Impact of Data Breaches

Along with advancing technology, cybersecurity has become an increasingly serious problem for data protection. In the past ten years, there have been nine major data breaches of well-known companies in the United States. By looking at these past data breaches, we hope to point out some grave realities of cyberattacks and how to protect yourself from them.

What Happened?

Yahoo (2013)

The cyberattack occurred in 2014 and compromised the real names, email addresses, dates of birth, and telephone numbers of 500 million users. However, this did not come to public knowledge until September 2016, during sale negotiations with Verizon. It was also revealed that in 2013, a different breach compromised 1 billion accounts and included the further exposure of security questions and answers. In 2017, Yahoo increased that estimate to nearly 3 billion compromised accounts. Verizon opted to acquire Yahoo’s business anyway, but with the two companies splitting the regulatory and legal liabilities resulting from the breaches.

Marriott International (2018)

The origins of Marriott International’s breach date back to 2014 on the Starwood hotel brand’s systems. Although Marriott acquired Starwood in 2016, the breach was not discovered until September 2018. It is believed that the breach was conducted by a Chinese intelligence group seeking data on U.S. citizens. Some victims escaped with minimal information stolen, such as name and contact information. However, roughly 100 million customers were reported to have had credit card numbers and expiration dates stolen. Some were even more unfortunate and had passport numbers, Starwood Preferred Guest numbers, travel information, and other personal information stolen.

eBay (2014)

In May 2014, eBay suffered a cyberattack that compromised the names, addresses, dates of birth, and encrypted passwords of all 145 million users. The hackers gained access to the company network using three corporate employees’ credentials. They had access for an extended period of time, which allowed them to reach the user database undetected. eBay came under harsh scrutiny for its delay in notifying users and its poor implementation of password renewal. The silver lining was that users’ financial information was stored separately and therefore remained uncompromised during the breach.

Equifax (2017)

In September 2017, Equifax announced that an application vulnerability on one of its websites had led to a data breach compromising 147.9 million consumers. The breach was reported to have taken place over a three-month period. Social Security numbers, birth dates, addresses, and driver’s license numbers were exposed in the breach, as well as the credit card data of nearly 209,000 consumers. The breach also affected some UK and Canadian residents.

Target (2013)

Target’s infamous 2013 breach resulted from a third-party vendor compromise that reached its point-of-sale (POS) payment card readers, exposing approximately 40 million credit and debit card numbers. Personally identifiable information of 70 million customers was also exposed, including full names, addresses, emails, and phone numbers. With 110 million customers affected in total and costs of $162 million, Target’s CIO and CEO resigned in early 2014. In the aftermath, Target was noted to have significantly improved its security measures, but not its incident response.

Lessons Learned

Response and Disaster Recovery

Learn by example. Target’s breach was unfortunately revealed by multiple outside sources, and Target only confirmed it after other corporations had released their own investigations. Michaels, on the other hand, took the overcautious approach of notifying customers of a potential breach after it had been the target of multiple cyberattack attempts. The best approach is to have a communication prepared before a breach happens. This allows you to release it as soon as you learn of a breach, giving you a chance to get ahead of other sources releasing the information before you do. Nothing is worse than recovering from a bad reputation caused by a lack or delay of communication in a time of crisis.

This communication should also be simple and concise. There is no need to detail anything beyond the facts: who was affected, what information was breached, your plan to remedy the situation, and a contact for questions. It is also important to convey empathy and to assure customers that there is a plan in place for immediate action, both to address the current breach and to prevent future breaches. Remember to check from whom your communication is being distributed. For example, Target’s communication notifying its customers came from a suspicious-looking sender address and included a similarly suspicious link for credit monitoring. Make sure that your communication comes from an easily identifiable sender address, such as “communications@[companyname].com”, so that your customers do not have to wonder whether it is another malicious phishing attempt, and so that it does not end up in their junk mail. To avoid suspicion of links to complimentary credit monitoring services, consider providing an email address and phone number that customers can use if they have questions or wish to opt in to the complimentary service.

Equifax is an excellent example of effective communication and strategy. In response to its 2017 breach, Equifax hired a forensics firm to investigate and to recommend prevention methods against future attempts, and it offered complimentary credit monitoring to those affected. However, a common misconception about free credit monitoring is that it watches your existing accounts; it does not, which can give victims a false sense of security. Credit monitoring looks solely at changes to credit files reported to one of the three credit bureaus. If you do not wish to offer free credit monitoring, consider looking into alternative monitoring solutions (e.g., most banks and credit card companies have their own fraud departments and tracking methods, and outside vendors such as Credit Karma can provide additional credit monitoring services).

As with communication, it is best to have a response plan and a disaster recovery plan ready for a breach. If you have not already, you should invest in adequate cybersecurity protections, such as training courses, upgraded IT resources, network security (e.g., firewalls, encryption, and system monitoring), and expert advice. Your disaster recovery plan should include a response, a strategy to address the current issue, and a plan for prevention.

Train Workforce & Prevention

Proactively combating cyber threats can be accomplished by training your workforce and implementing prevention methods. Cybersecurity training programs can help your staff identify different types of scams, phishing, and similar practices, as well as malicious behavior in others. If a new system is implemented, having an expert train staff on how to use it properly and explain what type of data it stores is a great way to educate your employees and make them more security-minded in their practices. Some cybersecurity protection programs use current scams to test your internal staff’s ability to identify and address potential threats. This can weed out places in your systems or staffing that put the integrity of your data at risk. For example, point-of-sale (POS) systems and networks are typically weak spots in a company’s cybersecurity defenses.

Creating policies for data and equipment is part of best practices, processes, and procedures. Your data and equipment policies should include limiting data transfers, backing up data, shredding paper files, frequently changing passwords and requiring complex passwords (e.g., including symbols, capitalization, and numbers), clearly defining acceptable use of computers and other company electronics, and limiting cloud use.

Regularly auditing, implementing automation and encryption where possible, and monitoring usage are also beneficial best practices for protecting data and equipment. Since human error is a leading cause of accidental breaches, automating systems (e.g., checking for and reminding users of password changes, assessing server and firewall configurations, and applying email and web browser filters) and using encryption (e.g., when sending confidential documents or information) offer another layer of protection against human error. Audits, assessments, and monitoring of data use provide great insight into internal behavior. For example, tracking and monitoring data services can identify who is responsible in the case of a breach where data was misused, accessed without authorization, or exposed to an unauthorized user.

Invest in Cybersecurity Solutions

Consider paying for certifications or educational classes on consumer privacy and data security legislation, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR). Familiarizing yourself and your employees with the approximately 20 industry- or sector-specific federal laws and the more than 100 state-level privacy laws can better inform you of best practices and of your legal obligations.

While it is not easy to protect against data breaches, it is important to remember that no company is impenetrable. It is how you prepare for them and proactively protect yourself that makes the difference. Keep in mind that the average time it takes to identify and contain a data breach is 279 days. It is a tedious, frustrating process, but hopefully these tips will prepare you for a worst-case scenario. For further advice and strategies to improve your cybersecurity protection, contact Core ID Services.