Whatever you choose to do, though, the next step needs to be doing everything possible to make sure it doesn’t happen again instead of breathing a sigh of relief that you got your data back and continuing business as usual. That would seem to be the common mistake here.
Don’t make that mistake.
Security pros, where do you fall on the debate on paying or not paying, and does this report change your thinking?
In this case, we have an emergency process. There are good reasons to have that process, if someone is threatening violence to themselves on social media, it’s useful for the tech company to share some information with law enforcement so they can be reached. But, having the ability to get that kind of response from tech companies is also an invitation to hackers. If they can create a fake emergency request they can collect personal information about any user. They can then use that information to target that individual.
When you create that kind of system, the request needs to be coming from a safe, verified, source. When the source is compromised, and the receiver doesn’t have an excellent validation process, bad things are going to happen.
Because when you have that kind of data, people will try and do bad things with it.
This is the crux of the problem. Personal information is going to be breached, eventually. There is no 100% secure data. None. No business, government entity, non-profit, or any other place that collects and stores data is completely secure. The only true security for personal information is to not have it. To have not collected it or delete it once it’s no longer needed.
That is the radical re-think that is necessary. It’s also the complete opposite of everything these organizations have been taught and incentivized to do. If we are going to pass federal privacy laws, this should be the central theme.