Security breaches then and now

Security Breaches Today

Whether you are a warehouse worker using scanners to track packages or a c-suite executive heading technology development, odds are you work with at least one software each day. This software may be an integral part of your business or merely a tool used alongside your day-to-day operations. Either way, business and technology have fused for good.

There is a reason for this deep connection. Technology investment has paid off in dividends by increasing our individual productivity and cutting company costs. Imagine calculating your yearly net income with just a pen and paper. Or having to rely on the US Postal Service to communicate with vendors. Let’s be glad we’ve moved forward. But this advancement comes at a price. As softwares aggregate our information to better serve us, we become susceptible to security breaches. Data breaches can affect billions of people at a time. 

Here are some fast facts:

• More than 4,500 data breaches have been made public since 2005, with more than 816 million individual records breached.
• At least 16 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches since 2019.
• A recent study claims that there is a new victim of identity theft every 2 seconds in the United States alone.

The increasing threat of security breaches mostly has to do with the increasing amount of information being stored. In 2020, data production is estimated to be 44 times greater than it was in 2009. Although individuals are responsible for most data creation (70 percent), 80 percent of all data is stored by enterprises.

Cost of Breaches

According to 2018 research, the average cost of a data breach is $3.86 million ($148 per record) in addition to the incalculable damage to the organization’s reputation. It also costs time, with breach identification and containment taking an average of 280 days.

COVID-19’s Effect on Breaches

In 2020, it became even more crucial to prevent data breach events, with a large segment of the workforce transitioning to remote work. The first quarter of 2020 was one of the worst in data breach history, with over 8 billion records exposed.

76% of employees reported remote work increased the time it took to identify and contain breaches. This led to an estimated added cost of $137,000 per breach.

Even with the vaccine rollout, remote work continues to be demanded by employees who appreciate the work-life balance. It’s important to understand how to identify and contain these breaches, as the threat will remain high even after vaccine administration.

Find out about the most common types of breaches, notable recent breaches, and how to prevent them below:

Notable types of breaches

When large organizations “lose” or mistakenly expose data, it’s generally through hacking, negligence, or both. There are a few other types of data loss and corruption that would be classified as a “breach.”

Ransomware

Ransomware is malicious software that gains and locks down access to vital data (i.e., files, systems). The data is locked down until a certain fee is demanded (hence the “ransom” in ransomware). Most often this ransom is requested in the form of Bitcoin or other cryptocurrencies.

Malware

Malware is a software created to harm computer files or systems. Ironically, malware often masquerades as a warning against “malware” with a prompt to download a “malware removal software”… which ends up being the malware itself.

Phishing

Phishing involves mimicking a credible, trustworthy organization or individual to collect financial or highly personal information. Common methods for phishing scams can include a pop-up on your browser or an email with a link.

Denial-of-Service (DoS)

A denial-of-service (DoS) breach takes away access to web pages and can disrupt a large portion of your site. One of the biggest of these attacks is the 2016 attack on Dyn when the internet was virtually unusable for several hours on the US east coast. The largest and most recent attack happened to GitHub in February 2018.

Recent data breaches you should know about

700 million users- LinkedIn, June 2021

Data associated with 700 million LinkedIn users was posted on a dark web forum. This post impacted more than 90% of LinkedIn’s user base.

A hacker dubbed “God User” used data scraping techniques through exploiting the site’s API.  The data contained information including email addresses, phone numbers, geolocation records, genders and other social media details.

Because no personal data was exposed, the breach was classified as a violation of LinkedIn’s terms of service rather than a comprehensive data breach.

533 million users – Facebook, April 03, 2021

The data exposed included phone numbers, DOB, locations, past locations, full name, and in some cases, email addresses.

Over 1 million users – OneClass, June 29, 2020

Online learning platforms have become popular targets for data breaches. OneClass housed the data of over a million North American students (many of them minors) on an unsecured Elasticsearch server. The data exposed included students’ full names, email addresses, schools/universities, phone numbers, account details and school enrollment details.

Over 2 billion records – BlueKai, June 19, 2020

US tech giant Oracle owns BlueKai, which houses one of the largest reserves of web tracking data. The firm uses website cookies to track user web activities. It then sells this behavioral data to enterprises.

During BlueKai’s breach, billions of web tracking records were stored on a server without a password. The data exposed included names, home addresses, email addresses, and web browsing activity.

Oracle states that they resolved the problem but have not provided details.

