Friday, June 1, 2018

When praise hides incompetence. How BMO and others are failing their “customers”




We all have to start realizing that we are not really their customers.  We are their product: an annoyance that is required for them to make money.

If we were indeed their customers, then they wouldn't be handing all of our personal information over to third parties like Equifax without actually doing proper due diligence.

So this week's blunder on the BMO and CIBC side shows us just how much big enterprises care, and how prepared big enterprises actually are to deal with major data breaches.  They aren't.

Several "customers" who happen to be friends of mine sent me the messages they received from the banks.  One friend, who happens to be at the top of the "security" food chain, actually called BMO after receiving the notice that his information had not been exposed, and he requested written confirmation that his information was all safe.  The response: "Sir, we cannot do that.  If you get a call from us, then your information is involved; if you don't get a call, then you are all good."

Awesome maturity!  Awesome process.   How proud they must all be.

This is unacceptable for many reasons.  The most important one is that waiting for a call that may never come is not a way to manage breach notification.  What if they call the wrong number?  What if I miss the call?  I may never officially know that my information has been exposed, and there is no written record either way.

Then we have the warm feeling some of us got when they announced the breach publicly, within hours, it seems, of the breach being exposed.

Many (rightfully so) praised the quick "customer" notification.  The reality, however, is not as awesome.  Turns out I was right…. It was a hostage situation.  The attackers demanded a ransom, and a sample set of customer data had been posted on Pastebin.

Somehow the banks managed to shovel shit down our throats by telling us that they instantly put in place "enhanced security," that the breach point was identified and closed, and that everything is now fine.

This alone should cause concern for any security professional.  If someone breaches your system and then asks for a ransom, chances are things aren't fine.  Closing the entry point is not the same as evicting the attacker: anyone who had access long enough to exfiltrate and publish a sample may also have left a backdoor behind.  But even setting that aside, it is 100% certain that all 90,000 leaked accounts HAVE LOST THEIR INFORMATION TO CYBER CRIMINALS.  The 90,000 can't change their dates of birth or their social insurance numbers.

So instructing your clients to change their passwords and offering credit monitoring for one year is 100% BULLSHIT, 100% SECURITY THEATRE and 100% NOT TREATING YOUR CUSTOMERS LIKE VALUED CUSTOMERS.  A password can be changed; a SIN and a date of birth cannot.  After you lose all my shit, you should legally be forced to provide credit monitoring services until I drop dead.

Cyber criminals don't use stolen personal information for identity theft immediately.  They assemble records from several breaches into a higher-value profile and then use it, or sell it.  The repercussions of all these data breaches will be felt for many years, not just 12 months.

This is where I like GDPR.  Chances are that out of the 90,000 people exposed, some are EU residents, which brings their data under GDPR's territorial scope.  This would mean that BMO and CIBC have just been shown to be NON-COMPLIANT, and that they are exposed to a significant penalty.  At the top tier it's 20 million euros or 4% of annual global turnover, whichever is bigger (inadequate security on its own sits in the lower tier of 10 million euros or 2%, although regulators have applied the top tier to breaches by treating them as a failure of the integrity and confidentiality principle).  Guess what.... for a bank this size it's way more than 20 million!

But this won’t change anything.

Here is why.

Financial penalties impact the bottom line of the enterprise only temporarily.

Watch the stock price of any breached publicly traded company: generally it bounces back really quickly.

Heck, Equifax MADE MONEY selling their credit protection services!  
Talk about screwing the citizen!

The CEOs and senior executives will come and go.  They all get paid LARGE sums regardless of their failures, and they never face any real penalties for non-compliance or major failures under their management.

Bottom line, they have NO REAL MOTIVATION to change anything and no real need to do so.

What we need is a set of laws that includes personal liability for senior managers.

Hey…. We are all allowed to have a dream.

Or, alternatively, we need a NEW system that makes these pieces of personal information irrelevant, one where proving I am me depends on a credential I control rather than on facts anyone can look up.  Enter blockchain technologies, perhaps.

Things must change, because it is simply NOT TRUE that my name, address, DOB, and SIN are actually confidential.  These have all been breached numerous times and should NOT be accepted as secrets that prove my identity.

Something to think about....


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com

