When you think of ‘World Records’ and ‘Record Breaking’, what do you think of?
Perhaps it’s Usain Bolt and his 9.58-second 100m, or his 19.19-second 200m sprint.
Perhaps it’s Mo Farah running two miles in just 8 minutes and 3 seconds.
Or maybe it’s Wim Hof, who has earned 18 Guinness World Records titles for his remarkable ability to control his body and mind in intense freezing conditions.
All of these world records are impressive and give us something to be inspired by, or to aspire to.
But that’s not true of all world records.
Dark World Records
Yahoo has held the world record for the largest data breach in history, the result of a massive cyberattack in 2013 that compromised all three billion of its user accounts. The stolen data included names, email addresses, phone numbers, dates of birth, and security questions and answers, some encrypted and some not.
One of the most widely reported ransom payments to cyber criminals was made in 2021, following the Colonial Pipeline attack, when the attackers were paid $4.4 million.
The most expensive and globally impactful malware attack occurred in 2017 with the ‘NotPetya’ attack, which is estimated to have caused over $10 billion in damages worldwide. This broke the previous record, set only weeks earlier in the same year by ‘WannaCry’, which cost around $4 billion.
These world records aren’t something to aspire to or something that you would ever want to be associated with, but they are there – and they are waiting to be broken.
2023: A Record Breaking Year
Unfortunately, 2023 was a record breaking year for breaches, with DarkBeam exposing 3.8 billion records, the Real Estate Wealth Network exposing 1.5 billion records, and X (formerly Twitter) having 220 million records breached.
Keep in mind that this is only what we are aware of NOW. More may yet come to the surface, making 2023 an even more remarkable year for records.
But there is a problem with statistics like this, and indeed with any world record.
Firstly, world records are waiting to be broken. By their very nature they are a ‘line in the sand’ that says to us, “This is where we are today. But tomorrow…”
The second, and possibly most challenging, issue we have with statistics and world records is that they are difficult to contextualise, and therefore they ‘feel’ remote to us.
Why is this a problem?
Let’s look at Mo Farah for a moment. His two-mile run in 8 minutes and 3 seconds is obviously impressive, but unless you’ve ever tried to run two miles you’ll have no concept of how fast he had to go to achieve this feat. More importantly, you won’t know what it feels like. If you want to understand it, all you have to do is get on a treadmill and set the pace to 15 miles per hour (good luck!).
Although world records are clearly impressive, they feel remote from real life and are seen as oddities. They are seen as events we can’t be involved in, precisely because they are extraordinary.
This is the problem we have when we describe cyber attacks to our businesses. They hear numbers like 815 million accounts compromised, or 3 billion records, but can’t conceive what this means. Yes, they know these are big numbers, just as they know Mo Farah is a fast runner, but it doesn’t feel impactful.
A Record Breaking Solution?
Ok, this is not a record breaking solution. Getting people to engage with cybersecurity is a complex topic, but there are two very simple steps we can take that will help.
First, we need to remind people that when we talk about X million or billion records being breached, we are talking about real people. In sales we often hear people talking about creating a customer ‘avatar’: a picture of what your ideal customer looks like. But how widely understood is this ‘avatar’? Have you given them a name? If not, why not?
Give your team a picture of the person whose data they are working with. Give them an identity to identify with, and they are more likely to take care of that person’s data. If you think this doesn’t work, let me ask: if you saw a sign on the back of a tanker saying “Please drive carefully”, would it make you change your behaviour around it? Perhaps it would, perhaps not.
But if that oil tanker carried a picture of a child on the back saying “My Daddy drives this truck. Please drive carefully.”, you are likely to drive more carefully, because you identify with both the driver and the child.
The next thing we can do is help people understand what a breach looks like in the real world.
For example, “3 billion user records breached” is too abstract. What does a ‘billion’ people look like? You might describe this in terms of population, so you might say “3 billion user records is more than double the population of China!” Most people know that China is highly populated, so that’s a good start.
But a lot of people haven’t been to China, so it’s still a little abstract. We need to bring it closer to home. For example, in a recent newsletter, this is how I described the breach:
“The 2013 breach of Yahoo impacted over 3 billion lives. To visualise how big this is, I want you to imagine Wembley Stadium. If Taylor Swift was to play to all 3 billion people affected, she would need to play every day for 91 years!”
I’m turning 3 billion records into 3 billion people. I’m asking people to imagine something they have seen many times on TV, or may even have visited. I’m linking it to a cultural icon they’ve heard of or seen. Perhaps the person reading the newsletter actually saw Taylor Swift at Wembley Stadium, making the message even more impactful.
Let’s get real
When it comes to explaining cyber attacks and data breaches, we need to get real. We need to make them feel real. Record breakers are great, but they are anomalies, something that other people do or are involved in. Yet 3 billion customers are part of a world record for data breaches!
Remember: world records are there to be broken. It will be interesting to see how long Yahoo can hold on to the dubious honour of being the world’s biggest breach. We can only hope this is one record that sticks around for a while.
More questions?
If you found this topic of interest and want to know how you can improve your security, please get in touch. We use security frameworks such as ISO 27001, ISO 27701, NIST and Cyber Essentials to ensure information security and data protection are considered in all that you do.