As your company’s data sentinel, you are probably acutely aware of the massive rash of data breaches over the past few years. 2014 alone was chock full of large-scale attacks on companies that included Target, Home Depot, Goodwill and P.F. Chang’s, making these business stalwarts only a small portion of the 43 percent of businesses that reported cyber invasions in 2014. For another perspective, it might help to realize these invasions affected one billion customers. That number actually rose 10 percent over the previous year’s reported cyber attacks. Even worse than the percentage of reported infiltrations into companies’ sensitive customer data is the 10 percent of cyber hacking incidents that go unreported, according to USA Today.
These cyber criminals take their stolen data — credit card numbers, names, passwords and other personal customer data — to sell it on the online black market, also referred to as “The Dark Web.” This growing problem worries legitimate and ethical business owners and managers like yourself, causing you to wonder what more you can do to protect your valued customers’ data from online bottom feeders, seemingly without consciences. One of the best things you can do is study the breaches over the past years, trying to understand what went wrong and why — and things can go wrong with the company’s best intentions — or how they managed to avoid an attack and all the negative ramifications associated with an attack.
Top Data Breaches
Looking at the most recent spate of data breaches is probably the most helpful way for you to understand what cyber criminals are using to make their way into well-guarded systems and how you might use that information to safeguard your own system and its invaluable contents in 2016.
1. CareFirst BlueCross BlueShield
The CareFirst BlueCross BlueShield event did not cause a huge breach of data, in terms of the number of records compromised; however, this incident highlights the cyber thieves’ increasing focus on targeting the vulnerable and extremely confidential healthcare industry. Patients entrust their highly sensitive and confidential data to their medical insurance and healthcare providers with a leap of faith, so any breach can easily shake their tenuous faith. Thanks to a system review by CareFirst’s security firm, the company quickly learned that hackers had made their way into the insurance carrier’s website and services. The hackers managed to access patients’ email addresses, names, birth dates and subscriber information, but the system’s password encryption managed to stop the thieves before they reached the 1.1 million patients’ social security numbers, financial data and medical file information. If you manage the data for anything involving the healthcare industry, security is essential for keeping your customer base’s trust.
2. VTech Learning Lodge App
VTech, a Hong Kong-based toy manufacturer, is another company whose attack shows that it isn’t always the size and scale of the hack as much as the nature and vulnerability of the potential victims that makes it such a massive violation. The data leaked during this attack included photographs of children, their parents and chat logs, making this particular cyber invasion seem so personal. With this combined data, hackers could take information about the children and parents from the photographs and chat logs and find out their last names, addresses and more, according to Network World. The Learning Lodge App, which connects the customers to many of the company’s devices, was hacked on November 14, 2015, and the breach affected 4.8 million customers. VTech quickly suspended access and contacted affected customers. The company announced that the breach was caused by a SQL injection vulnerability and poor password security measures. Combining the scale and nature of this event, it ranks as one of the largest data breaches of the year.
3. U.S. Prison Phone Records
70 million U.S. prisoners’ personal data was provided to reporters as a result of this massive breach. This incident is yet another opportunity to show that the type of cyber crime is just as important as the number of people it affects. Unique in a number of ways, this case is particularly troublesome because it suggests that these prisoners might have experienced a violation of attorney-client privilege on an ongoing basis. The security system the prison system hires to protect their landlines charges high fees to the prisons and the prisoners themselves. Between the breach and the large loss of confidentiality versus the high fees, the prison system has contacted the FCC to perform an intensive probe into this breach.
4. Ashley Madison
The Ashley Madison breach probably caused the most personal relationship angst of any cyber attack over the past several years. The company serves as a match-making service for people trying to engage in confidential extramarital affairs, so its protection of data was critical to protect their customers. If anyone has trouble identifying with the primary customer’s loss of privacy, it is important to remember the privacy and lives of spouses and children factor into the equation. 37 million customers experienced compromised data due to a bad MD5 hash implementation. The security system remains uncertain as to how the attackers got into the system, as well as when, but they detected their presence in July 2015 when the cyber hackers, calling themselves “The Impact Team,” brazenly sent notification to employees’ login screens, announcing the breach. This case was massive because of the personal strife it caused, ravaging marriages and possibly causing two suicides.
5. Office of Personnel Management
Upon a forensic investigation, triggered by anomalous traffic and a decryption tool discovered in the network, the Office of Personnel Management discovered it had been under attack for 343 days for a data mining operation. The hackers used stolen credentials to hack the system and, once inside, they planted a malware backdoor entry directly into the network. This hack allowed the cyber criminals to roam freely and undetected while mining data on personnel for intelligence purposes, as opposed to doing so for financial gain. At the end of their siege, the hackers walked away with information on 22 million current and former federal employees in law enforcement and intelligence.
Call in a Professional Internal Audit Provider to Shore Up Your Operations
Hopefully these cases might spark some security inspiration for you, your IT team, your board members and your C-Suite, thinking of potential blind spots and vulnerable areas you can bolster. Another way you can add intensive security to your system is by contacting I.S. Partners, LLC to learn more about their internal auditing expertise. Call us at 215-675-1400 or request a quote here. The more trusted eyes, ears and minds you have monitoring your sensitive data, the better you can reduce risk, ensure compliance and increase profits as you improve your internal processes.