The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: There was another massive data breach. People will probably forget it in a week.

with Aaron Schaffer

A data breach that affected more than 40 million current, former and prospective T-Mobile customers is a massive cybersecurity incident that is bound to spark a public backlash. 

Or, then again, maybe it will be forgotten in a week.

The proliferation of ever-larger breaches during the past decade has left the public so inured to such news that it has become increasingly less likely that a breach will make any public splash at all, no matter how big it is. It’s an effect security researchers describe as “breach fatigue.” 

Put another way, 40 million would be a very big number if we were talking about people filing for unemployment, sick with a virus or displaced by a natural disaster. But when it’s people victimized by a data breach, it hardly registers. 

“I think the public is already at the point of seeing tens of millions of customer accounts compromised as a non-story,” Maurice Turner, cybersecurity fellow at the German Marshall Fund’s Alliance for Securing Democracy, told me. 

That breach fatigue has made it harder for any single data breach to galvanize action in Washington or state legislatures.

The sheer volume of this latest breach … can make it difficult to appreciate the tremendous damage being done to individuals when their information is seized by hackers,” Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, told me. 

It has also made it far more difficult for cyber educators to persuade people to adopt better behavior, such as adding extra authentication procedures to access accounts and not clicking on suspicious-looking links.

There’s a sense of learned helplessness, Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, which advocates for good cyber hygiene, told me. “There’s a sense that, ‘this is going to happen no matter what I do, so I’m not going to do anything because it’s out of my hands.’ ”

The apathy built slowly. 

“In 2012, there was one mega-breach reported, defined as 10 million identities affected. That is a slow news week now,” Peter Singer, a cyber and national security researcher at the New America think tank, told me. The reference is to a breach at the credit card payments processor Global Payments. 

The next year, in 2013, a breach at Target compromised the personal information of 40 million customers around the Christmas holidays. That was also a big deal, driving Target’s stock price down 10 percent and prompting a Senate hearing and the resignation of the retailer’s CEO. 

But then breaches got super-sized again and again. 

Here’s just a smattering:

More recently, the focus has been on ransomware attacks that can have significant effects on national and economic security. Notably, the Colonial Pipeline attack disrupted gas supplies to the southeastern United States and prompted panic buying, and the JBS hack threatened the global meat supply. 

With threats like that to worry about, it can be tough for the mere theft of people’s personal information to get much public attention. 

As the public has become numb to those big numbers, Washington has become far les likely to focus on breaches that affect only tens of millions of victims. 

Investors have also become less likely to abandon companies that suffer breaches, research suggests

Most importantly, the fact that nearly every American has been a data breach victim at this point doesn’t seem to have made the public take cybersecurity more seriously.  

One problem is that most people can spend years with troves of their personal information compromised by hackers but suffer only minor inconveniences such as hacked social media accounts. 

They don’t have to deal with the endless bureaucracy of recovering from identity theft or fraudsters pilfering from their bank and retirement accounts. 

Security people and the media relied on fear to talk about these security issues,” Plaggemier said. “And if it keeps happening and I don’t see any personal fallout then all you’ve done is cry wolf — until I’m personally affected.” 

Credit card and other companies also typically cover any losses from cyber fraud so the individual victims are inconvenienced but don’t lose great sums of money. 

The larger-than-life numbers of victims can also distract from some key details of the individual breaches. 

The T-Mobile breach was significant because the hacked information included Social Security numbers for many if not all of the 7.8 million victims who are current subscribers and the 40 million victims who previously applied for credit with the company, Hamza Shaban reported.

Account PINs were also compromised for about 850,000 active customers with prepaid phone plans. T-Mobile reset all PIN numbers for those accounts, the company said.

Such information can be especially damaging in the hands of identity thieves. 

The company has also suffered a string of breaches in recent years, including a breach disclosed in January and others back in 2018. The Federal Communications Commission will probe the most recent breach. 

The keys

Apple defended its system for finding child pornography after researchers spotted flaws.

A version of Apple’s system said two different images were the same image, raising questions about the tool’s efficacy, Motherboard’s Joseph Cox, Lorenzo Franceschi-Bicchierai and Samantha Cole report. The version of the system that researchers tested is generic and not the final one that will be used to check for child pornography, Apple told Motherboard.

The controversial system is designed to scan the digital footprints of customer photos uploaded to iCloud for indicators that match known child pornography images. Privacy advocates have blasted the system, which is set to roll out when Apple launches its new operating system. 

Apple says researchers can inspect the system for problems. Apple foe Corellium is offering researchers $5,000 grants to do just that.

More than 90 policy and digital rights groups around the world published an open letter this morning urging Apple to scrap the system, Reuters’s Joseph Menn reports

Hackers breached U.S. Census Bureau systems, a government watchdog said.

They used an easily available hack to get into agency servers, the Record’s Catalin Cimpanu reports. The Census Bureau didn’t patch the vulnerable systems, even after the vendor warned the agency that they were insecure, the Commerce Department’s inspector general said. The agency also took weeks to investigate the hack and to inform the Cybersecurity and Infrastructure Security Agency, the watchdog said.

The servers weren’t connected to data related to the 2020 Census and hackers weren’t able to change decennial census data, according to the agency. The hackers also weren’t able to set up a way to get long-term access to the servers, the watchdog said.

An Ohio man pleaded guilty to running a cryptocurrency-laundering service. 

Larry Harmon will cooperate with law enforcement officials as they crack down on services that “tumble” digital currencies to disguise their origins, Rachel Weiner reports. Harmon’s service, called Helix, helped vendors anonymize their proceeds from dark net marketplaces that sold illegal drugs, guns and other items, according to court records.

More than $300 million passed through Helix, according to prosecutors. Harmon could dispute that number when he is sentenced. The Treasury Department fined Harmon $60 million last year; he has also agreed to forfeit more than 4,400 bitcoin, the equivalent of $200 million in today’s money, according to the Justice Department.

Securing the ballot

FBI joins criminal probe in Colorado voting equipment breach (Associated Press)

Arizona county seeks reimbursement for new voting machines (Jonathan J. Cooper | AP)

Industry report

OK, so you stole $600m-plus from us, how about you be our Chief Security Advisor, Poly Network asks thief (The Register)

This Russian cyber mogul planned to take his company public. Then America accused the company of hacking for Putin’s spies. (Forbes)

9to5Mac writer paid source $500 in bitcoin for stolen Apple data (Motherboard)

Cyber insecurity

Apple’s double agent (Motherboard)

The new WikiLeaks (The New Republic)

Kushner friend Ken Kurson charged in N.Y. eavesdropping case after Trump pardon (Shayna Jacobs)


  • National cyber director Chris Inglis speaks at the CyberScape National Security event today at 11 a.m.
  • The National Democratic Training Committee hosts a training session with the Democratic National Committee and Defending Digital Campaigns today at 1 p.m.

Secure log off