In a seemingly never-ending row of news on hacks of websites now this one in which 2.3 million individual cases of privacy sensitive data were accessible through a leak in the websites of most public broadcasting stations in the Netherlands. To make the news more cheerful, the accessible data was, if compiled, sufficient to successfully steal a complete identity. What were thoughts that came to my mind after hearing this news on Friday?

Unbelief

The 8 o’clock news item ended with the soothing words that everything possible was being done to secure the websites. What?, I thought. After all the items in the past year on the public broadcast news on hacks, phishing, hacked companies and websites, you guys never bothered to check your own? Apparently this is a thought that doesn’t spring up in anyone’s mind till it’s too late. Or is it?

Ignorance or not caring?

So either the level of ignorance on security at the IT side of companies and organisations is disconcertingly high. Are these people so ignorant or incompetent security wise? If this was the year 2000, I’d answer yes, but not in 2011.

Or the situation is much worse. Do people not care because losing privacy sensitive data is of no concern to them? Nothing is lost that damages an organisation. Some reputation at most, but nothing that seems to ring much longer than the news item. Is this a reason why no money is spent on preserving the data in a secure way? That there is no incentive to do so, because there is no consequence attached to losing the data? In the end no one seems to be held accountable.

Well, there’s Diginotar, isn’t there?

Only in a situation like Diginotar the consequence was ultimate, bankruptcy, but in most other cases there is no alternative for the persons whose data was lost. The voters of Radio 2’s “Top 2000”, who were the hardest hit by the hack, will vote again next year. The same goes for most other hacks. Does anyone switch from Sony or Visa, Ticket.nl, etc., to another company because of a hack? Usually not. Also there is no legal consequence from an enforcement point of view as privacy commissioners are not focussing on commercial companies and may not have the teeth to really bite.

Why do they need all this data?/What do they use it for?

When I’m filling in an online form, I usually wonder what they need all this data for. There is absolutely no need for me to fill all this in in order to participate or order something. Still it’s asked, obligatory fields too and subsequently lost through hacks, as apparently it’s also stored for about forever. So, I’m only guessing here, they either ask far too much or they use it for other (commercial?) purposes. Maybe it’s a good thing when companies and organisations start asking themselves whether they need all this data, if they can’t protect it. Maybe for a government to think about rulings?

Privacy debate

Journalist Brenno de Winter on Twitter stated that it’s about time we had a national privacy debate. A good idea, but not something we should all wait for as the answer, because in the meantime there will not be a website left to hack.

It’s also time for a debate with organisations and companies that are responsible for hosting, creating, maintaining, etc. websites on what the quick wins could be. Like in right now.

What could be a good result? I guess, to progress to a situation in which all major organisations in the Netherlands, whether public or private, that store data on a grand scale:

• are aware of threats;
• comply to socially wanted and needed levels of security;
• have and maintain secure websites, including older versions and have their passwords to a higher level.
• (160 times the same password for public broadcast websites maintenance!);
• and on a voluntarily basis;
• built new websites from now on that are automatically secured.

How to achieve that? I can think of a few ways, but then so can you, right?

The debate could tackle enforcement of non-complying organisations and if the privacy commissioner isn’t able to do so, give it to OPTA (in The Netherlands. Elsewhere an agency with like enforcement powers). I’m thinking along the lines of a “duty to care” (“zorgplicht”) which is already in the Telecommunication Act.

Or we can decide that we don’t care, so we can stop publishing about it. Let’s not forget that that is also an option. Not one that I’d favour by the way. Apparently self-regulation isn’t working, so do something about it.

Let’s make 2012 the year of securing websites!