(By David Higgins)
This Data Privacy Day, we urge individuals and organisations around the world to learn from the fallout of the mega-breaches of the recent past. We provide five positive steps that companies around the world can take to better protect consumers, employees and more.
Until recently, data privacy was only considered critical in the digital world. But as the digital and physical worlds intersect, it is now integral not only to securing an individual’s or a corporation’s digital identity, but also to protecting the physical safety of citizens. Data privacy considerations should underpin all company decisions, whether at board level or on the shop floor and, this Data Privacy Day, organisations should encourage their entire workforce – not just IT teams – to re-evaluate how they secure and manage data.
It’s now well-established that data is the world’s most valuable asset, and a tempting target for malevolent hackers with varying motivations. More often than not, they are pursuing credentials that they can use to infiltrate businesses and target sensitive and valuable data. Attackers seek ways to cause irreparable damage across a whole range of industries, from seizing companies’ administration logins to hacking into medical data so as to hold individuals to ransom over the disclosure of sensitive personal information. As a tragic but potentially realistic scenario, a doctor could be unable to perform a life-saving operation because the patient’s records are unavailable.
Hackers will inevitably be successful from time to time. Addressing this threat and limiting how far they can infiltrate a network after a successful breach is imperative in order to safeguard national security. Infiltration or compromise of CNI (critical national infrastructure), for instance, could plausibly result in the loss of control of public services such as utilities, healthcare and government, posing a severe risk to public safety. This Data Privacy Day, we need to take a step back to understand not only the value of the data we hold, but also the importance of allowing only the individuals and systems that need it to access it.
Mega Breach lesson #1: Equifax Breach (reported in 2017) – Several tech failures in tandem – including a misconfigured device scanning encrypted traffic, and an automatic scan that failed to identify a vulnerable version of Apache Struts – ultimately led to the breach, which impacted 145M customers in the US and 10M UK citizens.
Data Privacy Day Learning – get security basics right. Cyberattacks are growing more targeted and damaging but a good industry reminder from the Equifax breach is that standard security basics should never be ignored. Patches should be applied promptly, security certificates should be maintained, and so on. This breach also inspired elected officials to push for stronger legislation to tighten regulations on required protection for consumer data.
Mega Breach lesson #2: Uber Breach (reported in 2017) – In 2017 Uber revealed it had suffered a year-old breach that exposed personal information belonging to 57M drivers and customers.
Data Privacy Day Learning – don’t store credentials in a code repository. Uber data was exposed because the AWS access keys were embedded in code that was stored in an enterprise code repository by a third-party contractor. A clear takeaway is that no code repository is a safe storage place for credentials.
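A pre-commit check for embedded AWS keys is the practical form of this lesson. The scanner below is an added example, not CyberArk’s or Uber’s code; the sample source file is constructed and uses AWS’s published documentation placeholder keys, and findings are redacted so the report itself does not re-leak a secret.

```python
import re
from typing import List, Tuple

# Constructed sample of a source file with an embedded AWS key pair. The key values
# are AWS's own documentation placeholders, not live credentials.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
session = boto3.Session(aws_access_key_id=AWS_ACCESS_KEY_ID,
                        aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
# The region name is not a secret and must not be flagged.
REGION = "eu-west-1"
"""

# AWS long-term access key IDs start with AKIA followed by 16 uppercase letters/digits.
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A secret access key is 40 base64-like characters; requiring it to be assigned to a
# name containing "secret" keeps ordinary 40-character strings out of the results.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(aws)?_?secret(_access)?_?key\W{0,3}[=:]\s*['\"]([A-Za-z0-9/+=]{40})['\"]")


def redact(value: str) -> str:
    """Keep only the first four characters so reports do not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for every credential-like hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append((lineno, "aws_secret_access_key", redact(m.group(3))))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {value}")
```

Wired into a pre-commit hook or CI job, a non-empty result from scan_source should fail the commit; the real credential then belongs in a secrets manager, not the repository.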
Mega Breach lesson #3: Facebook’s Cambridge Analytica Breach (reported in 2018) – Cambridge Analytica harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes. The scandal finally erupted in March 2018 with the emergence of a whistle-blower, and Facebook was fined £500,000 ($663,000), which was the maximum fine allowed at the time of the breach.
Data Privacy Day Learning – protect user data (or pay up). Lawmakers claim Facebook “contravened the law by failing to safeguard people’s information” – and suffered the consequences. Now the US government is placing additional pressure on Facebook to stop the spread of fake news, foreign interference in elections and hate speech (or risk additional, larger fines).
Mega Breach lesson #4: Ecuadorian Breach (reported in 2019) – Data on approximately 17M Ecuadorian citizens, including 6.7M children, was breached due to a vulnerability on an unsecured AWS Elasticsearch server where Ecuador stores some of its data. A similar Elasticsearch server exposed the voter records of approximately 14.3 million people in Chile, around 80% of its population.
Data Privacy Day Learning – adhere to the shared responsibility model. Most cloud providers operate under a shared responsibility model, where the provider handles security up to a point and, beyond that, it becomes the responsibility of those using the service. As more and more government agencies look to the cloud to help them become more agile and better serve their citizens, it’s vital they continue to evolve their cloud security strategies to proactively protect against emerging threats – and reinforce trust among the citizens who rely on their services.
Mega Breach lesson #5: Desjardins Breach (reported in 2019) – The data breach that leaked info on 2.9M members wasn’t the result of an outside cyber attacker, but a malicious insider – someone within the company’s IT department who decided to go rogue and steal protected personal information from his employer.
Data Privacy Day Learning – be proactive in identifying unusual or unauthorized behaviour. While insider threats can be more difficult to identify, especially in a case where the user had privileged access rights, having a solution in place to monitor for unusual and unauthorized activities, and that can take automated remediation steps as needed, can help reduce the amount of time it takes to stop an attack and minimize data exposure. This breach shows that a defence-in-depth security strategy that includes privileged access security, multi-factor authentication, and the detection of anomalous behaviour with tools such as database activity monitoring has never been more crucial.
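The kind of check a database activity monitor runs is easier to see in miniature. The detector below is an added example, not CyberArk’s product logic or anything from the Desjardins case; the audit events are constructed, and it profiles each account on which tables it normally touches and how many rows a query normally returns, then flags a privileged account’s bulk read and a service account’s first visit to a table it has never used.

```python
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

# Constructed database audit events (not real data): one record per query, giving
# the account, the table touched and the number of rows returned.
BASELINE_EVENTS = [
    {"user": "dba_j", "table": "members", "rows": 120},
    {"user": "dba_j", "table": "members", "rows": 95},
    {"user": "dba_j", "table": "accounts", "rows": 40},
    {"user": "app_svc", "table": "members", "rows": 1},
    {"user": "app_svc", "table": "members", "rows": 2},
]
NEW_EVENTS = [
    {"user": "dba_j", "table": "members", "rows": 110},        # within normal range
    {"user": "dba_j", "table": "members", "rows": 2_900_000},  # bulk export by a privileged user
    {"user": "app_svc", "table": "ssn_vault", "rows": 1},      # table this account never touched
]


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per account: the set of tables it normally reads and its average rows per query."""
    tables = defaultdict(set)
    rows = defaultdict(list)
    for e in events:
        tables[e["user"]].add(e["table"])
        rows[e["user"]].append(e["rows"])
    return {u: {"tables": tables[u], "avg_rows": mean(rows[u])} for u in tables}


def detect_anomalies(events: List[dict], baseline: Dict[str, dict],
                     volume_factor: int = 20) -> List[Tuple[str, str]]:
    """Flag queries from unknown accounts, against tables new to the account,
    or returning more than volume_factor times the account's usual row count."""
    alerts = []
    for e in events:
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["user"], "unknown_account"))
            continue
        if e["table"] not in profile["tables"]:
            alerts.append((e["user"], f"new_table:{e['table']}"))
        if e["rows"] > volume_factor * profile["avg_rows"]:
            alerts.append((e["user"], f"volume:{e['rows']}"))
    return alerts


if __name__ == "__main__":
    for user, reason in detect_anomalies(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"ALERT {user}: {reason}")
```

In practice the "volume" alert is the one that would trigger an automated response such as suspending the session, since a single query returning the whole membership table is the signature of the export this breach involved.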
(The author is the Technical Director at CyberArk)