Three Massive Data Breaches and What You Can Learn From Them
By Gareth Sleger
Despite the common knowledge and general acceptance nowadays that insecure physical endpoints are bad for the health of data privacy, many "secure" industries - from health care to education - deal with data breaches and data misuse due to employees simply losing personal portable storage devices including USB thumb drives.
Even tech companies that should be well-versed in preventing data breaches are just now officially taking the proper steps to ensure digital security.
Case in point: Only very recently has renowned global company IBM mandated enterprise-wide regulations to prevent employees from using flash drives for work-related purposes.
But compromised data through misplaced or stolen portable storage devices is just a small part of the larger scope of data breaches. And even though we're not even halfway through 2018, we've already seen or been affected by some major breaches.
What is a data breach?
A data breach is a verified event in which sensitive, private, confidential, or protected data has been stolen, viewed, and/or transmitted without official authorization. Data breaches usually involve personally identifiable information (PII), personal health information (PHI), financial information, intellectual property, or trade secrets.
Three of the biggest 2018 data breaches
There has been no shortage of data breaches over the past several years. And while the largest hacks have had nothing to do with wayward thumb drives, 2017 saw the most data breaches affecting the largest number of people in history. And 2018 has already seen its fair share of headline-making data privacy breaches and exposure on a massive scale.
So far this year, several global brands have either suffered a breach or finally discovered one from a previous year.
Here are just a few notable 2018 data breaches:
Facebook data breach:
How many were affected: 87 million user profile details compromised.
What happened: While this isn't on the scale of the 2013-14 Yahoo data breach that saw 3 billion user accounts compromised, it's far more pertinent considering Facebook is the largest and most popular social media platform in the world right now. This instance could be considered more of a data scandal than a data breach since political consulting firm Cambridge Analytica, hired by Facebook, used profile information to influence voter opinion. Either way, this recent data mishap raised ethical questions about how social media platforms put customer data at risk and shows how mishandled data can put even the most powerful of brands at risk.
Under Armour data breach:
How many were affected: 150 million user records hacked from the MyFitnessPal app.
What happened: Investigation into the Under Armour data breach showed that the information affected in February includes usernames, email addresses, and passwords for the company's food and nutrition application. But Under Armour only became aware of the breach in late March. The lag time between breach and disclosure to those affected isn't anything new, however. In 2017, the infamous Equifax data breach that saw nearly 146 million Americans compromised had a 41-day waiting period before anyone knew names, Social Security numbers, home addresses, dates of birth, driver's license numbers and credit card information had been stolen.
Orbitz/Expedia data breach:
How many were affected: 880,000 users' personal information stolen while using the popular travel and hotel booking website.
What happened: Again, there was a lengthy wait between the breach occurrence and Orbitz divulging the hack. This breach, however, took two years to come to light. Although the hack happened between January and June 2016, the data breach wasn't made public until March of this year. The Yahoo data breach also took three years to disclose, furthering its case as the worst-handled data breach of all time.
Data breaches under GDPR
The General Data Protection Regulation (GDPR) is the compliance elephant in the room of every business on the planet - impossible to ignore no matter how hard they have tried.
The recent data breaches detailed above gain additional poignancy when viewed through the lens of the fast-approaching enforcement date of GDPR. Just days away on May 25, companies face astronomical fines for non-compliance with GDPR. For instance, whereas in the past, companies and brands might have waited weeks, months, and even years before divulging a data leak or breach-like incident, GDPR orders a much faster response of 72 hours to let people know their personal, sensitive information has been compromised.
For any violation, organizations face a hefty fine of 4 percent of annual global turnover, or $21.2M (€20M), whichever amount is higher.
Beating back breaches
To state the obvious, breaches are bad, and IT professionals and companies should do everything in their power to prevent them. Banning unsecured devices, software, and poor practices is one of the first steps that organizations should always look to take. However, given our modern age, prohibition is an incomplete strategy. And even beyond incident preparedness and response plans, shadow IT has a funny way of creeping in when alternatives are not provided.
To continue to state the obvious, additional measures are required. According to a 2016 RSA Conference on IT security, the average cost of a data breach exceeded USD $6.5 million. This is a significant cost and a motivating factor for the business to be as proactive as possible when it comes to mitigating the risk of any potential incident. One of the considerations for technology leaders is to incorporate modern data-centric solutions as a cohesive element in any form of tactical data protection method.
To effectively curb a potential breach and shore up overt or subtle security holes, organizations must implement a technological framework that enables robust and secure data movement, integration, storage, and sharing for sensitive or critical data that:
- Remains exclusively internal to an organization
- Requires transfer externally to customers or partner organizations
- Is in any state - at rest or in transit
In other words, the organization needs to account for any and all data, at all times.
Below are two of the common solutions in a potential secure technology stack, representing some of the choices organizations should consider in developing an advanced data security strategy.
Secure File Sharing Software
On-premise and cloud-based file sharing software enables employees to easily and securely share and collaborate on data across a network of endpoints. These types of solutions provide inherent security measures, including encryption and administrative control.
As file sharing and collaboration programs were originally created for the consumer market, they tend to be easy to use. Further benefits include the ability to handle most file types and data size that is limited only by the subscription tier.
Some of the concerns IT leaders face are linked to the consumer-centric foundation of many of these solutions and to their being retrofitted for enterprise requirements.
Enterprise File Sharing Solutions
In recent years, a new class of enterprise-grade file sharing solutions has evolved as a counterpoint to standalone file sharing offerings. Enterprise file sharing programs allow organizations to provide their employees with a compliant method of sharing data of any size or format internally, across distributed teams, and externally to customers and business partners without the risk of exposing sensitive data.
Further, certain offerings may be far more strategic in their ability to enable expansive data sharing, movement, and integration use cases. For instance, integrated as part of a larger solution set, a modern managed file transfer platform empowers business users to engage in multiple secure information sharing patterns, including but not limited to:
- Ad hoc file sharing (P2P)
- System-to-person data movement
- Person-to-system file integration
- Application-to-application (A2A), and
- Backend office application integration for file flows into a CRM, ERP, or TMS system
There is no way of predicting a breach. When the worst-case scenario happens, the measurable impact affects tangible and intangible aspects of the business, from the bottom line to customer loyalty, brand reputation, and trust.
Whether sensitive data is exposed via a lost flash drive, or stolen PII ends up getting sold or used in harmful ways, following regulatory mandates with the meaningful application of appropriate technology is a must.