Each new data breach shows just how off the mark organizations can be when it comes to security. Public hangings may be necessary, but the facts had better be solid.

Here’s something different: An anti-FUD column that tells you to believe the hype. When it comes to the data breach epidemic, hype may be the only thing forcing organizations to take security seriously.

But along the way, the media has a responsibility to make sure all the facts are in place before pouncing. There’s one case in which that doesn’t seem to have happened.

The headline stack is ablaze again with fresh data breach reports, each new case further proving how much organizations still have to learn about security. Three examples:

From Silicon.com: “Unencrypted data on all 84,000 prisoners in England and Wales has gone missing after a Home Office contractor lost a USB stick on which it had been stored.”

From The Associated Press: “Personal information including Social Security numbers and home addresses of more than 2,500 Prince William County students, employees and volunteers was accidentally released on the Internet this summer. Officials said Tuesday that the information was disclosed by a school employee. It was on the Internet for five weeks.”

From The Mail Online: “Government probe launched after details of one million bank customers are found on a computer sold on eBay.”

We’ve written plenty about the need for companies to keep close tabs on network activity logs; build a layered security program with such basics as firewalls, antivirus and data encryption; and foster workplace awareness on the importance of complex passwords and responsible e-mail use. Though many organizations are starting to understand these things, each new breach shows that many more remain clueless.

In most of the cases we’ve seen in the headlines recently, the damage to customer and company alike could have been significantly blunted through simple security basics.
It’s common knowledge that letting contractors keep unencrypted data on USB sticks is a bad idea, yet it’s still happening. It’s obvious that organizations should keep an eye on the Internet to make sure someone hasn’t posted their private data for public consumption, but it’s still happening.

This may be one of those cases where media hype is the only way to coax companies into doing the right thing. My observation is that companies only address their security shortcomings after they’re forced to disclose the breach and end up as a headline. It took massive media scrutiny (and plenty of pressure from investigators and lawyers) to help TJX get the message.

But nothing does more to smash that notion to smithereens than a media machine that blasts away before all the facts are in hand. That may have happened in the case of Best Western.

Glasgow’s Sunday Herald reported Sunday that hackers accessed the data of every single customer who had stayed at one of Best Western’s 1,312 European hotels this year and in 2007. The article had “exclusive” stamped high up on the page, and was quickly slammed by Best Western as “grossly unsubstantiated.”

In subsequent days, reports have flowed in – largely from Best Western itself – that the report was indeed a huge exaggeration. While the hotel chain did suffer a breach, it appears that only 10 guests were affected.

Which number is closer to the truth? Time will tell.

In the final analysis, I’m for keeping the media pressure on companies that ignore security at the peril of millions of people. Given the damage that can be done when someone’s personal information falls into sinister hands, a little FUD might be necessary. But when that’s the case, the FUD had better be based on undeniably solid evidence.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine.
The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry’s most egregious FUD, send an e-mail to bbrenner@cxo.com.