In late 2016, the Identity Theft Resource Center (ITRC) and CyberScout reported that data breaches were up 40% from the year before, and that figure only counts reported breaches. Almost half of them occurred in the business sector. This sector stores valuable customer information, yet its level of data breach protection ranges from pretty good to completely inadequate.
Regulated sectors other than healthcare did well: education, government/military, and finance each reported a small share of breaches. The financial sector was lowest of all, which makes sense given that industry's robust compliance and security programs. Healthcare, however, failed badly despite its privacy regulations, accounting for nearly 35% of all reported breaches.
Data attack types abound. Skimming is a popular criminal activity at the consumer level: a person or a hidden reader copies the account data from a credit or debit card. Even simple device theft can be devastating. Coca-Cola found this out when an employee stole several unencrypted laptops containing sensitive personal information on more than 70,000 employees and contractors. (Moral of the story: encrypt sensitive data on laptops and mobile devices, so that a stolen device is not also a breach of its contents.)
In most businesses, however, cyberattacks such as hacking and phishing cause the most damage. Two of the largest hacks in Internet history happened on Yahoo's watch: one in 2013 and one in 2014. The 2014 breach affected over 500 million user accounts. The 2013 breach affected (get this) 1 billion user accounts, a figure Yahoo later revised upward to every account that existed at the time, about 3 billion. Stolen data included names, email addresses, phone numbers, security questions and answers, birthdates, and hashed passwords. Yahoo did not publicly disclose the breaches until 2016, and the FBI became involved because of evidence of state-sponsored activity.
And here's the kicker: on March 1, 2017, Yahoo reported that roughly 32 million additional accounts had been accessed during 2015 and 2016 using forged cookies, which let the intruders skip the login step entirely. Yahoo tied that activity to the same state-sponsored actor behind the 2014 breach.
Hacking and Phishing: What’s the Difference?
A lot of people (including me) use the term "hacking" to describe any deliberate attempt to steal data digitally. Strictly speaking, though, hacking means exploiting a flaw in software or a system to gain control of it or access to its data.
Hacking isn't always about data theft. It can also be political protest or cyberwarfare, such as Anonymous taking down ISIS recruiting sites, or the infamous Stuxnet worm damaging centrifuges at an Iranian nuclear facility. Financial gain, though, remains a major motivation for hackers.
Hackers hit Spamhaus, the organization whose blocklists mail providers worldwide use to filter spam out of incoming email, with a massive DDoS (Distributed Denial of Service) attack in 2013. The attack was especially bad in Great Britain and serious enough in the United States to involve the FBI. A DDoS attack is not an intrusion: attackers flood a site with far more requests than it can serve, using many compromised or co-opted machines at once (the Spamhaus attack bounced traffic off open DNS resolvers to amplify it to roughly 300 Gbps). The flood slows servers down, frequently crashes them, and in a truly successful attack renders the site unusable.
Target is still suffering the effects of its 2013 breach. The attackers got onto Target's network with credentials stolen from a heating and air-conditioning contractor, then pushed card-stealing malware to point-of-sale systems on November 27, 2013, two days before Black Friday, one of the largest shopping days of the year. Target did not recognize the breach until the U.S. Justice Department alerted it in mid-December; the company confirmed the intrusion on December 13 and brought in a third-party forensic firm. By December 15 the malware had been removed. But the damage was done: roughly 40 million payment card numbers and personal information on as many as 70 million customers were taken (the 110 million figure usually quoted combines the two, with some overlap). In December 2015 Target settled with the affected banks for $39 million. But the hit to its reputation affects its business to this day.
IT and InfoSec bear the primary responsibility for protecting the business from external hacking attempts, and, as the Target case shows, that includes the network access granted to vendors.
Phishing is tricking a user into voluntarily surrendering sensitive information or access. Most phishing attempts arrive as an email with an attachment or a link. Opening the attachment or following the link either installs malware on the computer, which may then spread to other networked devices, or lands the user on a counterfeit login page that captures their credentials. Some phishing emails are less sophisticated than others: if an email purports to come from a Nigerian prince, most people know to trash it. But some attempts are quite sophisticated, especially spear-phishing aimed at specific high-level individuals.
The Russian hacking group Fancy Bear used spear-phishing to break into the email accounts of Colin Powell, the DNC, and John Podesta. The group worked from a target list of almost 4,000 individuals, including journalists, military personnel and contractors, and government officials and their suppliers. The Podesta lure, for example, was a fake Google security alert with a shortened link to a counterfeit password-reset page. These and similar attacks were serious enough that they may have affected the U.S. presidential election.
Sometimes the attackers' motivation is purely financial. Hollywood Presbyterian Medical Center experienced such an attack in February 2016. A user innocently opened an attachment, believing it came from a colleague. The ransomware spread through the hospital network and encrypted critical data, including medical records. The attackers demanded 40 bitcoins, about $17,000 at the time, for the decryption key. The hospital tried to recover on its own, reverting to paper charts and diverting some patients, but after roughly two weeks had to admit defeat and paid. The attackers walked away with the ransom.
Although IT and InfoSec must be involved in staving off phishing, the first line of defense is the email user. Whatever their title, every user must be wary of anything unusual in a message. An email may bear a trusted name and sender address (both are trivially forged), so review the message carefully before opening an attachment or clicking a download link. Pay special attention to where a link actually goes: hover over it and read the real address, because the displayed text can say one thing while the target says another. A link may appear to point at a well-known business domain, but just one letter off (paypa1 instead of paypal), or the real name buried in a subdomain of some unrelated site, makes it highly suspicious.
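As an added illustration of those link checks (this is example code written for this article, not something from the original page), the Python below pulls every link out of an HTML email body, compares the link's real host with the domain the visible text claims, and flags hosts that are one letter or one look-alike character away from a trusted domain. The allowlist, the homoglyph table, and the sample email are constructed for the example, and the "last two labels" rule for the registrable domain is a simplification.

```python
"""Inspect the links in an email body for two phishing tells: display text that
names a trusted domain while the href goes elsewhere, and link hosts that are a
single character (or a look-alike character) away from a trusted domain.
Added example; the allowlist and the sample email are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains this organisation and its users legitimately use.
TRUSTED_DOMAINS = {"paypal.com", "google.com", "example-bank.com"}

# Character substitutions commonly seen in typosquats ("paypa1", "g00gle", "rnicrosoft").
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the domains above; real code
    would consult the Public Suffix List to handle names like bank.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Undo look-alike substitutions so 'paypa1' compares equal to 'paypal'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify_host(host: str) -> str:
    """'trusted' if the host belongs to an allowlisted domain, 'lookalike' if it
    imitates one, otherwise 'unknown'."""
    host = host.lower()
    dom = registered_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    name = dom.rsplit(".", 1)[0]          # "paypa1.com" -> "paypa1"
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.rsplit(".", 1)[0]
        if normalize(name) == tname or edit_distance(name, tname) <= 1:
            return "lookalike"            # one letter off, or homoglyphs
        if trusted in host:
            return "lookalike"            # real name buried inside another host
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


DOMAIN_IN_TEXT = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def analyze_links(html: str):
    """Return [(href, verdict)]; verdict is 'trusted', 'unknown', 'lookalike',
    or 'mismatch' (the visible text names a trusted site, the link goes elsewhere)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        verdict = classify_host(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registered_domain(shown.group()) in TRUSTED_DOMAINS and verdict != "trusted":
            verdict = "mismatch"
        findings.append((href, verdict))
    return findings


# Constructed phishing-style email body used to exercise the checks.
SAMPLE_EMAIL = """
<p>Your account has been limited. <a href="http://paypa1.com/login">Verify your account</a> now.</p>
<p>Or sign in at <a href="https://paypal.com.secure-login.net/">https://www.paypal.com/</a></p>
<p>Your statement is ready: <a href="https://www.example-bank.com/statements">example-bank.com</a></p>
<p><a href="https://lists.newsletter-host.org/u/123">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, verdict in analyze_links(SAMPLE_EMAIL):
        print(f"{verdict:9s} {href}")
```

Run against the constructed email, the first link is reported as a lookalike (the digit 1 standing in for l), the second as a mismatch (the text says paypal.com, the host is secure-login.net), the bank link as trusted, and the unsubscribe link as unknown, which is the right answer for a domain the checker has never heard of: unknown is not the same as safe.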
The Biggest and the Baddest Data Breaches
Sony Corp. of America is a great example of what not to do. One of the largest data breaches ever reported was the April 2011 external attack on Sony's PlayStation Network. Attackers made off with 77 million customer records, including names, addresses, birthdates, and login credentials, and the network was offline for 23 days. Sony then discovered that nearly 25 million Sony Online Entertainment (SOE) customer accounts had also been compromised. Even the U.S. House of Representatives got into the action, asking Sony, in effect, "How could this happen?"
Sony made several big changes to guard against external hacking. Apparently, they did not go far enough. In November 2014, a group calling itself the Guardians of Peace broke into Sony Pictures Entertainment's network and planted malware. The group emailed Sony executives demanding money or they would activate it. The executives did not respond, and wiper malware destroyed data on thousands of machines. The group had already copied terabytes of data, and it leaked employee records, executive emails, and unreleased films. The FBI attributed the attack to North Korea. Once again, Sony was on its knees.
No system on earth is truly intrusion-proof. Even a highly secure system with no Internet connection can be physically dismantled and carted away. But when it comes to cyber intrusion, don't be the low-hanging fruit. Make it hard for attackers to get any value from you or your employees. Protect your data and reputation by patching and hardening your network against exploits and malware, encrypting data at rest, and requiring strong, unique passwords backed by multi-factor authentication. (Forcing users to change passwords on a fixed schedule, once standard advice, is no longer recommended by NIST guidance in SP 800-63B; change them when there is evidence of compromise.)
If a company does not take data breach protection and information security seriously enough, it shares responsibility with the attackers. That sounds harsh, but it is the difficult truth of today's cyber reality.