This is precisely why breaches keep happening and will keep happening. It costs money to implement security. There's no cost benefit to spending that time and money since there are no consequences.
Businesses do not spend money unless it will make them money or save them money.
There needs to be a hefty federal fine on a per-affected-user basis for data breaches. Also a federal fine for each day a breach is unreported.
That money should go into a pool which can be accessed by people who have their identity stolen.
Or a lawsuit go through where someone can win quite a bit from data leaks. If each person affected sued and won 100k or so, or even 1k, AT&T would definitely be spending money on security.
But it appears $5 or credit monitoring from an agency that also gets hacked is sufficient for class action lawsuits.
That requires people to be rich enough to sue. It takes a lot of money and time to sue. Almost no one has enough resources to do this. The courts are not an effective way to implement this policy. Unless you only want rich people to be able to get justice.
Class action suits regularly end up getting you "$5" worth of credit monitoring from the exact company who lost your data. It's a joke. Class action suits as they exist today in the US are an abject failure of justice.
Most companies now include clauses that force arbitration and prevent you from using a class action lawsuit. This type of sidestepping of the public justice system should be outlawed, retroactively, with retroactive lawsuits (by extending the statute of limitations), retroactive fines, and retroactive jail time.
Yes, but no amount of money will stop the data in a big database being stolen by someone sufficiently motivated to steal it. It's just bits on someone's disk.
The only true solution is to not create the database. But then what would all the data scientists and their MBA masters do with their time?
It's an interesting issue. It's kind of like software piracy: so what if someone steals the product, we will still make money on the product with the normal sale of the data in the first place. It's just making the news because it was a breach. It's not counted as a breach if the exact same party were to buy the data outright from AT&T in the first place.
I don't see a reason for recording who contacted whom. If it's for billing, just record duration, if they're not an 'unlimited' customer, and flags on whether it'd incur extra charges (i.e. roaming, international call).
No two people are incompetent in exactly the same way. Hiring two developers to review each other's code leads to better code because they will often find problems that the other one didn't see. In a well-managed organization (admittedly not a trivial caveat these days), more people working on security leads to better security.
Certainly, but for instance no sane developer should concatenate a string in a SQL query unless there is absolute certainty the string is safe. This should be reflex, not a matter of money or time.
People are always going to make bad decisions. Sometimes that is out of a lack of experience or knowledge which can be fixed by better training (which also requires money). Other times it is out of apathy, laziness, or something else that can't be easily fixed. Either way, time and money can provide extra sets of eyes to find and fix those mistakes before they lead to a breach.
Also, our defaults are opposite of safe (most of the languages are still mutable by default, rigorous type systems are wildly unpopular, there is a straightforward way to concatenate strings inside a query, etc.), our disaster prevention tools and practices seem most often to be targeted at symptoms instead of the causes (god forbid we rethink our collective ways and create/adopt tools that are much harder to use incorrectly), and all of this keeps happening because there is no pressure for it to stop. What's the incentive to?
I don't think that there is room for a meaningful and honest discussion about individuals in these circumstances.