It seems like every other week there is a news report on data breaches. Last year, it was reported that the computer systems of the White House and the State Department had been compromised in an attack that was attributed to Russian hackers, and it even appears that some of President Barack Obama’s unclassified emails may have been obtained by the intruders.
Only a few months later, the Office of Personnel Management (OPM) announced an intrusion in which hackers appeared to have targeted the files of workers who had applied for top-secret security clearances. It is believed that the same hackers responsible for OPM's breach last year are also responsible for the breach OPM announced this June, in which the personal data of up to 18 million current, former and prospective federal employees may have been accessed. Other countries have not been spared by cyber-attacks, with the European Central Bank, the Russian Central Bank and China's Central Bank also having been targeted.
Data breaches are not only problems for governments, though; the private sector frequently falls victim to cyber attacks. The Sony Entertainment hack was probably the most widely covered cyber-crime incident of 2014, as millions of internal documents, private emails and employee details were leaked online. JP Morgan Chase suffered a data breach affecting approximately 76 million households and seven million small businesses. Other major cyber-attacks include Staples, where 1.16 million shoppers' credit and debit card details may have been stolen; Home Depot, where 56 million customer debit and credit cards were exposed; and online retail giant eBay, with 145 million accounts put at risk.
Companies' loyalty card systems have also been targeted by hackers. More recently, Anthem, the second-largest health insurer in the U.S., suffered a massive attack on its IT systems and said that up to 18.8 million people could have been affected by the breach. Similarly, Premera Blue Cross also became a victim of an attack on its IT systems, and as many as 11 million people may have been affected by the breach. CVS and Walmart Canada have also announced that a data breach at a Canadian information-technology vendor may have leaked credit card information from their online photo processing websites. In August 2015, it was revealed that the personal information of more than 2.4 million customers of Carphone Warehouse, which included bank details, addresses, names and dates of birth, may have been accessed by hackers.
And according to a recent study conducted by the Ponemon Institute and sponsored by IBM, data breaches cost companies in the U.S. an average of $217 per compromised record, with the total average cost paid by organizations amounting to $6.5 million.
With the media's strong emphasis and coverage of reported data breaches, one could be tempted to see data privacy only from the viewpoint of data security. However, according to Bryan Cave's 2015 Data Privacy Litigation Report, "there is far more litigation centered on data privacy than on data breaches." The same report further notes that "plaintiffs' attorneys are six times more likely to file a complaint relating to an event concerning data privacy than one concerning a data breach. In addition, three times more plaintiffs' law firms have invested resources in bringing data privacy cases than have invested resources in data security breach litigation."
Numerous examples have shown that simply adopting standard web security practices is not enough, and that disastrous consequences can follow if privacy is not taken seriously: the recent Ashley Madison breach serves as a reminder of how important it is to always keep privacy in mind.
Here are some lessons learned the hard way in relation to data security and privacy:
Beware of Email Scams
Ubiquiti Networks, a California-based manufacturer of wireless products for service providers and enterprises, recently disclosed that it lost a total of $46.7 million through an email scam. According to the company’s financial filing, the “incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department."
Similarly, one of Omaha, Nebraska’s biggest and oldest companies, The Scoular Co., an employee-owned commodities trader founded 120 years ago, also fell prey to email fraud and lost $17.2 million in the process.
According to a recent alert from the FBI, cyber thieves stole nearly $215 million from businesses in the last 14 months using a scam that starts when business executives or employees have their email accounts hijacked. The key takeaway is to ensure staff are properly trained about the risks in relation to email, and if at all possible, CIOs and CISOs should consider additional IT and financial security procedures and two-step verification of payment requests, such as confirming any new payee or change of bank details through a second channel (a telephone call to a number already on file, not one supplied in the email).
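The impersonation the Ubiquiti filing describes usually shows up in the headers before anyone in finance reads the body: an executive's display name on an outside address, a domain one keystroke away from the company's own, or a Reply-To that quietly redirects the conversation. The following Go program, an added example and not code from any of the companies or agencies named on this page, screens constructed sample messages for those three signs. The corporate domain `example-corp.com`, the protected names list and the four messages are all assumptions made up for the illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Message carries the three headers this screen looks at. The struct and all
// sample messages below are constructed for this example.
type Message struct {
	From    string
	ReplyTo string
	Subject string
}

// Hypothetical company data: the real corporate domain and the lower-cased
// display names of people whose identity a fraudster would borrow.
const corpDomain = "example-corp.com"

var protectedNames = map[string]bool{"jane doe": true, "bob stone": true}

// domainOf returns the lower-cased part after the last '@', or "" if none.
func domainOf(addr string) string {
	i := strings.LastIndex(addr, "@")
	if i < 0 {
		return ""
	}
	return strings.ToLower(addr[i+1:])
}

// levenshtein is the edit distance between a and b, used to spot
// lookalike domains such as exampl-corp.com.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = prev[j] + 1 // deletion
			if v := cur[j-1] + 1; v < cur[j] { // insertion
				cur[j] = v
			}
			if v := prev[j-1] + cost; v < cur[j] { // substitution
				cur[j] = v
			}
		}
		prev = cur
	}
	return prev[len(rb)]
}

// BECFindings lists the red flags in a message; an empty slice means the
// headers alone give no reason to suspect impersonation.
func BECFindings(m Message) []string {
	var out []string
	from, err := mail.ParseAddress(m.From)
	if err != nil {
		return []string{"unparseable From header: " + err.Error()}
	}
	fromDom := domainOf(from.Address)
	name := strings.ToLower(strings.TrimSpace(from.Name))
	if protectedNames[name] && fromDom != corpDomain {
		out = append(out, fmt.Sprintf("display name %q is a protected name but the address is %s", from.Name, from.Address))
	}
	if fromDom != "" && fromDom != corpDomain {
		if levenshtein(fromDom, corpDomain) <= 2 {
			out = append(out, "sender domain "+fromDom+" is a lookalike of "+corpDomain)
		}
	}
	if m.ReplyTo != "" {
		if rt, err := mail.ParseAddress(m.ReplyTo); err == nil && domainOf(rt.Address) != fromDom {
			out = append(out, "Reply-To "+rt.Address+" routes replies away from the From domain")
		}
	}
	return out
}

// SampleMessages are constructed inputs: one genuine, three fraudulent.
var SampleMessages = []Message{
	{From: `"Jane Doe" <jane.doe@example-corp.com>`, Subject: "Q3 budget"},
	{From: `"Jane Doe" <jane.doe.ceo@webmail.example>`, Subject: "Urgent wire, call me after"},
	{From: `"Bob Stone" <bob.stone@exampl-corp.com>`, Subject: "Vendor bank details changed"},
	{From: `"Accounts Payable" <ap@example-corp.com>`, ReplyTo: `<ap@example-corp.co>`, Subject: "Invoice 4471"},
}

func main() {
	for _, m := range SampleMessages {
		fmt.Printf("%-32s -> %v\n", m.Subject, BECFindings(m))
	}
}
```

The first sample passes clean, and that is the point of the caveat: a genuinely hijacked executive mailbox produces perfectly valid headers, so checks like these complement the out-of-band confirmation of payment changes rather than replace it.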
Take Your Systems’ Security Alerts Seriously
The hack of nationwide retail giant Target was probably one of the most reported data breaches in 2014, with approximately 40 million customer debit and credit card records reported to have been stolen. According to reports, the company had received multiple warnings that its security systems had been breached but failed to act.
It is essential that processes are in place to ensure that the relevant system alerts and notifications are properly prioritized and acted upon; an alert nobody owns is no better than no alert. The key takeaway here is that CIOs and CISOs considering the acquisition of advanced threat detection systems should be familiar with the capabilities, but also the limitations, of such tools and systems.
Never Neglect Strong Password Protection
Arguably one of the most talked-about hacks of 2014, the leak of nude and intimate photos of various celebrities, is still making headlines. According to a June report from NBC News, almost 600 online storage accounts have allegedly been breached. It appears that users' account names, passwords and security questions were the means of entry.
The key takeaway here is that even the most robust security system may easily be breached without strong login credentials. In addition, using the same password for multiple online accounts significantly increases the odds of being compromised: if one account is breached, the other accounts may also fall like dominoes. Unique passwords kept in a password manager, and two-factor authentication wherever a service offers it, remove most of that risk.
Always Make Sure Sensitive Information Is Transmitted Securely
Two separate companies, Fandango and Credit Karma, settled charges in 2014 with the Federal Trade Commission (FTC), which alleged they both misrepresented the security of their mobile apps and, despite their security promises, failed to secure the transmission of millions of consumers' sensitive personal information from their mobile apps by disabling SSL certificate validation. That validation is what lets an app confirm it is talking to the genuine server; without it, anyone on the same network (a public Wi-Fi hotspot, for instance) can present their own certificate, sit in the middle of the connection and read or alter the data in transit.
When transmitting sensitive data, it is crucial to ensure that communications are secured: use TLS, leave certificate validation switched on in every build that ships, and treat any "skip verification" switch added for testing as a release blocker.
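To make the Fandango/Credit Karma failure concrete, here is an added Go example (not code from either company or from the FTC filings) that stands up a local HTTPS server with a self-signed certificate, the same thing an interceptor would present, and sends three clients at it: one with validation disabled, one with Go's default validation, and one that pins the single certificate the app expects. The server, its JSON response and the client names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newFakeBackend stands in for an app's API server. httptest gives it a
// self-signed certificate, which is exactly what an attacker sitting between
// the phone and the real server would present.
func newFakeBackend() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"status":"ok"}`) // constructed sample response
	}))
}

// insecureClient is the pattern behind the Fandango and Credit Karma cases:
// certificate validation switched off (often "temporarily", for testing).
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // accepts ANY certificate
	}}
}

// validatingClient is the default: the chain must lead to a trusted root and
// the certificate name must match the host being contacted.
func validatingClient() *http.Client {
	return &http.Client{}
}

// pinnedClient trusts only the one certificate the app is built to expect,
// so even a certificate from a public CA for the same name would be refused.
func pinnedClient(expected *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(expected)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// Fetch performs a GET and reports whether the TLS connection was accepted,
// plus the body on success or the error text on failure.
func Fetch(c *http.Client, url string) (ok bool, detail string) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return true, string(body)
}

// Run exercises the three clients against the fake backend and returns which
// ones accepted the self-signed certificate, keyed by client name.
func Run() map[string]bool {
	srv := newFakeBackend()
	defer srv.Close()
	clients := map[string]*http.Client{
		"insecure":   insecureClient(),
		"validating": validatingClient(),
		"pinned":     pinnedClient(srv.Certificate()),
	}
	results := map[string]bool{}
	for name, c := range clients {
		ok, detail := Fetch(c, srv.URL)
		results[name] = ok
		fmt.Printf("%-10s accepted=%-5v %s\n", name, ok, detail)
	}
	return results
}

func main() { Run() }
```

Only the insecure client hands its data to the impostor; the validating client refuses because no trusted root signed the certificate, and the pinned client accepts only because it was given that exact certificate, which is what lets an app recognize its own server and nothing else.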
Ensure Proper Data-Security Procedures Throughout the Company
Many data breaches originate from persons who have been granted access to the company's systems. For example, it appears that a data breach at DCH Regional Medical Center took place in June 2014 when an employee downloaded patient information, including Social Security numbers and account numbers, onto his personal laptop. He did this on the same day he was terminated from the hospital.
It is important to ensure that user access can be quickly terminated and that any unauthorized access to protected data is promptly investigated. The issue of unauthorized access is a common cause of data breaches. According to some media reports, the Ashley Madison attack may have been carried out by someone who had inside access to the company’s networks.
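The DCH incident is detectable from logs that most organizations already keep: an HR termination event followed by file access from the same account, or access from a device the company does not manage. The Go program below is an added example, not DCH's or any vendor's detection code; its log format, the five sample lines (modelled on the scenario above) and the managed-host inventory are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed log line: timestamp, event kind, then key=value fields.
// The line format is invented for this example, not any product's schema.
type Event struct {
	At     time.Time
	Kind   string
	Fields map[string]string
}

// ConstructedLog is made-up sample data: a user is terminated at 09:12 and
// pulls patient files to a personal laptop shortly afterwards.
const ConstructedLog = `
2014-06-10T08:55:02Z file.access user=jdoe host=WS-1187 file=schedule.xlsx bytes=20480
2014-06-10T09:12:44Z hr.terminate user=jdoe
2014-06-10T09:40:19Z file.access user=jdoe host=PERSONAL-LAPTOP file=patients_ssn.csv bytes=48211123
2014-06-10T09:41:03Z file.access user=jdoe host=PERSONAL-LAPTOP file=billing_accounts.csv bytes=9100221
2014-06-10T10:02:00Z file.access user=asmith host=WS-0231 file=schedule.xlsx bytes=20480
`

// ManagedHosts is a hypothetical asset inventory; anything else is unmanaged.
var ManagedHosts = map[string]bool{"WS-1187": true, "WS-0231": true}

// ParseLog turns the text log into events; a malformed timestamp is an error.
func ParseLog(raw string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		parts := strings.Fields(line)
		if len(parts) < 2 {
			continue
		}
		at, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		ev := Event{At: at, Kind: parts[1], Fields: map[string]string{}}
		for _, kv := range parts[2:] {
			if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
				ev.Fields[p[0]] = p[1]
			}
		}
		evs = append(evs, ev)
	}
	return evs, nil
}

// Alert is one access worth an analyst's attention.
type Alert struct {
	User, File, Reason string
}

// Detect applies two rules to the events (which may arrive in any order):
//  1. a file.access by a user at or after that user's hr.terminate event;
//  2. a file.access from a host that is not in the managed inventory.
func Detect(evs []Event) []Alert {
	terminated := map[string]time.Time{}
	for _, ev := range evs {
		if ev.Kind == "hr.terminate" {
			u := ev.Fields["user"]
			if t, seen := terminated[u]; !seen || ev.At.Before(t) {
				terminated[u] = ev.At // keep the earliest termination time
			}
		}
	}
	var alerts []Alert
	for _, ev := range evs {
		if ev.Kind != "file.access" {
			continue
		}
		u, host, file := ev.Fields["user"], ev.Fields["host"], ev.Fields["file"]
		if t, ok := terminated[u]; ok && !ev.At.Before(t) {
			alerts = append(alerts, Alert{User: u, File: file, Reason: fmt.Sprintf(
				"accessed %s after termination at %s", ev.At.Sub(t).Round(time.Second), t.Format(time.RFC3339))})
		}
		if !ManagedHosts[host] {
			alerts = append(alerts, Alert{User: u, File: file, Reason: "accessed from unmanaged host " + host})
		}
	}
	return alerts
}

func main() {
	evs, err := ParseLog(ConstructedLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(evs) {
		fmt.Printf("%-7s %-22s %s\n", a.User, a.File, a.Reason)
	}
}
```

The morning access from the managed workstation, before HR recorded the termination, raises nothing; the two downloads to the personal laptop raise both rules. In practice the HR feed is the weak link: if termination reaches the identity system hours after it reaches HR, rule 1 fires late, which is exactly why access should be cut at the moment of termination rather than at the next sync.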
Don’t Track Your Customers Without Their Express Consent
According to a complaint from the FTC, Aaron's, Inc., a national rent-to-own retailer, allowed its franchisees to install and use software on rental computers that secretly tracked consumers' locations and monitored them by taking webcam pictures of them in their homes or capturing their login credentials through the use of keyloggers.
Aaron’s subsequently entered into a consent agreement with the FTC, where it agreed to give clear notice and obtain express consent from consumers at the time of rental before using any technology that allows location-tracking of a rented product. Under the terms of the consent agreement, Aaron’s would have to give notice to consumers not only when it initially rents the product but also whenever the tracking technology is activated unless the product has been reported as lost or stolen.
Gathering customer information should only take place upon clear notice to the customer and with the customer's consent.
If You Make a Promise, Make Sure You Keep It
This is not the first time that a company has been charged for not keeping a promise made, and it seems that it may not be the last. Snapchat, the developer of a popular mobile messaging app, was charged by the FTC with deceiving consumers about the disappearing nature of messages sent through the service after the expiry of the sender-designated time period, as well as with misleading customers over the amount of personal data it collected and the security measures taken to protect that data. It then agreed to settle those charges with the FTC, under which it was required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.
The above settlements demonstrate the FTC’s willingness to go after companies that do not keep their privacy promises to consumers.
Children's Privacy Is Not Just for Kids' Sites
Companies need to ensure that their sites and mobile apps do not collect children’s information without a parent’s consent. In particular, the Children’s Online Privacy Protection Act, or COPPA, requires that companies collecting information online about children under the age of 13 follow a number of steps to ensure the children’s information is protected, including clearly disclosing how the information is used directly to parents and seeking verifiable parental consent before collecting any information from a child.
For example, online review site Yelp and mobile app developer TinyCo were both separately charged by the FTC with improperly collecting children's information in breach of COPPA without first notifying parents and obtaining their consent. Both Yelp and TinyCo agreed to settle the FTC's charges by deleting the information improperly collected and submitting a compliance report outlining their COPPA compliance program. In addition, Yelp agreed to pay a $450,000 civil penalty, while TinyCo agreed to pay $300,000.
It is therefore important to make sure that children’s data is not collected without a parent’s consent. If a company becomes aware that a child under 13 has registered without parental consent, such information would need to be removed.
Beware Before Granting New Devices Access to a Sensitive Network
Think twice before allowing new "smart devices" to connect to a production network and granting them access to other systems. The massive data theft at Target is believed to have been facilitated by a breach of its Internet-connected heating, ventilation and air conditioning (HVAC) systems. Hackers apparently gained access to Target's system by using stolen login credentials from the HVAC service provider. The more integrated systems are, the more attractive they are to hackers, because they can fall like dominoes. Vendor and building-management accounts belong on a segmented network with no route to payment or customer-data systems, and their credentials should be unique to that vendor, rotated and revocable the moment the contract ends.