Data Breaches That Will Haunt You


Halloween is a ghoulish time of year. AMC’s Fearfest is in full swing, Hollywood’s latest terror-inducing features open in theatres, and parties like “A Nightmare on Queen Street” and “Halloween Freakout” are organized. While Jason, Chucky, and Freddy were the nightmares of our childhood, these shriek-coaxing monsters seem almost cuddly compared to the shackles of our identity, personal information, and credit rating. Whether you were a Boomer, horrified by Psycho and Rosemary’s Baby; a Gen X’er, terrified by The Shining and A Nightmare on Elm Street; or a Millennial kept up by Scream and Saw, none of those could have prepared you for the horrors of the modern data breach.

 

This year has been filled with some of the biggest data breaches in history, which is a truly horrific thought. It’s a nightmare for everyone involved, and it feels like we’re living in a horror movie. Maybe it’s more than a feeling, maybe we are living in a horror movie. If that’s the case, then tying these breaches back to common horror tropes (from TVTropes.org) should be relatively easy.

 

The Ominously Open Door

The open door, lurking just down the corridor, is a common scene in movies, but, in horror movies, it always comes with a jump-scare. That door at the far end of the room is just slightly ajar but we all know it should be closed. Our protagonist approaches the door, the music intensifies, she pushes the door open and we all jump as we get a full view of the monster. Repeat after me, ‘Nothing good ever comes of open doors.’ This same trope can be applied to the Verizon breach in July. An open AWS S3 bucket contained data on somewhere between 6 and 14 million customers. It’s a reasonable assumption that this open “door” scared the Verizon customers whose data was leaked. Much like slasher films, where the same story is told dozens of times, this method of gaining access is not unique. Open AWS S3 buckets also led to the loss of 1.3 million student records from data warehousing company Schoolzilla and more than 9,400 resumes from applicants to the security firm TigerSwan.

 

Anyone Can Die

You never know who is next in the movies. It could be any character at any time. Not only people but animals are also a possibility, so you have to expect the unexpected. Whether you have one scene with no lines or appear in the entire movie with a 15-minute monologue, no one is safe. Just as you think that the last of the heroes will make it out of the haunted house, a glint of an axe on the camera reminds you, “No One Is Safe!” The same is true in the data breach world; just ask the victims of the Edmodo breach. The data of 77 million users was exposed, which is considered to be the largest breach of K-12 student data in history. Data breaches don’t just impact adults; everyone’s data is fair game to malicious actors.

 

Absurdly Ineffective Barricade

We’ve all seen this. Running from the monster, our hero ducks into a room and slams the door. He wedges a small chair under the door handle and breathes a sigh of relief. Moments later, the door and chair fly across the room as the monster smashes its way in. The more applicable instance, however, is the bumbling band of misfits that pile every item in the room against the door, step back, proud of their accomplishment, only to turn around and see the monster enter the open door at the opposite end of the room. You can have all the security you want in place, but one opening anywhere is enough for our horror movie villain – and hackers – to get in. Take Equifax, for example, where a single overlooked vulnerability resulted in the exposure of the personal data of 143 million people and more lost sleep than the entire Nightmare on Elm Street franchise.

 

The Calls Are Coming from Inside the House

From 1979’s ‘When a Stranger Calls’ to Drew Barrymore’s iconic opening scene in Scream (1996), this is a well-known and oft-used trope. In the days of cell phones, this doesn’t quite have the same scare factor, but many of us remember how scary the idea of picking up the phone and finding out someone was calling from inside the house was. In the days following the release of Scream, babysitters were more vigilant than ever before. While not tied to a specific media-worthy breach, the risk from insiders permeates enterprises. According to Verizon’s “2017 Data Breach Investigations Report,” more than 14% of breaches involved insiders or privilege misuse. That number is frighteningly high.

 

Camp Unsafe Isn’t Safe Anymore

Relax! We’re safe here… at least until we aren’t. You find a room, you take refuge, knowing that the movie’s killer can’t catch you here and then, suddenly, someone realizes that he can. It was never safe, even when you thought it was. This feels like an overarching theme in the security world. Vulnerabilities always exist, even before they are discovered, and every safeguard we make is ultimately flawed in some way. This year, we saw multiple breaches where the aftermath involved MD5 hashes of user passwords being released. This involved both 715K members of PoliceOne, a LEO community, and 700K members of DaFont.com, a font sharing website. MD5 was never really safe; it just took many years for someone to say “Hey, this doesn’t feel very safe,” and many more before anyone demonstrated just how unsafe. At least in the movies, our protagonists know to run when this is said but, in this case, these sites continued on with the broken and insecure hashing algorithms.

 

So, maybe we are living in a horror movie, maybe nightmares are haunting us every day. Statistics for the first half of 2017 put the breach count at 5 breaches daily[1]. If you aren’t scared, you should be. Unlike horror movies, we can’t turn on the lights at the end of the show and remind ourselves that it’s a work of fiction. This is real life and the numbers are scarier than anything Hollywood has ever dreamed up.
