The Astro Data Breach


I previously wrote about how data breaches are like diamonds:

  • They’re not as rare as you think
  • They’re worth far more to you than to a thief
  • They last forever

And the recent debacle over the Astro data breach epitomizes all of these characteristics.

First off, Lowyat has already reported three big data breaches (at least by my count), and rest assured these won’t be the last. Data breaches will continue to happen, and just like diamonds, they’re not as rare as people think they are. They happen all the time; get used to it.

Secondly, the Astro breach is reportedly being sold for 30-45 cents per record. Almost any victim would be willing to pay 100 times more to keep that data private, yet on the ‘market’ these things sell for pennies. Honestly, I’d be surprised if anyone paid the sticker price on this, because even 30 cents per record sounds high to me.

Finally, (and most importantly), data breaches are forever!

It’s like peeing in the pool: once you do it, there’s no reversing the process. There is no such thing as ‘un-breaching’. Astro (and Lowyat) thought that the breach was “contained” once the links were taken down, but there is no containing a data breach.

If there were a way to contain digital data on the internet, illegal downloaders wouldn’t be an issue!

Once a breach happens, we expect the authorities and data owners to try to limit the damage inflicted on victims. Part of that is trying to ‘contain’ the breach, but most of it is simply informing the victims with specific details of what data of theirs was breached.

It gives victims visibility of what data was lost, and allows them to take at least some measures to protect themselves.

Sure, Astro lodged a police report and roped in MCMC, but what’s the point of telling the regulator if the regulator won’t inform the customers it is duty-bound to protect?
