Can You Trust Companies That Have Experienced Data Breaches?
Personal data is one of the most valuable commodities you can collect, buy, and sell in the modern world. Despite this, very few of us spare as much as a thought about how a vendor is handling our names, email addresses, passwords, etc. when we're signing up for a service. When the said service gets breached, however, we are suddenly a bit more concerned.
It's an instinctive reaction: an organization was tasked with handling people's data securely, it failed to do so, and now the mob is angry. Many would say that this is just about the most natural thing in the world, but if you stop and actually put some thought into it before reaching for the pitchforks, you'll see that things are a bit more complex than that.
Accept the truth: data breaches are a fact of life
Part of the problem is rooted in a misconception that has been propagating for years. Inexperienced and ill-informed people think that there is such a thing as "perfect security." This myth fits the narrative of many marketing departments which is why users not only believe it exists, they expect vendors to provide it. The fact of the matter is, this is just not possible.
We have billions of terabytes of data that needs to be protected. We also have billions of users, some of which are armed with bad intentions, lots of skills, and plenty of free time. Last but not least, we have a piece of technology that evolves not every day, but every second. No matter how much time and money companies invest into securing a system, they have to accept the fact that someday, someone will attack it and might be able to break it. What's important is how they prepare themselves for the incident and how they react to it.
Companies must be prepared for the worst
Organizations have to accept the very real possibility of a data breach somewhere down the line, but that doesn't mean that they shouldn't bother with security because it's going to be broken anyway. On the contrary, they must make sure that they have done everything they can to stop the hackers from getting their hands on people's data. At the same time, however, every vendor should ensure that if the crooks do get in, they won't be able to walk away with all that much.
This is not as easy as it sounds, but there are some bases that every single online service provider must cover. The password storage policy is especially important. If passwords are stored in plaintext, there will be nothing to stop hackers from compromising thousands or even millions of accounts. If, on the other hand, the passwords are properly hashed and salted, the bad guys will have little more than a list of emails which, on its own, isn't much use.
This has been common knowledge for years now, but despite this, every now and again, we see that some online services fail to hash and salt users' passwords correctly. Sadly, there's no easy way of knowing what sort of password storage policy a service provider has upon signup. If the breach has already occurred and your plaintext password has been exposed, however, you can be pretty sure that the vendor has grossly underestimated the issue.
Transparency in the wake of a breach is key
You have to understand that if a service provider has done its homework, a data breach isn't necessarily the end of the world. Even so, leaks should never be overlooked. What's more, you should take a closer look at what the attacked company is doing in the aftermath of the incident in order to decide whether you want to continue doing business with it.
Not all companies respond with the required transparency. In 2016, for example, a hacker managed to steal a database containing data on about 57 million Uber users. The hacker then contacted the ride-sharing service and asked it what it's going to do about it. Instead of issuing a report detailing what had gone wrong and working towards preventing future incidents, Uber's former management team gave the hacker $100 thousand and acted as if nothing had happened. It wasn't until a year later that the truth finally came out.
This sort of sweep-under-the-carpet behavior should be completely unacceptable in this day and age, but unfortunately, we still see it every now and again. The fact that an organization is willing to withhold information on something that concerns its paying customers really does say a lot about the corporate attitude of the people running it. We should point out that Uber is far from the only company guilty of this, and we should also mention the fact that the people currently running the service have promised a lot more transparency.
Working with a company that has suffered a data breach doesn't necessarily mean that you are putting your information at risk. That said, the protection of your personal data is a serious task, and if you are entrusting it with an organization that has handled a breach poorly, you might be underestimating the issue.