Let’s start today’s piece with a question, ladies and gentlemen: who here is tired of hearing about data breaches? These days, it seems like you can’t even browse the web without hearing about yet another major corporation that lost sensitive information or leaked consumer data. Perhaps one of the most alarming in recent memory was the attack on VTech.
In early December, the global toy manufacturer disclosed a cyberattack in which the perpetrator accessed the account details of more than six million children. Although the man responsible has since been arrested, an investigation into the company revealed that, shockingly, it made little effort to protect customer passwords. They were hashed with a fast, general-purpose algorithm and stored unsalted, which means that every user who chose the same password got the same stored hash, and an attacker with a precomputed table of common passwords could recover most of them in seconds.
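To make the “weakly hashed and unsalted” point concrete, here is an added Python example that is not VTech’s code or anything from the original piece. It stores the same constructed set of accounts two ways: first as bare, unsalted MD5 digests, which an attacker cracks by simply looking each digest up in a table built from a short wordlist, and then with a per-user random salt and PBKDF2-HMAC-SHA256, where identical passwords no longer produce identical records and each guess costs hundreds of thousands of hash iterations. The account list and wordlist are constructed for the demo; the iteration count is an assumption that follows current OWASP guidance rather than anything the article states.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample accounts; alice and bob happen to share a password.
SAMPLE_ACCOUNTS = [
    ("alice", "password"),
    ("bob", "password"),
    ("carol", "Tr0ub4dor&3"),
]

# Constructed stand-in for the attacker's precomputed table of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

# Assumption: OWASP's recommended work factor for PBKDF2-HMAC-SHA256 (not from the article).
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted MD5: fast and deterministic, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_weak(accounts: Iterable[tuple]) -> Dict[str, str]:
    """What a VTech-style password table looks like: user -> bare MD5 digest."""
    return {user: weak_hash(pw) for user, pw in accounts}


def crack_weak(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Attacker side: hash the wordlist once, then recover every user by table lookup.
    No salt means one table cracks every account at once."""
    table = {weak_hash(candidate): candidate for candidate in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as algo$iterations$salt$digest so the
    parameters travel with the record and can be raised later."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def store_strong(accounts: Iterable[tuple]) -> Dict[str, str]:
    """Same accounts, each with its own random salt: equal passwords no longer collide."""
    return {user: strong_hash(pw) for user, pw in accounts}


def verify_strong(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    weak = store_weak(SAMPLE_ACCOUNTS)
    print("unsalted MD5 table :", weak)
    print("cracked by lookup  :", crack_weak(weak, COMMON_PASSWORDS))

    strong = store_strong(SAMPLE_ACCOUNTS)
    print("salted PBKDF2 table:", strong)
    print("alice verifies     :", verify_strong("password", strong["alice"]))
    print("alice wrong guess  :", verify_strong("password1", strong["alice"]))
```

Running it shows alice and bob sharing one MD5 digest and both falling to the four-word wordlist, while their PBKDF2 records differ and the only way in is to verify one guess at a time at the full iteration cost. Salting alone does not make a fast hash safe; the slow, tunable work factor is the other half of the fix.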
It’s a strikingly, and perhaps depressingly, familiar story; the only thing that sets the VTech breach apart from the scores we’ve seen is that it involved children. Most enterprises simply do not treat protecting user data or safeguarding user privacy as a priority. As it turns out, there’s a very good reason for that.
Regulatory bodies, for all their legislative bluster, lack the teeth to do any serious harm to most large corporations. At most, they can slap a business with a fine. On the surface, that doesn’t seem so bad, right? After all, a fine is a direct hit on a business’s bottom line. What better way to punish an organization than to hit it in the pocketbook?
That’s great thinking. The only problem is that the fines are never large enough to actually make a dent. Consider the penalty handed to AT&T last year for 2013 and 2014 call-center breaches that exposed roughly 280,000 customer records: $25 million. That is more money than most people will see in a lifetime, but to a company that reported $3.2 billion in net profit in a single quarter of 2015, it is a drop in the bucket.
The FCC penalty, touted as the regulator’s largest privacy enforcement action to date, amounted to a small fraction of 1% of the company’s annual revenue, and probably cost it less than implementing proper security procedures would have.
Of course, there are other consequences to a breach, too. Loss of reputation. Class-action lawsuits. Loss of revenue.
Again, though, these are all drops in the bucket. How many times has Sony’s PlayStation Network been breached, attacked, or compromised? How many times have we heard of a social network like LinkedIn using appallingly shoddy security techniques?
And yet, in spite of all this, people still use them. Customers forget how their data was compromised and blindly follow their brands of choice. The problem here is twofold: most customers seem to have remarkably short attention spans where privacy violations are concerned, and the actions taken by those who do respond rarely cost the company much more than a regular operating expense.
Taken together, all of this amounts to one truth: companies don’t care about privacy because it’s more profitable not to. They have no reason to adopt best practices, because there are no real consequences for ignoring them. Until regulators are actually given the capacity to cause lasting harm to businesses that botch their security, and until consumers are willing to vote with their wallets, that isn’t going to change.