Why Do People Still Not Expect The Spanish Inquisition?

Not a day goes by that there isn’t a new story about companies or agencies getting hacked and user data exposed.

Yet every one I read about is the same: they failed to properly protect their databases and systems, and someone leaked, stole, or exposed valuable data.

It’s like people have never seen the Monty Python sketch where someone remarks “I didn’t expect the Spanish Inquisition” and in jump the three cardinals who yell “no one expects the Spanish Inquisition”. Even within the episode that introduced the sketch, after the first appearance everyone expected them.

(As an aside the real Spanish Inquisition was a quasi-religious judicial system that the Spanish Monarchy created to investigate and root out falsely converted Jews and Muslims and later on Protestants as well, all supported by basically pointing a gun at the Pope to endorse it. They came to towns fully announced and even if you were targeted it was a judicial process like any other at the time. Most people were not executed and occasionally some were even found not guilty—there were a number of different degrees of guilt with only the worst one resulting in execution.)

With so many reports of hacking you would think people would take it as a suggestion that something be done to protect their data, yet virtually every report is the same—lame or no encryption, limited defenses, and usually a ridiculous excuse.

There are so many reports now that many simply disappear. Many of the hacked entities probably assume the story will never be widely heard or will be overshadowed, and therefore that they don’t need to do anything smart. I am sure many simply treat it as a cost of doing business, not worth spending a dime on security.

To me that’s the worst attitude of all: that a customer’s personal information is simply not worth caring about. Get hacked, offer some lame credit check, assume the story will fall off the end, and continue to spend money on enriching the executives or advertising or whatever is more important.

The most galling hack of course was the US Government losing the deepest personal information of 18,000,000 people with security clearances, and apparently to a foreign power’s military. The excuse of course was a lack of budget or old hardware, ridiculous given the enormous amounts spent on the military and the intelligence community. So what is the point of the NSA spying on everyone when we just gave all the data for free to a foreign power? Yet even the mighty NSA got hacked and all of its secrets exposed, again because they failed at simple security planning like limiting access.

When I worked for a HIPAA healthcare company I found the production server and database passwords were stored in a text file available to half the company, as the chief architect didn’t like to remember them. When I complained the CTO told me “we pass our audits, and we trust our employees”. I am sure the NSA likely said the same thing, as I am sure the leaders of all these hacked companies said at one time.
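The shared passwords file in the anecdote above is the sort of thing a defender can catch mechanically before an auditor or an attacker does. The following is an added example, not code from the post's author or from any company mentioned; it constructs a hypothetical credentials file (the values are made up), checks whether the file is readable by anyone other than its owner, and flags lines that look like plaintext credentials. The key names and the regular expression are assumptions chosen for the illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the kind of "passwords.txt" the post describes.
# Hostname, user and password are hypothetical placeholders.
SAMPLE_CREDENTIALS = """# prod access - don't lose this
db_host=prod-db.internal
db_user=app
db_password=hunter2
"""

# Assumed heuristic: a key that names a secret, followed by '=' or ':'.
CREDENTIAL_KEY = re.compile(r"(pass(word)?|secret|token|api[_-]?key)\s*[=:]", re.IGNORECASE)


def audit_secret_file(path):
    """Return a list of findings for a file that may hold credentials.

    Two checks: POSIX mode bits that let group or others read the file,
    and lines whose key looks like a credential stored in plaintext.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable by group/others (mode {oct(mode)})")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if CREDENTIAL_KEY.search(line):
                findings.append(f"line {lineno}: plaintext credential-looking entry")
    return findings


def write_sample(path, mode):
    """Write the constructed sample file and set its mode bits explicitly."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    os.chmod(path, mode)


def demo():
    """Audit two copies: one shared as in the anecdote (0644), one owner-only (0600)."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "passwords.txt")
        write_sample(shared, 0o644)  # half the company can read it
        locked = os.path.join(tmp, "locked.txt")
        write_sample(locked, 0o600)  # owner only; still plaintext, still flagged
        return audit_secret_file(shared), audit_secret_file(locked)


if __name__ == "__main__":
    for label, result in zip(("shared", "locked"), demo()):
        print(label, result)
```

The mode check only addresses the "available to half the company" part; the content check still fires on the owner-only copy, which is the point: tightening permissions reduces exposure, but the password still belongs in a secrets store or an environment injected at deploy time rather than in a file someone keeps because they dislike remembering it.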

I remember working at a financial services company in the early days of PCI where we argued that our customers’ credit card information should be encrypted on the AS/400 and also in Oracle. Yet the 4GL programmers complained that they would have to rewrite all their apps, so instead a committee was formed to investigate whole-disk encryption, which I think never happened. Of course security costs money, and who has money? Much cheaper to just take a chance that no one cares about our data.

I guess there is nothing we can do short of jailing the CEO when customer data is lost, and of course that sort of thing will never happen. So far any laws requiring data protection seem mostly toothless or are easily sidestepped.

Our modern interconnected and data-heavy world seems destined to fall apart at some point—once everyone’s most private data is available everywhere, how does anything work? Whom do you trust? How do you verify that anyone is being careful? I bet there are more hacked companies and agencies that simply refuse to even mention that they were hacked than those that do.

The funniest thing about all this is that the basics of protecting your data aren’t remotely rocket science. But having the will to do it and the willingness to spend the money apparently is. Even worse is the deliberate ignorance that you could be next in the face of so many hacks. Self-delusion is apparently a requirement to be a CEO or run a government agency.

I do think that there are CSOs out there who do understand and do want to protect their data and are denied the funds or the power to do anything about it. That has to be a frustrating job; it’s like insuring a homeowner who has no doors, stores their jewelry in the front hallway with a neon arrow, and has a sign in the yard saying “steal from us”.

Everyone should expect the Spanish Inquisition, in the form of people trying to steal your data. It should never be unexpected. In fact you should know they are right outside the door, just waiting to pounce on you.

Perhaps we should put the CEOs of grossly hacked companies in a comfy chair and poke them with pillows. At least they would be embarrassed!