, a major data breach that exposed hundreds of thousands, maybe even millions, of peoples’ data to an attacker would have made headlines around the world. Fast-forward to 2020, and data leaks are now so common that we routinely shrug them off when they occur.

Data Breaches In 2020

With the coronavirus pandemic already upending business operations across the globe, denting consumer confidence, and putting many businesses into precarious financial positions, now is the worst possible time for most of those businesses to be suffering data leaks. But coronavirus hasn’t slowed down the pace that cybercriminals operate at, they are just as eager as ever to get their hands on people’s data.

Data breaches are a global phenomenon. Criminals aren’t at all fussy about where they get their data from. Let’s take a look at some of the breaches that have occurred around the world within the last month.

Tesco Clubcard Database Breach

Tesco is the largest supermarket chain in the UK. It is an enormous business with a yearly-turnover that would make most people’s eyes water. With the resources at its disposal, you would expect Tesco to have invested accordingly in its cybersecurity. You would definitely think that having been fined £16.4 million in 2018 over IT failings at its banking division, Tesco would have learned their lesson and beefed up security appropriately.

However, all the money in the world and the best cybersecurity systems that money can buy won’t help you if your users aren’t going to do their bit. It seems as if the data breach that Tesco suffered at the beginning of March was, at least in part, due to a credential stuffing attack. In other words, attackers took usernames and passwords from another data breach and tried them out.

The result is that the supermarket has now issued 600,000 new store cards to customers and advised users to change their passwords. This attack perfectly illustrates why we are all told not to reuse passwords across multiple services.

Princes Cruises And Holland America Line

Within the last month, two of America’s biggest cruise lines announced that they had been hit by data breaches that may have exposed the personal data of both employees and guests. We should clarify: the actual breach, in this case, has been traced back to a series of suspicious emails received by the businesses in May 2019, but it is only this month that they have acknowledged the scale of the breach.

This is common when it comes to data leaks. In some countries, which now encompasses all of the EU and UK thanks to GDPR, businesses have a legal obligation to report any data breaches in a timely manner. Sometimes there is an inevitable lag between a breach and a report. This isn’t always due to incompetence or malice or giving key people time to dump their stocks (which is far too illegal for us to accuse anyone of), although all too often it is.

While both cruise lines have said that they have no indication the data stolen has been misused, among the nuggets of data that the attackers got their hands on were names, credit card numbers and other financial information, health-related information, government ID numbers, passport numbers and, to top it all off, social security numbers. Basically, everything you need to steal someone’s identity in an afternoon.

What Can We Do?

All too often, consumers feel powerless against the whims of big corporations. As corporate consolidation continues unabated in the US, consumers are increasingly finding themselves with no alternative but to keep giving their money and their custom to businesses, even though they don’t want to.

Perhaps the best example of this is Facebook. No one, and I mean no one, thinks that Facebook is good business. Don’t ever forget that the largest and most egregious data breach in history – the Cambridge Analytica scandal – was conducted entirely using Facebook’s own tools and API. There was no circumventing security or breaking into sensitive systems. Instead, Cambridge Analytica simply used the tools that Facebook provided to harvest data and potentially undermine the legitimacy of two of the most important democratic votes of the last century. Even at the best of times, Facebook is a privacy nightmare and proof-positive that once a business reaches a certain critical mass, it can basically do whatever it wants.

And yet, people continue to use Facebook regardless. The same is true for the myriad of other businesses that have been careless with their users’ data. Why is this the case? There are a number of reasons, but a big part of the problem is a general sense of hopelessness and apathy amongst consumers. Data leaks are so common now that we have become fatigued.

Even people who genuinely do care about data leaks and are actively involved in lobbying for change are suffering from data leak fatigue. These leaks are now so common that they aren’t registering with us the way that they should.

The only solution to this problem is for those of us who refuse to accept the current situation to make our voices heard. GDPR isn’t perfect, but it has been a game-changer as far as privacy in the EU is concerned. GDPR normalizes a healthy attitude towards data privacy and threatens serious financial consequences for businesses that ignore it. A similar federal law in the US seems inevitable, especially now that California has set the blueprint with CCPA.