Honorable mentions

Other notable major data breaches:

• AOL: 92 million records compromised in 2005; 20 million records compromised in 2006
• TK/TJ Maxx: 94 million records compromised in 2007
• Heartland Payment Systems: 130 million records 2009
• U.S. Military: 76 million records compromised in 2009
• Sony PlayStation Network: 77 million records compromised in 2010
• Sony Online Entertainment: 24.6 million records compromised in 2011
• Evernote: 50 million records compromised in 2013
• Living Social: 50 million records compromised in 2013
• Target: 70 million records compromised in 2013
• Ebay: 145 million records compromised in 2014
• Home Depot: 56 million records compromised in 2014
• JP Morgan Chase: 76 million records compromised in 2014
• Anthem: 80 million records compromised in 2015
• Yahoo: One billion records compromised in 2016
• Deep Root Analytics: 198 million voter records in 2017

How to combat security breaches

Here are some tips on how to prevent security breaches:

1. Consider data breach insurance

Even a breach at a small business, resulting in maybe 1,000 lost records, costs tens of thousands of dollars. In order to manage this risk, some companies are purchasing data breach insurance. This insurance covers expenses of a breach including those incurred through notifying all affected parties, investigating details of the breach, fielding inquiries from affected parties and providing tools to help affected parties (i.e. credit reporting).

2. Review the following data breach defense and prevention resources

Verizon’s annual Data Breach Investigations Report investigates thousands of data breaches with the help of the U.S. Secret Service and several partnering security organizations.

Data Breach Today is a multimedia news resource and a robust source of information on the latest data breaches.

The Global Privacy & Security Compliance Law Blog is helpful for firms with strict and ever-changing security and compliance requirements.

3. Educate employees

Help your employees create strong passwords, change their passwords frequently, and educate them on how to spot, avoid, and report phishing scams and other suspicious activity.

Employees should have a firm understanding of websites that can expose work computers and mobile devices to risks, such as file-sharing websites. Request that they only use work computers for business, and keep other activities to their personal computers.

4. Develop data procedures

Create and update data security procedures to ensure clear expectations and show your commitment to combating data breaches. Use differing roles and permissions for each employee accessing data.

You should also institute encryption procedures. For example, require all confidential data sent via email to be encrypted.

If using a Wi-Fi network, ensure you have a dedicated network for your team that the public can’t access. For the most sensitive data, you may require employees to not use Wi-Fi at all as it can allow cyber criminals to intercept data.

5. Remote around-the-clock network monitoring & security software

If you don’t have the staff for around-the-clock monitoring, consider working with a managed IT services provider.
You can also purchase security softwares like firewall, anti-virus, and anti-spyware. You can automate them to run on a continuous basis. (Just make sure you work with a professional to ensure the softwares are not actually malware).

6. Data backup and recovery

Make sure your IT team backs up your data on an automated remote backup system so it can be recovered in case of a breach.

7. Keep only what you need

Make it a habit to eliminate unnecessary data. Additionally, minimize and keep track of the number of places you store confidential data and follow data retention standards for your company or industry.

8. Destroy before disposal

Make sure physical records are stored in a secured location and that access is restricted to only the employees that need access.

9. Safeguard physical data

Flash drives, mobile phones, tablets, and other portable devices are often subject to loss or theft. Portable devices should have hard-to-guess passwords, anti-theft apps installed, and other security measures.

10. Protect portable devices

Flash drives, mobile phones, tablets, and other portable devices are often subject to loss or theft. Portable devices should have hard-to-guess passwords, anti-theft apps installed, and other security measures.

How to implement security breach prevention

Once you’ve nailed the basics, you can take some additional steps to further combat breaches. By itself, securing data is not enough to prevent attacks. Being fully equipped to combat breaches means you also need a secure development environment built on a dependable and protected IT infrastructure using secure hardware, software, and services and providers.

Training

Security of your company’s data is essential, and the best way to make sure security is taken seriously is to implement regular trainings from day one. By educating your staff – developers, IT, organization management, and stakeholders both internal and external – you’ll be improving security across the entire organization. This helps to prevent security breaches and the financial consequences and damage to your reputation that comes along with them.

So how can you start training your staff? Well, while theoretical education is important, it isn’t enough. Allowing your engineers to learn using real-world coding simulations will give them the experience they need to prevent attacks and guard against security breaches. Avatao’s hands-on exercises provide this experience, teaching your developers how to avoid the most common coding vulnerabilities through practical, real-world examples.