Later this week I'll be publishing an interview with Troy Hunt, the online security consultant who runs the website Have I Been Pwned?, where you can check if your email has been compromised in a data breach. He and I discussed the recently revealed National Public Data (NPD) hack, which exposed millions of social security numbers, names, email addresses and other personal information. We also talked about what to do after an event like this, plus the generally grim state of these breaches. Here's a bonus bit of that conversation. – Ben
Over the summer, you wrote that victimized individuals can sometimes make things worse, specifically by pursuing class-action lawsuits against the companies that were breached. Could you explain your thinking there?
I feel as though that's a very American thing, class action lawsuits.
Sure! [Hunt is based in Australia.]
The biggest sense I get from individuals is they want retribution and they want to punish the organization. I can understand that. Let's take the NPD thing: "You know, why in the hell do you have all of my data?"
The concern I have is I keep seeing lawyers drive the conversation very early on, because they're protecting the brand, they're protecting the shareholders, and inevitably they're protecting the executives. And a lot of it is because they get these spurious claims. …When you have these data breaches, if you start getting more spam, it's just spam. I hate spam with a passion, but it's not going to hurt me. (Second of all, the attribution of the source of spam is extraordinarily hard. All the sorts of data that were seen exposed in NPD have come out from all these other places as well.)
So the breached companies lawyer up.
It will cause them to tick every box and dot every i and cross every t. And that takes time… What happens is we get these long lead times between the incident and the disclosure [to individuals, which is written in] very carefully caveated language. So we don't really understand what's happened. And the plaintiffs end up with a few dollars. Literally. Maybe you can get a coffee. It's not even worth the return on investment.
When Drizly (an alcohol-delivery company) was hacked, my university email was exposed. If I recall, I got a check in the mail for a buck or two.
Not enough to buy a beer!