CrankySec

Data protection for dummies.

Did you guys see we made it to Hacker News? What a fucking honor. To be featured on a website where people think you can end global poverty by "doing startups" is such a dream come true. Since I don't usually read HN, I know one of my posts made it there because of a very sudden increase on the number of people joining our Discord, and someone told me "we're coming from HN!" But I guess if you're joining a Discord dedicated to bitching and moaning about cybersecurity, you're a-ok in my book. Regardless of website of origin.

With that welcome out of the way, allow me to try and parse the only HN comment I read because it was sent to me:

Hacker News comment

Good buddy here took my suggestion of "maybe have data protection rules?" to mean "adopting PCI-DSS will solve every cybersecurity problem!" Which, let's be generous, might be a problem with reading comprehension and/or tunnel vision from someone who perhaps thinks that "breaking into" Bubba from marketing's laptop is the same as compromising payment card data and causing millions of dollars of fraud-related losses.

Here's the thing about PCI-DSS and the people who run the program: they don't give a flying fuck about your breaking into PCI compliant companies. They don't give a fuck about the companies themselves. What they do give a fuck about is this: If you fuck up the handling of the data that does not belong to you, they are going to make it your problem. Shifting liability, baby!

PCI-DSS ties up security and engineering teams by design. The costlier it is for you to keep that data around, the less inclined you'll be to collect it in the first place. So, what happened? A bunch of people miraculously realized that they don't really need that data, that tokens are just fine, that end-to-end encryption managed by the payment processors is doable, and that having this data flowing around is a pain in the ass.

It's not about the security of the PCI compliant companies, bud. Never been. It's about having the contractual means of holding those companies accountable if they fuck up. It's the card brands and banks saying "Here's the bare minimum you'll need to do if you want to handle cardholder data. You do everything here, you should be fine. If you don't, you're probably going to have to pay up." It's banks and card brands doing risk management on data that is critical to their business, not yours.

If you read that post carefully, and try and look beyond your little pentester world, you'll see what I meant: make it costly, unprofitable, and a pain in the ass to keep other people's data around. Tie up security and engineering teams. Develop data protection laws that will dissuade companies from collecting your fucking data in the first place. Why the fuck does a paint-by-numbers app on your phone need your precise location, access to your contacts, home address, and social security number? They don't, but they want it for other purposes. And, when they inevitably fuck that up, you need redress. You can't let them walk away with the only downside of their negligence being just the cost of sending some emails and offering some "identity monitoring" done by companies that also mishandle your data, while you need to go through the motions of cleaning up their mess.

So, yeah, buddy boy: data protection rules and regulations are not meant to make it impossible for you to "break into" compliant companies. They exist to make these companies think twice before they decide to hoard and monetize data they don't need.