Data Breach. It’s a term we’ve become all too familiar with in the recent past. Even as I write this article, we’re learning that Orbitz (subsidiary of Expedia Inc.) has discovered a data breach which seems (so far) to have affected over 880,000 credit cards. I’m not sure what shocks the conscience more: the number of people affected by data breaches, or the sheer number of breaches that occur annually.
According to the Identity Theft Resource Center’s 2017 Annual Report, the final number of data breaches reported for 2017 was 1,579, a 45 percent increase over 2016’s number of data breaches. Businesses continued to suffer the majority of breaches, and more than eight times as many Social Security numbers were exposed in 2017 as in 2016.
Just to highlight some of the major incidents in the recent past:
- In late 2016 while negotiating a sale to Verizon, Yahoo announced that it had fallen victim to a breach compromising the email addresses, names, telephone numbers, and birthdates of hundreds of millions of customers.
- Equifax – The company announced in September 2017 that 143 million people had personal information stolen. Compared with the US population (323 million), that means 45% of all Americans were impacted.
- In 2012, hackers stole the records of 21.5 million people from the Office of Personnel Management (OPM), including detailed information about their families, past residences, foreign travel, health records and other sensitive information.
It isn’t just conglomerate corporations and government agencies at risk. Consider the March 24th through April 18th, 2017 breach of the Chipotle restaurant chain (discovered relatively quickly on April 25th). There were 2,250 nationwide locations affected by malware that stole customer credit card information.
The list goes on. A recurring theme within these incidents is that the actual breach and theft of data occurred long before any detection of the intrusion. In the Orbitz example, we’re learning via press release today that the data was stolen in early 2017. With Yahoo, a 2014 intrusion was detected in late 2016. The gap between intrusion and detection is unsettling, considering that stealing and moving massive amounts of data isn’t easy, or quick. Consider that in Equifax’s case, the data transmissions occurred over 2 ½ months (from May 13th to July 30th).
Why does it take so long to detect? Network logs can answer the questions of who/what/where/when, including data sizes, influx and outflow. Shouldn’t your IT Department notice when abnormal amounts of data are moving?
Attacks go unnoticed for several different reasons. Because so few attacks disrupt a company’s day-to-day process, intruders often remain undetected for long periods of time. Also, companies might receive endpoint alerts related to intrusions, but they receive so many of these alerts and other security data that they can’t (or don’t) analyze all of it. Buried by alert data and logs, analysts seem to have difficulty prioritizing the risk or likelihood of the intrusion. Time and financial constraints prevent them from investigating every lead, and most companies don’t employ a dedicated team to investigate and sort through data incidents. Consider these statistics: a 2014 Damballa report found that the average company generates 10,000 security events per day, with the most active generating 150,000 events per day. By comparison, the Pentagon experiences 10 million “cyber break-in attempts” per day.
What can you do today to prepare?
- Audit, Audit, Audit! Document your policies and procedures, and regularly report on them. I’m proud of every single audit report that I author which finds something wrong! It means I’ve unturned a stone that can be corrected, on my terms, hopefully prior to having caused serious harm.
- Assess and Mitigate Risk – When was the last time you conducted a test intrusion, either internally or externally? Engage a professional to test your security protocols. Many times, problems lie hidden in plain sight, taking the naked eye of an outsider to bring them into focus.
- Evaluate Insider Threats – If a user can access a resource, they can compromise that resource. Sometimes users do it maliciously — for example, selling off data or sabotaging a database to get revenge for perceived mistreatment. More often, however, the insider threat is a mistake. A user might create a weak password, leave their account logged in on a shared computer, log in via an insecure connection, or screw up in any one of thousands of other ways.
- Install software patches in a timely manner. Consider – by the time the patch is distributed, hackers are likely working on the next best intrusion method.
- Segregation of Duties (Access Control) – The fewer users who have access to a particular piece of sensitive information, the less likely that information is to be compromised. The fewer permissions a user has, the less damage a hacker can do if they compromise that user’s account.
- Know Your Vendors – Third-party vendors need access to your landscape for you to run your business — for example, to process financial transactions or provide support. Unfortunately, hackers can target the portals they use as a means to gain access to your landscape. What controls, policies, and procedures do you require of your partners, if any? And how do you know they’re complying with those asks? Do you regularly audit your vendors?
Most Importantly? – Making Prevention a Priority
Instead of focusing on fending off attacks as they happen, companies need threat intelligence tools that identify internal vulnerabilities and data assets. Then, they should compare that with data from the external threat landscape to anticipate the company’s likelihood of being attacked. Hackers make it a full-time job to steal your data; what are you doing today to prevent that?
Since final publication of this article, there have been a handful of additional data breaches, which continue to be evolving situations, and therefore were not included in this post. USA Today reported that Best Buy, Sears, and Delta Air Lines believe that the personal payment details of “thousands of customers” may have been exposed due to an incident at 7.ai – a chatbot service (vendor) utilized by these companies.
By: Jeremy Felder
Dated: April 08, 2018
About: Jeremy Felder holds a Master’s Degree from Tiffin University and is the Chief Compliance and Operations Officer at Chase Receivables in Fairfield, New Jersey. He is a member of ACA International (ACA) and is certified and credentialed by the ACA as a CCCO, PCS and ACA International Scholar. Jeremy also holds a Board position as the Vice President, Office of Project Management, for S4 Infinity – an international non-profit organization.