The first widely recorded data breach of the computer age occurred in 1984 at TRW, a credit reporting agency. A single stolen password, posted to an electronic bulletin board, could have permitted access to the credit histories of 90 million people. Computer experts warned that preventing such incidents demanded greater security. Thirty-three years later, the data breach conundrum pauses to reflect upon who's on first.
The data breach conundrum
If we get a toothache, we call a dentist. If our automobile's gas gauge is nearing empty, we fill the tank. If we run out of a staple food, we visit the grocery store to buy more. If we crave cap of ribeye (spinalis), we call the butcher to place a special order. In each of these situations we have a logical sequence of steps to follow that achieves a specific result.
When we become the victim of a data breach, there is little or no respite. Though we attempt to make sense of whatever breach, leak or hack nabbed us, there is often no logical sequence of steps to follow, because nine times out of ten the result smacks of "game over." The bad guys got us, and we don't even know who's on first.
As one example, consider Equifax's recent spine-chilling data breach that spilled everything about us. As consumers, we were clueless before the spill (and still are) as to whom they sold our data. But as Americans we've always been an Equifax product; this time, we are an Equifax hacked product.
We wait. We sit—mostly silent. Our options trivialized by the calculated movement of the pendulum swaying nonchalantly back and forth—reminding each of us that the concern for our personal data could become (at any moment) inconsequential and inappreciable when placed in the hands of remiss and stoic gatekeepers.
According to a new report from Risk Based Security, 3,833 breaches were reported during the first three quarters of 2017, exposing over 7 billion records. Compared to the same period in 2016, the number of reported breaches rose 18.2% and the number of exposed records rocketed by 305%. The report also reveals that 78.5% of all records exposed came from the five largest data breaches of 2017:
- Equifax— (Hacking) 145,500,000 names, dates of birth, Social Security numbers and other confidential information compromised by exploiting an unpatched vulnerability in Apache Struts (CVE-2017-5638).
- DU Caller Group— (Web) 2,000,000,000 user phone numbers, names and addresses inappropriately made accessible in an uncensored public directory.
- Deep Root Analytics— (Web) Approximately 198,000,000 voter names, addresses, dates of birth, phone numbers, political party affiliations, and other demographic information exposed in an unsecured Amazon S3 bucket.
- NetEase— (Hacking) 1,221,893,767 email addresses and passwords stolen by hackers and sold on the Dark Web by DoubleFlag.
- River City Media— (Web) 1,374,159,612 names, addresses, IP addresses, and email addresses, as well as an undisclosed number of financial documents, chat logs, and backups exposed by a misconfigured rsync backup.
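Two of the five breaches above were not hacks at all but storage left open to the world (the Deep Root Analytics S3 bucket, the River City Media rsync backup). The S3 case is easy to check for, and the following is an added example written for this post, not code from the original article or from any of the organisations named. It inspects a bucket policy document and an ACL grant list, both constructed samples here with a placeholder account id and bucket name, and reports whether either grants read access to anyone. In practice you would feed it the JSON returned by the S3 get_bucket_policy and get_bucket_acl calls; that fetching step is left out so the example runs offline.

```python
"""Flag S3 bucket policies or ACLs that make a bucket world-readable.

Added example for this post (not the article's own code). All policy
documents, grants, account ids and bucket names below are constructed
placeholders, not real resources.
"""
import json

# Grantee URIs meaning "everyone" (AllUsers) or "any AWS account"
# (AuthenticatedUsers). Either makes a bucket effectively public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: a bucket policy that hands read access to anyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::voter-data-example",
                     "arn:aws:s3:::voter-data-example/*"]}]})

# Constructed sample: the same bucket scoped to one role in one account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::voter-data-example/*"}]})

# Constructed sample ACL grants in the shape get_bucket_acl() returns.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(action):
    """Read-type S3 actions, plus the wildcards that include them."""
    return action in ("*", "s3:*") or action.startswith(("s3:Get", "s3:List"))


def public_policy_statements(policy_json):
    """Return the Sids (or positions) of Allow statements readable by anyone.

    Condition blocks are deliberately not evaluated: a condition may narrow
    the grant (e.g. to one VPC endpoint), so such statements are still
    reported for human review rather than silently accepted.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not any(_grants_read(a) for a in _as_list(stmt.get("Action"))):
            continue
        findings.append(stmt.get("Sid", "Statement[%d]" % idx))
    return findings


def public_acl_permissions(grants):
    """Return the permissions an ACL hands to AllUsers/AuthenticatedUsers."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS]


def audit_bucket(policy_json, grants):
    """Combine both checks; the bucket is public if either path opens it."""
    statements = public_policy_statements(policy_json)
    permissions = public_acl_permissions(grants)
    return {"public": bool(statements or permissions),
            "policy_statements": statements, "acl_permissions": permissions}


if __name__ == "__main__":
    print(audit_bucket(PUBLIC_POLICY, PUBLIC_ACL_GRANTS))
    print(audit_bucket(PRIVATE_POLICY, []))
```

The check is intentionally conservative: a statement with a Condition block is still reported, and NotPrincipal/NotAction forms are not handled, so a clean result is a starting point for review rather than proof of privacy. Block Public Access settings, which sit above both the policy and the ACL, are the control that should make this kind of exposure impossible in the first place.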
Businesses need to properly manage sensitive data and place more focus on breach prevention, detection and response. Some items that have been overlooked in the lessons-to-be-learned category include:
- Evaluating security protocols, patching promptly, and backing up data frequently
- Encrypting sensitive data at rest and in transit
- Securing the network with a corporate VPN
- Handling customer data protection as a corporate social responsibility (CSR)
- Hiring employees that take breach prevention and management seriously
- Implementing advanced security controls
- Limiting employee access
- Developing an offboarding process for departing staff and vendors that revokes their access and leaves no backdoors open
- Monitoring and securing BYOD programs
- Holding outside consultants and vendors to the same security standards as your organization
- Developing policies and procedures on data breach prevention, and rehearsing them with mock incident exercises
- Providing ongoing data breach training
Providing ongoing training for employees, upper management, and the board is crucial. Lastline's CMO, Bert Rankin, says: "It's often human insight that makes the difference in rapid breach detection, and that requires a vigilant training program. Security teams obviously need to stay up to date, but it's also important to educate other administrators and users so they can identify and report the early warning signs of an attack campaign."
What about our responsibilities?
Most of the time it is all about convenience. We love it. We live it. It's easy to point the finger at companies even when we've reused the same password on multiple sites across the Internet, or been phished by an email we thought our CEO sent.
Though there are plenty of instances where companies have been negligent or lax with customer data, on the other side of the coin there are plenty of users who have hindered security efforts by visiting fraudulent websites, clicking on phishing links, reusing the same passwords on multiple sites, using free (unsecured) public Wi-Fi that can easily be compromised, leaving Bluetooth on when not in use, and not enabling two-factor authentication on sites that provide it.
I've been the victim of eighteen reported data breaches since 2007: Adobe, Albertson's, Bit.ly, Citigroup, Disqus, Dropbox, Equifax, Exploit.In, Forbes, Hannaford's, Home Depot, LinkedIn, MySpace, Onliner Spambot, River City Media, Staples, Target, and TJ Maxx.
I feel as though our personal data is consistently flailing inside some giant yawning sinkhole—always waiting for another data breach plunge into one more chaotic abyss.
Sometimes I wonder if data collection technology forged ahead too rapidly—or perhaps the technology behind it coerced security into coexisting as a tag along.
Yes, the genie is out of the bottle. As individuals, it appears we've lost all control of our personal data. We've never really known who's on first, and we can't even visualize getting to second base because it always looks like we will strike out again.
Though the data breach landscape looks discouraging and dismal this year, we still have time (not much) to get our acts together, as individuals and as organizations, and build security hygiene into our mindsets, motivations, and daily workflow.
My mantra: Ask not what data breach security can do for you—but what “together” we can do for data breach security. What is your mantra?
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.