Whenever a major company suffers a breach, an uncomfortable amount of time – weeks, sometimes months, or even a year – seems to pass until the victims are informed that their personal data might be in the hands of a group of mischief makers.
To provide some context, Uber, a company that offers an alternative to taxis around the world, has known about a breach since October 2016 that it didn’t reveal until Bloomberg reported it in November 2017! Even worse, they even paid a ransom to the hackers who attacked it, hoping that it wouldn’t make the front page of the news (a plan that apparently backfired horribly).
What’s the big deal? Why do companies like Uber, Equifax, and Yahoo hide their breaches for such a long time?
Don’t Want Their Customers to Lose Trust
This sounds kind of counter-productive, but some executives imagine that if they sweep their breaches under the rug, their customers will somehow continue to trust them. Their fingers are crossed, hoping the breach won’t be that damaging to everyone. Once the dust settles, then they could make an announcement without as much impact.
In some way, it’s kind of like a kid who gets poor grades and hesitates to show his mother his report card. She knows it has to arrive, but he is hoping she will forget, that he will get better grades in the next semester, and then he can show her the better grades next to the worse ones. “See, it’s not really that bad!” he would say.
Unfortunately, this practice is just as counter-productive as it sounds. Customers tend to feel betrayed when they find out that their personal data has run amok for months without their knowledge. This is especially true when social security numbers, credit card numbers, or other sensitive pieces of data are involved.
Don’t Want Their Stock to Drop
Going by the same logic, companies whose shares are traded on a major stock exchange might hide their data breaches for the same exact reason. The difference here is that they do not want their shareholders to be alarmed. If the breach isn’t viewed as extraordinarily harmful, their stock prices won’t plummet down to the bottom of an abyss.
Shareholders might be a bit more forgiving. For example, when Equifax announced its breach on September 7, 2017, it was trading at somewhere around $464 per share. Immediately afterward, on September 11, the share price hit $474. Equifax was unaffected. As the month progressed, it experienced a downward slope, finally trading at $434 on September 26.
Then, when the news cycle died down a bit, it never again hit that low number. By November it was trading higher than the September 11th figure, hitting a peak of $492 per share.
Imagine yourself in the position of a CEO: You’re leading a company with n-thousand employees, billions of dollars in assets, tens of millions of users/customers, the whole nine yards. Suddenly, a lazy hacker finds a vulnerability in your servers that your IT department forgot to patch months ago. It only took one college dropout in his studio apartment to bring you to your knees.
That’s quite a hit to the ego! What do you think most people with a bit of an inflated sense of self esteem would do?
Sometimes, even executives with the best sense of integrity will choose just to ride out the storm and see if it all just goes away. Then it comes to bite them, and they turn out to regret this decision, as now it’s too late. They had a responsibility and failed to muster the courage to admit they made a mistake to the very people the attack victimized.
In most of the developed world, there are cybersecurity laws in place within commerce codes that do not allow too much time to pass between the discovery of a breach and its announcement. Coverups like Uber’s in November 2017 bear heavy penalties by the United States Federal Trade Commission (FTC), to name one example.
There’s even a bill running through the U.S. Congress that will give prison sentences to executives who hide breaches for an extended and unreasonable period of time.
At this point, there’s nothing you personally can do about these breaches except be prudent with your personal data, but governments have laws in place that penalize these companies. The United States is just taking this a step further by adding jail time to the possible penalties.
It bears repeating once more that you should not put too much of your sensitive stuff on the Internet – regardless of how trustworthy the entity you’re entrusting it to is – unless you absolutely must do this.
What do you think? Should executives go to prison for hiding data breaches that affect the customers of the businesses they represent? Tell us what you think in a comment!