I’m more and more convinced every day that, as a user of the internet, this is just inevitable. Being exposed via a data breach, that is. The thing is, there’s absolutely nothing any of us as consumers can really do about it either, at least short of going all “caveman” on this whole internet thing and simply tuning out altogether.
This time it was Patreon, the crowdfunding site which, other than the whole data breach situation, is really quite excellent. Yet that’s where I find myself yet again, as one of millions of email addresses in another mega breach. The frustrating thing about it from my perspective is that there’s nothing I could have done differently to avoid it short of not having an account in the first place. Oh sure, I had a strong password that was unique, but my activities on the site are now public, including the donations I’d made using the system.
Somewhat ironically, the entire reason I’d signed up to Patreon was to throw some money to the Risky Business podcast each month. The irony in this case is that the podcast does a fantastic job of breaking down what’s hot in the infosec world each week and that usually means a healthy dose of what’s happening in the world of data breaches. Now, by virtue of my wanting to support the show, I find myself as a victim of yet another incident.
Unfortunately, this isn’t my first rodeo. I was in the big Adobe breach of 2013 and indeed that’s what first prompted me to build out the Have I been pwned? service in which I now make multiple personal appearances. That’s not the extent of it either – there are various other data breaches I’ve appeared in that have never seen the (public) light of day. My data – almost certainly just like your data – is now floating around in all sorts of places I never intended it to be.
It’s not like Patreon has been the only breach of note this week either. Down under here in Australia we had Kmart a couple of days ago then David Jones just today. In other international news, there was also T-Mobile and frankly, so many others that they just begin to become a blur. Clearly even in the wake of the devastating Ashley Madison data breach in August, there simply hasn’t been the impetus yet to effect real change. I sincerely wonder how many of these organisations looked at that event and thought “Wow, vulnerabilities in our online assets could be really bad news, perhaps we should make sure our shop is in order?”
And that’s really the point – the constant flood of data breaches is making them the new norm. It’s actually beginning to worry me that we’re becoming desensitised to the whole thing to the point where the latest data breach sits down there somewhere after page three along with what that local sporting team did last weekend. We just don’t seem to be getting on top of this and at the current rate, it worries me where this might all be leading…