
Welcome back to the Identity Theft Resource Center's (ITRC) Weekly Breach Breakdown, supported by Sentilink. I'm James Lee, the ITRC's COO. This is the episode for Friday the 13th of September, 2024. Each week on this podcast, we look at the most recent events and trends related to data security and privacy. Today, we will look at a cybersecurity researcher being sued by the City of Columbus after pointing out a cyberattack. 

Let's start this episode with an apology to all of you who suffer from Triskaidekaphobia. That's the fear of the number 13. That's also why we think of Friday the 13th as a bad luck day. It's a notion that goes all the way back to the Middle Ages in Europe. However, we're here today to discuss another long-followed practice: Don't shoot the messenger.

The ancient Greek playwright Sophocles was among the first to include a reference to the concept when he wrote, "No one loves the messenger who brings bad news" in Antigone. Shakespeare picked up on the theme twice – in Henry the IV and Antony & Cleopatra, when the Egyptian Queen threatened to use the messenger's eyes as sports balls.

In the days of Town Criers who delivered official news on behalf of the Crown, harming the Crier was even considered treason. Today, we don't throw people in the stocks. We generally abide by the rule that the person who delivers the bad news is not accused of being the person who caused it. When it comes to cybersecurity, though, that is not always the case. 

A cybersecurity researcher was sued by the City of Columbus after he pointed out a cyberattack against the City, which resulted in the personal information of residents and employees being breached. The problem was the City had said the information was encrypted and, therefore, useless to the criminals who stole it.

The researcher contacted the local news media to say, "Au contraire, mes amis." The cyber expert provided evidence that the stolen data was, in fact, unencrypted and useful. He noted that the exposed personal information included names, Social Security numbers, and other types of sensitive data. A large amount of information pertained to police officers and crime victims.

Instead of thanking the local cyber sleuth for determining the residents of Columbus were still at risk – after City leaders had given the all-clear – officials in the capital of Ohio took aim and sued the cybersecurity expert.

In the city's view, in removing the data from the Dark Web site of the criminals that stole the information and then sharing the proof with the news media that the information was not encrypted and not useless as city officials claimed, he had violated the privacy of the city's residents and caused irreparable harm.

This is now a matter for the courts and for the judicial process to decide who, if anyone, is wrong. But, and you knew there would be one, this is a great illustration of why it is so important that we increase transparency in cybersecurity. Sharing – not hiding – details is vital to building trust and confidence in our digital economy as well as combating the bad actors who would steal our resources and our identities.

Can it be embarrassing to be called out as premature or wrong when declaring, "There is nothing here to see; move along" after a breach? Sure. However, it's so much worse to fail to disclose the real risks people face when personal information is stolen – and then shoot the messenger. 

If you want to learn how to secure your personal or business information, or if you think you have already been the victim of an identity crime like a data breach, speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. ET). Just visit www.idtheftcenter.org to get started. 

Thanks again to Sentilink for supporting this podcast and the ITRC. Be sure to check out our sister podcast, the Fraudian Slip, wherever you listen to your podcasts. We will return next week with another episode of the Weekly Breach Breakdown. Until then, thanks for listening.