Exposure of your sensitive data isn’t a bug, it’s a feature


[Image: surveillance camera. Image credits: Bryce Durbin]

Joel Wallenstrom


Joel Wallenstrom is president and chief executive of Wickr, a secure communications company. Before Wickr, Joel co-founded iSEC Partners, one of the world’s leading information security research teams, later acquired by NCC Group, and served as Director for Strategic Alliances at @stake, one of the very first computer security companies in the industry.


Another day, another breach. Equifax, the SEC, Deloitte, and the next one is coming soon. Nothing surprising there anymore, not for customers and not for the breached companies. So why does this keep happening, and why is there no change in how we treat our own information, personal or business?

Understanding the real significance of Equifax and other incidents requires thoughtful analysis — and some math. This is typically where eyes glaze over and the conversation shifts to ridiculing the use of “fax” in the brand of a 21st century company that relies on an antiquated technology, or to the academic background of the now unemployed Equifax CISO.

While a headline story for a few days, ultimately, every breach has very little impact on the protection of consumer data. Here’s why.

Your Social Security number is breached… again

We know that 143 million people have had their Social Security numbers, birth dates, address histories, legal names and, in some cases, driver license numbers exposed by Equifax. What we don’t know is how many were exposed for the first time. Consider that 4.2 BILLION personal records were breached last year alone. Yahoo lost more than 1 billion user accounts (but no SSNs or driver licenses), Anthem lost 80 million of our SSNs in 2015, and the OPM breach resulted in the loss of personal background reports on more than 21 million individuals. And these are just a few of the identified and reported incidents.

It is reasonable to calculate that the Equifax breach did not introduce much fresh value for cybercriminals nor fresh risk for consumers. The real impact of this specific incident is tied to the freshest data breached — the driver license numbers. However, it is unlikely that the Equifax information is new to those who mine personally identifiable information (PII) for financial gain. The bottom line is: we are in the unfortunate state where the exposure of 143 million records is pedestrian. Or as I explained to my neighbor, “Equifax failed to patch their systems, now the bad guys probably have your Social Security number… again.”

What’s the incentive to protect PII?

In October, we will celebrate the 14th anniversary of Microsoft’s launch of Patch Tuesday. In 2003, we all thought that we were headed down a path where patching would become the least of our worries. We were wrong. WannaCry and Equifax have made it clear that simply patching known systems remains a dark art for many large organizations. Most companies struggle to build a reliable inventory of their externally facing assets — not to mention orchestrating the processes to protect them.

Some voiced optimism that in the wake of Sony, Home Depot, Target, Slack, WebEx, Atlassian and Yahoo, the C-Suite would take notice and act to protect their systems. And they had already taken notice and acted. Just not to protect consumers. In 2015, researchers at Columbia University’s School of International and Public Affairs concluded that the actual expenses reported by companies victimized by large breaches amounted to less than 1 percent of each company’s annual revenue and that “after reimbursement from insurance and minus tax deductions, the losses are even less.”

If exposing consumer information in the largest breaches in the history of computing results in losses that are immaterial, why do we expect investments in protecting consumer information?

The C-Suite has always been driven by risk and profitability, not patching vulnerabilities. So it is not surprising that companies turn to underwriting when they can’t reliably protect — or even identify — their digital assets and liabilities. Unfortunately, this means that your personal information will be collected, stored, mined and monetized at risk levels acceptable only to data processors and ideal for cybercriminals.

An easy and tangible way to understand how these decisions are made by many corporations sitting on massive databases is to think of this in terms of the way sales teams use customer information. They buy lists of prospects that include the name, email, title and phone number to qualify targets for outreach. They understand that their competitors have access to much of the same information.

These basic data points are helpful, but it is more specific and unique information that makes the sale. Same goes for a cybercriminal. There are only so many times they can get your name and Social Security number before it just becomes a tool to qualify accuracy. As a result, data processors and cybercriminals value the data less. The processors see less need to protect the information and criminals look for fresh data points that will make the existing data more valuable through targeted campaigns.

Not a consumer problem only

The freshness and accuracy of data is what drives value in terms of both monetization and disruption. A savvy cybercriminal or nation-state is much more interested in the data found in executive communications, previews of earnings reports, acquisition strategies and deal rooms than in accessing a trove of SSNs.

According to the chairman of the US Securities and Exchange Commission, in the latest breach, PII wasn’t stolen, but the non-public information obtained from missing laptops and non-secure personal email accounts may have been exploited for stock trading.

Judging by the recent high-profile incidents, including the 2016 elections and the recent SEC compromise, the strategic use of valuable information is the new target area for advanced adversaries. And that is what corporations and institutions care most to protect.

However, while the exposure of consumer data by Equifax is the biggest headline this time, the chances of success are as minuscule for securing individuals’ PII as they are for protecting sensitive corporate data. Both PII and proprietary enterprise information are processed by services built on the same fundamentally flawed business and risk models, designed to collect and store your data indefinitely so it can be searched and monetized. That is not a system failure; it is a feature.

Combine this with two more facts: it is mathematically impossible to protect high-target information when we as consumers have no way of controlling who has access to our data, and corporations understand that protecting customers’ PII is not a financially sound investment. Together, they explain why we will continue to see more incidents and increasingly sensitive data exposed. In this race to the bottom, there are no winners. When information exists with undefined access points, it will be compromised.

Trading convenience back for data privacy

So how do we protect the critical and fresh information that drives shareholder value and shapes our personal identities? Finding our collective way out of this requires more than a new consumer data protection policy and increased fines, though both are long overdue. The answer lies not in defense but in hygiene, and in customers taking control of their valuable information. The system has to change, and we, as the ultimate owners of our information, have to be willing to take responsibility, trade convenience for control and do some work.

Moving your proprietary communications to systems protected by sound math and encryption, and controlled by you, is a strong start. It is no longer responsible to trust a service provider to protect your IP and high-target acquisition strategies from unauthorized access when its whole business model is built on retaining visibility into your information.

When we all understand that it is impossible to be successful configuring and managing products built to provide easy access to information, it becomes reasonable to use these tools for stale and non-critical communications only. When the exposure of your strategic data results in business disruption and shareholder dilution, math is a strategy and configuration is a hope.

Today’s risks dictate that companies and governments rethink how they treat sensitive and fresh information. Rather than starting with a failing strategy to save and protect it all, it is critical that we all have a well-thought-out data classification that determines which conversations need to be put on the record and stored, and which data must remain off the record and accessible only for a finite period of time, so that it cannot be compromised later.
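The classification-plus-retention idea in the paragraph above, as an added example that is not part of the original article and is not Wickr’s code: records are tagged on-record or off-record, off-record records carry a finite window (the seven-day value is an assumption for illustration), reads are refused once the window has passed even if the purge has not run yet, and a purge routine deletes expired data so it is no longer there to be breached. The record ids and payloads are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Classification(Enum):
    """Two classes the article distinguishes: on-record data that must be kept,
    and off-record data that stays readable only for a finite window."""
    ON_RECORD = "on_record"
    OFF_RECORD = "off_record"


# Retention policy. The seven-day window is an assumption for this example,
# not a value from the article; on-record data is retained indefinitely.
RETENTION: Dict[Classification, Optional[timedelta]] = {
    Classification.ON_RECORD: None,
    Classification.OFF_RECORD: timedelta(days=7),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: Classification
    created_at: datetime  # timezone-aware UTC timestamp
    payload: str

    def expires_at(self) -> Optional[datetime]:
        ttl = RETENTION[self.classification]
        return None if ttl is None else self.created_at + ttl

    def is_expired(self, now: datetime) -> bool:
        exp = self.expires_at()
        return exp is not None and now >= exp


class RecordStore:
    """In-memory store that enforces the retention window on every read and
    purges expired off-record data so it cannot be exposed in a later breach."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def put(self, record: Record) -> None:
        if record.created_at.tzinfo is None:
            raise ValueError("created_at must be timezone-aware")
        self._records[record.record_id] = record

    def get(self, record_id: str, now: datetime) -> Optional[str]:
        """Return the payload only while the record is inside its window.
        Expired data is refused even if purge() has not run yet."""
        rec = self._records.get(record_id)
        if rec is None or rec.is_expired(now):
            return None
        return rec.payload

    def purge(self, now: datetime) -> List[str]:
        """Delete every expired record and return the purged ids, sorted."""
        expired = sorted(rid for rid, rec in self._records.items() if rec.is_expired(now))
        for rid in expired:
            del self._records[rid]
        return expired

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Constructed sample data: a board resolution (on record), an earnings
    preview written ten days before 'now' (off record, already outside its
    window) and a deal-room note from two days ago (off record, still live)."""
    now = datetime(2017, 10, 1, tzinfo=timezone.utc)
    store = RecordStore()
    store.put(Record("board-2017-09", Classification.ON_RECORD,
                     now - timedelta(days=10), "Board resolution: approve Q3 filing"))
    store.put(Record("earnings-preview", Classification.OFF_RECORD,
                     now - timedelta(days=10), "Draft Q3 EPS figure (preview)"))
    store.put(Record("deal-room-note", Classification.OFF_RECORD,
                     now - timedelta(days=2), "Acquisition target shortlist"))
    before_purge = {
        "board": store.get("board-2017-09", now),
        "preview": store.get("earnings-preview", now),
        "deal": store.get("deal-room-note", now),
    }
    purged = store.purge(now)
    return {"before_purge": before_purge, "purged": purged, "remaining": store.count()}


if __name__ == "__main__":
    print(demo())
```

The design point is that the window is enforced at read time as well as by the purge: a scheduled purge that is late or skipped does not quietly extend the life of off-record data. In a real deployment the store would be backed by encrypted storage and the purge would also destroy the keys, which this in-memory sketch does not model.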

Today, our digital economy is propped up on communications that are processed, stored, mined and monetized, but not protected. Another massive data breach is coming soon, but only if we do nothing.
