Preparing for Data Breaches — The Devil is in the Gaps

In early 2019, there was a report of a massive data dump involving more than two billion user credentials and sensitive data sourced from thousands of online breaches and leaks. The mass of data, called “Collection #1,” included usernames and passwords in plain text as well as sensitive documents amounting to a total of 87GB. Collection #1 alone contains more than 700 million unique email addresses and more than 21 million dehashed passwords, making it very damaging to many people. But it’s only the beginning. InfoSecurity Magazine reported that even more data has been stolen.

With all this sensitive, personal data available for malicious activities, online misdeeds can cross over to offline criminal activities. From socially engineered attacks, such as phishing and fraud, to identity theft and blackmail, individuals’ and organizations’ losses can become exponential.

Businesses who experience data breaches are often required to pay non-compliance fines from regulatory bodies, but that’s just the beginning. They are also likely to lose revenue, their good reputation, and the trust of their customers. Individuals can be targeted for scams and cyberattacks, and their subsequent activities online can be limited because of the feeling of lost security.

Business Benefits from Data Protection

Personal data is still the leading breach risk for today’s enterprises. But, despite investments in data breach prevention, the bad guys are winning. So how can enterprises prepare for data breaches in ways that actually accomplish their goals? And, against what seems like all odds, should they even keep trying?

They not only should, but must, continue making the effort to protect people’s private data. And they will need smarter tools to get the job done.

There are many reasons to keep up the fight. Protecting individuals’ privacy is the right thing to do. It’s also good for your organization’s bottom line. Privacy regulations like the European Union’s General Data Protection Regulation (GDPR), Canada’s Anti-Spam Law (CASL), the California Consumer Privacy Act (CCPA) and many others, continue to evolve, leaving organizations open to fines for lack of compliance.

Based on results from Cisco’s Data Privacy Benchmark Study 2020, an unprecedented 70% of organizations gain “significant” or “very significant” business benefits from their efforts to maintain data privacy. Benefits include operational efficiency, fewer and less costly data breaches, reduced sales delays, improved customer loyalty and trust, innovation, and agility. Across all respondents, the average ratio of benefits-to-spend was 2.7, meaning that for every dollar of investment, the company received $2.70 worth of benefit.

What Types of Data Need to Be Protected

Personal data is still a leading lure in data breaches. Based on the data stolen in multiple breaches, here are specific types of information that are of value to cyber-criminals:

  • Member name
  • Date of birth
  • Social security number
  • Member identification number
  • Email address
  • Mailing or physical address
  • Telephone number
  • Banking account number
  • Clinical information
  • Claims information

Hackers search for these types of data because they can be used to make money in a variety of ways, such as by duplicating credit cards, perpetrating fraud, deploying identity theft, and even for blackmailing people.

Data Breaches by Industry

The motives of cyber-criminals define which companies they will attack. Different sources yield different information.
Commonly targeted industries include retail, medical, banking, education, and online businesses. Here are just a few notable examples that have occurred this year.

Recent Data Breach Examples

2020 has already had its share of major data breaches. Here are just a few examples of the more than 38 notable breaches that have occurred in the first half of this year.
In January, a Microsoft customer support database with more than 280-million Microsoft customer records was left unprotected online. Microsoft’s exposed database included email addresses, IP addresses, and support case details. Microsoft claims the database did not include any other personal information.

In February, more than 10.6 million hotel guests who have stayed at MGM Resorts had their personal information posted on a hacking forum. The data dump shared names, home addresses, phone numbers, emails, and dates of birth.

In April, the credentials of more than 500,000 Zoom accounts were found for sale on the dark web and hacker forums for as little as $.02. Email addresses, passwords, personal meeting URLs, and host keys were collected through a credential stuffing attack.

How to Protect Your Private Data

It takes multiple steps to prevent data breaches, from fixing vulnerabilities with data loss prevention to updating encryption keys to conducting drills. And if you were to conduct a gap analysis of a typical breach preparation plan, one critical step would likely be missing from the list: identifying all of the sensitive data located across an enterprise — from emails to endpoints.

The reason for this gap in data discovery is that most organizations don’t have an accurate and dependable way to find their critical, sensitive data in all of the multitudes of places it may exist. Without knowing where sensitive data lives across the enterprise, organizations are at a disadvantage in the war against data privacy breaches.

To meet the new data privacy demands, enterprises need to up their game by filling the gaps in their data breach preparation. Advanced technologies that deliver accurate data discovery, classification, and control add a critical weapon to your organization’s data breach arsenal, giving you a fighting chance to defend data security and privacy.

Spirion’s prepares you in the fight against data breaches

Find sensitive data wherever it lives with the highest levels of accuracy in the industry. Set up a demo to see how Spirion can help your organization protect what matters most.