February 18, 2020
How to Prepare for Data Breaches — The Devil is in the Gaps (Part 1)
Part 1 in a 3-part series on preparing for data privacy breaches.
In early 2019, there was a report of a massive data dump involving more than two billion user credentials and sensitive data sourced from thousands of online breaches and leaks. The mass of data, called “Collection #1,” included usernames and passwords in plain text as well as sensitive documents amounting to a total of 87GB. Collection #1 was reportedly available for download on the “dark web” up until the last week of December 2019, and was actively exchanged in hacking forums prior to that date.
Collection #1 alone contains more than 700 million unique email addresses and more than 21 million dehashed passwords, making it very damaging to many people. But it’s only the beginning. InfoSecurity Magazine reported that even more data has been stolen.
Authentication security vendor, Authlogics, claims to have the data from Collection 2, 3, 4, and 5 in its possession, and is loading it into its breached password database. It estimates the new trove of data comes to roughly 784GB — nine times the size of Collection #1, and could contain over seven billion records in its raw state. In fact, Sanixer may have even more breached and leaked data to sell, the cyber-criminal told researcher Brian Krebs. Together, all the packages they have up for sale are less than a year old and total over 4TB in size.
With all this sensitive, personal data available for malicious activities, online misdeeds can cross over to offline criminal activities. From socially engineered attacks, such as phishing and fraud, to identity theft and blackmail, individuals’ and organizations’ losses could become exponential.
Businesses who experience data breaches not only could end up paying non-compliance fines from several regulatory bodies, but could also lose their customers’ trust, revenue, and reputation. Individuals can be targeted for scams and cyberattacks, and their subsequent activities online can be limited because of the feeling of loss of security.
Business Benefits from Data Protection
Personal data is still the leading breach risk for today’s enterprises. But, despite investments in data breach prevention, the bad guys are still winning. So how can enterprises prepare for data breaches in ways that actually accomplish the goals? And, against what seems like all odds, should they even keep trying?
They not only should, but also must, continue trying to protect people’s private data. But they need smarter tools. There are many reasons to keep up the fight, including avoiding non-compliance with today’s stricter privacy regulations, like the European Union’s General Data Protection Regulation (GDPR). But also because protecting individuals’ privacy is the right thing to do.
If organizations need a financial motivation for data privacy and protection, Cisco just provided one in January 2020. Based on results from the Cisco Data Privacy Benchmark Study 2020, an unprecedented 70% of organizations are gaining “significant” or “very significant” business benefits from their efforts to maintain data privacy. Benefits cited include operational efficiency, fewer and less costly data breaches, reduced sales delays, improved customer loyalty and trust, innovation, and agility.
The average financial impact of these benefits is estimated to be $2.7 million. Across all respondents, the average ratio of benefits-to-spend was 2.7, meaning that for every dollar of investment, the company received $2.70 worth of benefit. Nearly half (47%) of the companies are seeing greater than a twofold return, 33% are breaking even, and only 8% appear to be spending more than they receive back in benefits.
“It is a business imperative and competitive advantage for companies, their boards, and senior leaders to embrace accountability and transparency in how they manage personal data,” stated Bojana Bellamy, President, Centre for Information Policy Leadership (CIPL).
What Types of Data Need to Be Protected
Personal data is still a leading lure in data breaches. Based on the data stolen in multiple breaches, here are specific types of information that are of value to cyber-criminals:
- Member name
- Date of birth
- Social security number
- Member identification number
- Email address
- Mailing or physical address
- Telephone number
- Banking account number
- Clinical information
- Claims information
Hackers search for these types of data because they can be used to make money in a variety of ways, such as by duplicating credit cards, perpetrating fraud, deploying identity theft, and even for blackmailing people.
Examples of Data Breaches by Industry
The motives of cyber-criminals define which companies they will attack. Different sources yield different information. The following breaches in five industries are examples of common targets:
Dixons Carphone (June 2018)
An estimated 10 million customers could be affected by the hacking attack on the company’s network. The compromised data may include personal information, like names, addresses, and email addresses. Some 5.9 million payment card records (nearly all of which are protected by the chip-and-PIN system though) may have been accessed as well.
Ashley Madison (July 2015)
Hacktivists stole and dumped 10GB worth of data on the “dark web.” This included the account details and personally identifiable information (PII) of about 32 million users, as well as credit card transaction data.
SingHealth (July 2018)
The nonmedical personal data of 1.5 million patients was reportedly accessed and copied, including their national identification number, address, and date of birth. The stolen data also included the outpatient medical data of 160,000 patients.
Deloitte (October/November 2016)
The firm was targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients.
University of Maryland (March 2014)
More than 300,000 student, faculty, and staff records going as far back as 1998 were compromised. The stolen data included names, birth dates, university ID numbers, and Social Security numbers.
How to Protect Your Private Data
Multiple steps are required to prepare an enterprise to prevent data breaches, from fixing vulnerabilities with data loss prevention to updating encryption keys to conducting drills. However, if you were to conduct a gap analysis of a typical breach preparation plan, one critical step would likely be missing from the list: identifying all of the sensitive data located across an enterprise — from emails to endpoints.
The reason for this gap in data discovery is that the vast majority of organizations don’t have an accurate and dependable way to find all of their critical, sensitive data. Yet, without knowing all of the many places that sensitive data lives across an enterprise, organizations are at a significant disadvantage in the war on data privacy breaches.
To meet the new demands of data privacy, enterprises need to up their game by finding the gaps in data breach preparation. Advanced technologies that deliver accurate data discovery, classification, and control add a significant weapon to your organization’s data breach arsenal, giving you a fighting chance to defend data security and privacy.
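To make the data discovery step concrete, here is an added example (not code from the article or from any vendor it mentions) of a minimal discovery pass: it scans a set of text records for three of the data types listed earlier (email addresses, Social Security numbers, payment card numbers), filters card-number candidates with the Luhn checksum so digit runs such as ticket or order numbers are not counted, and builds an inventory that records where each item lives while masking the value itself, so the inventory does not become one more copy of the sensitive data. The file paths and record contents are constructed for the example; the SSN range rules follow the Social Security Administration's published area/group/serial constraints.

```python
"""Minimal sensitive-data discovery pass over text records (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Conservative patterns for three of the data types named in the article.
# The SSN pattern rejects area 000/666/9xx, group 00 and serial 0000.
# The card pattern only finds candidates; luhn_ok() below confirms them.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (digits only, no separators)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(kind: str, value: str) -> str:
    """Keep enough of the value to locate the record, never the full value."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "*" * (len(value) - 4) + value[-4:]


@dataclass(frozen=True)
class Finding:
    location: str   # where the data lives (file, mailbox, share, ...)
    kind: str       # which data type matched
    masked: str     # masked value, safe to keep in an inventory


def scan_record(location: str, text: str) -> List[Finding]:
    """Return one Finding per confirmed sensitive value in one record."""
    found = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card":
                value = re.sub(r"[ -]", "", value)
                if not luhn_ok(value):
                    continue   # digit run that is not a card number
            found.append(Finding(location, kind, mask(kind, value)))
    return found


def inventory(records: Dict[str, str]) -> List[Finding]:
    """Scan every record and collect the findings into one inventory."""
    findings: List[Finding] = []
    for location, text in records.items():
        findings.extend(scan_record(location, text))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per data type, the number a gap analysis needs first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample records (file paths and contents are invented for the example).
SAMPLE_RECORDS = {
    "mail/hr/2019-03-export.txt":
        "Member: Jane Doe, DOB 1984-07-12, SSN 219-09-9999, jane.doe@example.com",
    "shares/finance/refunds.csv":
        "refund,4111 1111 1111 1111,done\nrefund,1234 5678 9012 3456,failed",
    "notes/readme.txt":
        "Build 2020-02-18 passed. Contact ops@example.com for access.",
}

if __name__ == "__main__":
    results = inventory(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.location}: {f.kind} {f.masked}")
    print(summarize(results))
```

Running the block reports two email addresses, one SSN and one card number; the second digit run in the refunds file fails the Luhn check and is dropped. In a real deployment the record source would be a crawler over mailboxes, file shares and endpoints, and the inventory (locations and counts, not values) is what feeds the gap analysis the article describes.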
For more information about how to prepare against data privacy breaches, read the upcoming part 2 in this 3-part series about GDPR compliance.