The phrase ‘data breach’ has passed into common parlance, mostly because we see it so much. As a result, its potency and shock value are somewhat diminished. Perhaps its perceived relevance to your organization also wanes.
With a tendency to glance at the stories we see with mild curiosity, perhaps there might come some reassurance from the thought that “It can never happen to us”. Any such assumption, that hackers will indefinitely leave you off their radar, is at best risky and, at worst, simply irresponsible.
Correctly gathered, stored, and used data offers invaluable insights but it also carries a huge weight of responsibility.
Data Privacy laws are designed partly to ensure that organizations recognize this responsibility, but more importantly, to protect citizens’ personal information; whether it relates to healthcare, finances and financial transactions, energy, and utilities, or any other interaction with a business or an institution.
It Can Happen To You
One of our previous blogs discussed the ease, and often the ingenuity, with which hackers can pierce your defenses, taking as its case study the heist of 340 million customer records from a Marriott Hotel. The company was fined £18.4 million.
The size of fines like this underscores the weight of the responsibility to protect data. It’s best to home in on the relevance of such incidents, because the stark reality is that if you’re online you’re on the front line, if you’re digital then everything you do is critical, and if you use data, no precaution can be left for later.
5 Significant Data Breaches To Know About
If you accept risking anything, it means you are in danger of risking everything. Any organization is a potential target for hackers, with the caveat that the bigger you are, the harder you’re likely to fall.
There were nearly 1.1 million breaches in 2017, yet 2022 is set to top that stat, coming in at 8.51 million in the first six months. Hackers often have time on their side, to sort out what they want to sort out in as comprehensive a fashion as possible. They have been known (or, rather, unknown) to lurk in a system for up to 327 days; and that makes for a bountiful harvest.
Here is the state of play on the current line-up of significant data breaches in 2022 (although more significant ones may appear within days of this blog being posted). ‘Worst’ in this instance is not defined necessarily by size but more by the nature of the information stolen, and the implications of the thefts:
- American Airlines: The airline explained to those affected that “an unauthorized actor compromised the email accounts of a limited number of American Airlines team members”. The company statement on the attack continues: “The personal information involved in this incident may have included your name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information you provided”.
- Cisco: Cisco said that the access vector was through “the successful phishing of an employee’s personal Google account, which ultimately led to the compromise of their credentials and access to the Cisco VPN”.
- Costa Rican Government: The Conti ransomware gang hacked the Costa Rican government, which declared a state of emergency after the hackers grabbed “highly valuable data and demanded $20 million in payment to not leak it. Nearly 90% of this data—amounting to around 670GB—was posted to a leak site on May 20”.
- Medibank Private, one of Australia’s largest private health providers: 200GB of stolen customer data (of 9.7 million Medibank customers), including details of private health information for ‘around’ 500,000 customers, as reported by BBC News. The suspected methodology was “unauthorized access to (Medibank’s) systems through the use of compromised user credentials”. As of 10th November, hackers have started to publish details of some of the data on the Dark Web after the company's refusal to pay the $15 million demanded, reports Information Age.
- Toyota: Unauthorized access to c. 300,000 customer email addresses. Toyota said that the cause of the breach was a “subcontractor uploading Toyota source code to a GitHub repository that was inadvertently set to public access”.
Bear in mind that the average cost of a data breach in the United States is $9.44 million, compared to the $4.35 million global average (IBM Security: Cost of a Data Breach Report 2022).
The foregoing list offers up victims from the pillars of modern life: Airlines, Tech Giants, Governments, Finance, and Manufacturing. Getting fined is a sizable hit on any business, but it comes along with multiple stings in its tail.
Don’t join that club
Membership is most easily gained by either an ill-defined approach to authorized access or no approach at all. The cost of membership includes fines, remediation costs, and reputational damage leading to erosion of trust; possibly even loss of customers.
With every organization eligible for membership the most prudent way to avoid it is to solve the problem before it comes your way. This means being obsessive about how you handle your data and how you protect it. Focus on the value of your data as much as the bad guys do.
Access is the critical word here. Given the fundamental role that data plays in driving any organization, it follows that people across the organization need ready access to it; exactly what the hackers need too.
The best way to start is by accepting that the data breach problem may one day land with you. If, or when, it does, how secure will you feel knowing that the only conceivable access is by an authorized user?
Identifying who should have access is about an intimate understanding of your data, what and where it is, what privacy laws pertain to it, and who uses it for what purposes. Become a data expert fast. If not, perhaps you should look for someone who is.
NOW Privacy enables organizations to reveal where the risks lie across their entire IT estate through our data discovery platform, which gives visibility across structured and unstructured information.
By knowing what’s in your data and where it is, you can prevent and protect sensitive data from being obtained in data breaches and maintain regulatory data management standards. Take a look at how we help before someone else takes a look at what they can steal.
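To make the idea of data discovery concrete, here is a small added example, written for this article and not part of the NOW Privacy platform or any of the breached companies' tooling. It scans a constructed in-memory corpus of files for the kinds of personal data named above (email addresses, phone numbers, dates of birth, payment card numbers) and ranks the files by how much sensitive data they hold. The detectors, the Luhn filter on card candidates, and the sample file contents are all assumptions made for the illustration; a production scanner would use far richer patterns and validation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical, deliberately simple detectors for the data types mentioned in the
# article. Lookarounds (not \b) delimit digit runs so "(555) 010-1234" still matches.
DETECTORS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone_us": re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
    # 13-19 digits with optional separators; filtered by a Luhn check below so that
    # order numbers and other long digit runs are not reported as card numbers.
    "card_candidate": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    count: int


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every detector over one file's text and report per-kind hit counts."""
    findings: list[Finding] = []
    for kind, rx in DETECTORS.items():
        hits = rx.findall(text)
        if kind == "card_candidate":
            # Keep only candidates whose digits satisfy Luhn; relabel them.
            hits = [h for h in hits if luhn_ok(re.sub(r"[ -]", "", h))]
            kind = "payment_card"
        if hits:
            findings.append(Finding(path, kind, len(hits)))
    return findings


def scan_corpus(corpus: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file content (stands in for a real file walk)."""
    results: list[Finding] = []
    for path, text in corpus.items():
        results.extend(scan_text(path, text))
    return results


def summarize(findings: list[Finding]) -> list[tuple[str, int]]:
    """Rank files by total sensitive-data hits, most exposed first."""
    totals: dict[str, int] = {}
    for f in findings:
        totals[f.path] = totals.get(f.path, 0) + f.count
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample corpus; every value here is made up for the example.
SAMPLE_CORPUS = {
    "hr/onboarding.txt": "New starter Jane Doe, jane.doe@example.com, DOB 1985-03-14, mobile (555) 010-1234.",
    "finance/refunds.csv": "ticket,card\n1042,4111 1111 1111 1111\n1043,order 1234 5678 9012 3456",
    "eng/README.md": "Build with make; report bugs to the #builds channel. Version 2022.11.",
}

if __name__ == "__main__":
    found = scan_corpus(SAMPLE_CORPUS)
    for f in found:
        print(f"{f.path}: {f.count} x {f.kind}")
    print("most exposed:", summarize(found))
```

Run as-is, the scanner flags the HR file for an email, a phone number and a date of birth, flags the refunds file for one card number (the 16-digit order number fails the Luhn check and is ignored), and reports nothing for the README. An inventory like this, kept current, is what lets you decide who genuinely needs access to each location rather than leaving that question to whoever finds the data first.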