To what extent is an organisation liable when they get security wrong?

I was amused (and frankly a little bewildered) the other day to see this bloke in the paper:

936597-047d93c4-737d-11e3-82a9-fbdd3ae7c5df

What he’s holding there is a fine… for leaving his car windows down a little. You see, the police down here took a view that in doing so he was inviting criminals to break into his car by very clearly leaving his security in a compromised state. This, in turn, deserved a $44 fine.

So here we have a case where a bit of security negligence (and I think we can all agree that’s what it is, regardless of how minor the situation may be) has led to the law stepping in and taking some affirmative action. Now, if the vehicle had have been broken into and ransacked or stolen, clearly the perpetrator would have faced the stiff arm of the law and rightly so. But any reasonable person would also look at this after a break-in and say – “Mate, you left your window open, what did you think was going to happen?!”

Which brings me to Snapchat and more specifically, their defence following last week’s breach of 4.6 million accounts:

In an interview last week, a top company executive blamed abuse by hackers — not the company’s own software.

Ah, so not their fault at all, it was those pesky hackers! Obviously they weren’t aware that they’d proverbially left their windows down, right? Well that’s the interesting bit because after the risks were well-documented publicly in August, Snapchat responded… four months later. So they knew about the risks. Then the risks were further detailed just before Xmas and Snapchat responded again:

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.

“Theoretically”, if you were able to stick your arm through an open window you could open a car door. That’s just theoretical, of course.

Anyway, next thing you know we have 4.6 million phone numbers and usernames out in the wild yet somehow, Snapchat is not to blame. This isn’t just leaving your windows down a bit on one occasion, this is leaving them down and the keys in the ignition for months on end and being warned multiple times about the risk and still thinking you’re not to blame.

The article about their innocence in the whole affair goes on to quote their co-founder and CEO:

We call it abuse. A tool that we developed to help Snapchatters find their friends was used by someone to find the usernames of people that weren’t their friends

Holy crap – someone would do that?! This is like Trust, but verify only without the “verify” bit; you simply cannot create software that sits out there on the web facing billions of people and assume that every one of them will only use it the way you would like them to. That’s the whole premise of why we have application security and indeed it’s precisely what they were warned about – people will try to do unkind things with your software. Expect it.

Getting back to liability though, we have multiple precedents where organisations have built shoddy software and then been held liable – legally liable – for some amount of damages as a result. For example, Sony was fined £250K by the ICO in the UK after the Playstation Network breach. They also investigated Tesco after my expose 18 months ago. Over in the US, Target is now facing a class action following the breach of 40 million customer credit cards. From that video:

If Target is not using the latest and greatest technology to combat these hackers – to combat these security breaches – then they’re going to be held liable.

Arguably, there is some subjectivity around “latest and greatest” just as there is in terms of whether an organisation implements “reasonable” measures to protect their data. But one thing is crystal clear – organisations have a responsibility to protect their data. Just because someone else needs to commit a crime in order to breach it in no way absolves the organisation of all responsibility.

Now, with the benefit of hindsight, Snapchat has decided that in fact their security is deficient:

We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.

It’s just not their fault, that’s all.

Security
Tweet Post Share Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals