Defending Your Company Against Data Breaches
A recent report by Risk Based Security (RBS) reveals that there have already been 3,800 data breaches in the first half of 2019, exposing over 4.1 billion records. Over the last four years, there has been at least a 50% increase in data breaches!
What is a Data Breach?
A data breach is a security incident where confidential information is exposed to unauthorized parties. It could be accidental or intentional and may also be referred to as a data leak, data spill, or information leakage.
The International Standards of IT security (ISO/IEC 27040) and the GDPR define a data breach as:
A compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.
Cybersecurity and information security act to mitigate the risk of data breach incidents. Sensitive information is constantly being created and transmitted — whether it be an online shopper entering their payment information, someone applying for a phone plan, or a hospital recording patient details. Information risk management aims to protect the confidentiality, integrity, and availability of data.
While insider threats to information security are very real, the RBS report notes that 89% of data breach incidents are attributed to external cyberattacks. Hacking is the most common type of data breach — a result of growing vulnerabilities in the cybersecurity landscape.
Types of information targeted by cybercriminals include:
- Credit card details
- Personally identifiable information (PII)
- Trade secrets
- Corporate information
- Intellectual property
- Government or military secrets
- Contract details
Cybercriminals could use this sensitive information for identity theft or sell it in the black market or dark web.
According to the RBS report, in 2019, 67% of breach victims were businesses, 14% were from the medical industry, 12% were from the government and 7% were from the education industry. This 2019 Data Breach Investigations Report by Verizon demonstrates similar findings.
Breaking it down further, RBS reports that the top 5 economic sectors most affected by data breaches are:
- Healthcare services
- Finance & Insurance
- Public Administration
A 2018 study by the Ponemon Institute found that data breaches usually remain undiscovered for an average of 197 days and take another 69 days to be remediated. In 2019, Verizon found that 56% of breaches were undiscovered for several months or longer. An organization can never be too careful in taking protective measures against data breaches.
In this article, I will cover:
- Potential causes of a data breach
- Data breach examples
- How to prevent a data breach
How does a data breach happen?
The two main causes of data breaches are network attacks and social engineering.
A network attack is when a cybercriminal infiltrates a network due to weak infrastructure, systems and applications.
Social engineering, according to Wikipedia, is the “psychological manipulation of people into performing actions or divulging confidential information”.
Here are some ways these happen:
User credentials like email addresses and passwords are the most targeted by hackers as they enable access to systems and services. The RBS report reveals that email addresses were compromised in approximately 70% of breaches and passwords were compromised in approximately 65% of breaches.
Each year, Internet security firm Splash Data releases the “Worst Passwords List”, identifying the top 25 most common passwords leaked in that year’s data breaches. In 2018, over 5 million passwords were evaluated to emerge with this list:
Having a weak password enables hackers to gain easy access to accounts just by playing a game of trial and error. “123456” and “password” have topped this list since the report started in 2011. It is estimated that 10% of people have used at least one password on this list, and 3% have used the worst password “123456”.
An exploit is an attack that takes advantage of vulnerable systems or software bugs. Both cybercriminals and cybersecurity researchers work to identify vulnerabilities that hide within a system’s code. Cybercriminals exploit them, while cybersecurity researchers report them to software manufacturers to patch the bugs. Commonly exploited software includes operating systems, Internet browsers, Adobe applications and Microsoft Office applications.
An example of this is the SQL injection (SQLI) which attacks weakness in SQL database management software. A SQLI will cause unsecure websites to release confidential information. For instance, an attacker could enter a malicious code in the search field of a retail site and gain access to its customers’ credit card information. These attacks are easy to perform and can even be automated by entering the URL of a target site into the software.
A system is also vulnerable if it uses out-of-date software. This makes it easier for attackers to load malware onto a system to gain unauthorized access.
Malware refers to a variety of malicious software, including adware, spyware, viruses and trojans.
While most malware is designed to harm your computer (e.g., by causing errors or slowing it down), spyware is particularly damaging as it sends personal information from your computer or network back to the attackers’ servers.
Someone using an operating system or browser with a security flaw could unintentionally download malware by visiting a compromised webpage. This is called a drive-by download. A user could also accidentally download malware through email attachments or a trojan in targeted malware attacks. According to the Verizon report, 28% of breaches in 2019 involved malware.
There are even programs created for hackers to improve their malware. For instance, the Scan4You program was used to help cybercriminals avoid detection from antivirus programs. It was used by a hacker involved in the 2013 Target data breach (which I will cover below).
This is a type of social engineering where people (either targeted individuals or mass groups) are tricked into revealing sensitive information after they receive an email or text message pretending to be from a company they have an account with. The phishing message will request the user to perform a certain action which requires their login credentials. This fake message could be anything from an online shop asking the user to verify their purchase to a bank asking their customer to update their contact details. It will then direct the user to a malicious login page which looks identical to the original and collect the user’s sensitive information.
This combines malware and social engineering. In a ransomware attack, malware is usually delivered through spear phishing emails, resulting in highly sensitive data being stolen followed by a demand for a ransom. According to a recent report by Malwarebytes, ransomware attackers are increasingly targeting businesses over mass consumers due to bigger potential payouts. It reveals that there has been a 365% increase in business detections of ransomware from Q2 2018 to Q2 2019. Businesses that tend to have weak IT infrastructure and operational security (e.g., education and healthcare) are targeted. Such attacks have a track record of being highly successful, with attackers receiving ransoms that could add up to millions.
Insider threats and weak security infrastructure
In the first half of 2019, misconfigured databases and services have resulted in the exposure of over 3.2 billion records. Weak security infrastructure is often the cause for internal data leaks, whether they be accidental or malicious.
For instance, broken access controls could result in malicious employees gaining unauthorized access to sensitive information and using it for personal gain. Also, misconfigured access controls may make private website files and back-end folders public. Cyber criminals can then quite easily use strategic Google searches to access these folders which may contain sensitive data like customer details and payment information.
Infiltration of third-party systems
Sometimes, information is compromised through an attack on third-party sites. This means that even if the company you have an account with has not directly been hacked, your data could still be exposed if one of their partners has been attacked.
For instance, in the American Medical Collection Agency (AMCA) breach, hackers stole 22 million patient records, including birth dates, Social Security Numbers and financial details. It was especially difficult to manage as there were multiple parties involved. The incident was so severe that AMCA was forced to file for bankruptcy protection two weeks after the breach was made public.
In 2013, retail giant Target was the victim of a sophisticated cyberattack which used social engineering to conduct a phishing scam on a third-party vendor, before launching a malware attack on Target’s physical point-of-sale (POS) devices.
It started with a phishing attack targeting employees of an air-conditioning company contracted by Target. Their air conditioners were connected to Target’s network to monitor energy usage. Once the accounts in the air-conditioning company were compromised, the attackers gained access to Target’s system. They then spread malware to Target’s POS systems which reprogrammed their credit card scanners to collect customers’ payment data. An estimated 110 million customers had their data compromised. The attackers had stolen personally identifiable information including full names, addresses, email addresses, phone numbers and credit card information. Target received lawsuits from customers, state governments and credit card companies. The estimated cost of the breach was $162 million and the CEO and CIO resigned as a result.
Data Breach Victim A: Capital One
Capital One Financial Corporation was recently the victim of one of the largest data breaches of a bank. Its banking data from 2005 to 2019 was leaked, affecting consumers, applicants and businesses in the United States and Canada.
Sensitive data stolen in this leak included:
- Phone numbers
- Email addresses
- Social Security Numbers/Social Insurance Numbers
- Reported income
- Dates of birth
- Credit scores
- Credit limits
- Linked bank account numbers
- Payment history
- Transaction data
This data breach affected 100 million consumers and applicants in the United States and 6 million in Canada. The impact of this breach is estimated to have cost around $100 million to $150 million. There has also been a class action lawsuit filed against the company.
The breach occurred in March and April of 2019. In mid-April, the attacker responsible for the breach posted information about it on GitHub, a project-managing site popular among web developers. Capital One was only made aware of the breach on July 17, via an anonymous tip off via email.
* “S3” refers to Amazon Web Services’ cloud-storage product used by Capital One.
Capital One confirmed the breach on July 19 and reported it to the authorities. They did not alert customers of the breach until July 29, after the attacker was arrested. According to their official statement, once they confirmed the breach they “immediately fixed the configuration vulnerability that this individual exploited” and that the attacker had been arrested and put in custody. They announced that they will offer free credit monitoring and identity protection to everyone affected.
However, the damage was already done and Capital One had waited too long before notifying their customers of the breach. It should have been an immediate priority. Such an incident is time-sensitive and further harm can often be mitigated if victims act early. For instance, informed customers could have contained the risks of the breach by quickly freezing their credit cards and changing their passwords. Article 34 of the GDPR accurately outlines the urgency of such a situation: “the controller must communicate the personal data breach to the data subject without undue delay.” It was poor corporate practice of Capital One to take 10 days to announce the breach.
How it happened
Capital One uses the Amazon Web Services’ (AWS) cloud-storage solution to store their data. The intrusion occurred through a misconfigured web application firewall on AWS’ system that enabled access to the data. The alleged attacker, Paige A. Thompson, has been charged with computer fraud and abuse. As Thompson was a former Amazon employee, some consider this to be an insider threat. However, it is also possible and common for external security researchers to identify these misconfigurations.
Capital One claims to protect sensitive data by tokenizing select data fields like Social Security Numbers and account numbers. According to ZDnet, tokenization is “the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data.” However, tokenization could not sufficiently protect the data in this incident as the attacker was able to decrypt it.
The attacker’s motive is unclear as she had not sold or disseminated any of the data. However, she posted about it publicly on GitHub and Slack, revealing the security flaw to others who could take advantage of the situation.
A new court file reveals that the servers seized from Thompson’s residence included not just the data stolen from Capital One, but also multiple terabytes of data from more than 30 other organizations, including educational institutions. This demonstrates how a single hacker could be a threat to millions.
It should be noted that after a security breach is made public, malicious individuals and groups often capitalize on the situation using “follow up” scams. For instance, scammers might target potential breach victims via phishing emails or phone calls, posing as Capital One, requesting that they reveal their personal details in order to remedy the situation.
The Capital One data leak was caused by a firewall breach of a third-party system.
The tokenization was not strong enough to protect the data.
The attacker also had unauthorized access to data from 30+ other organizations.
The most concerning part is that this might still remain undiscovered if not for the anonymous tip.
How to Protect Your Organization from a Data Breach
Implement cybersecurity policies
- Your cybersecurity policy should contain clear protocols, training, checklists and best practices regarding your organization’s security infrastructure. Establish and document procedures on how your information security team will prevent, detect and handle data breaches. View an example by the Federal Trade Commission here.
- According to Wikipedia, information security is largely achieved through a structured risk management process to protect information confidentiality, integrity and availability.
- This involves:
- Identifying information and related assets, plus potential threats, vulnerabilities and impacts;
- Evaluating the risks;
- Deciding how to address or treat the risks, i.e., to avoid, mitigate, share or accept them;
- Where risk mitigation is required, selecting or designing appropriate security controls and implementing them;
- Monitoring the activities, making adjustments as necessary to address any issues, changes and improvement opportunities.
- Prepare a security incident response plan in the event of a breach to minimize and contain data leaks. This should describe the procedures involved to identify, contain and quantify the incident. The Federal Trade Commission has produced a comprehensive data breach response guide here.
- Ensure your information security team conducts ongoing penetration testing to identify and fix vulnerabilities. Conduct security awareness training for IT staff and employees and hold them accountable. Build a culture of continual improvement where everyone is dedicated to improving data protection policies.
Educate employees on best practices to prevent a data breach
- Do not open unfamiliar email attachments or links as they might contain malware.
- To confirm if the sender is legitimate, conduct a separate search using an independent source to check if the contact details match
- Download anti-phishing toolbars which will alert the user if they land on a site that is known to be malicious
- Check that the site is secure before entering sensitive information.
- Ensure the URL starts with https:// and contains a closed lock icon
- Check the site’s security certificate
- Use strong passwords or a password manager like 1Password or LastPass.
- Change passwords every 60-90 days
- Use a combination of upper and lower case letters, numbers and symbols
- Take action ASAP if you notice any suspicious activity — e.g., unexpected transactions in your financial accounts.
- Use multi-factor authentication. This requires you to prove your identity before logging into an account and provides an added layer of protection against unauthorized access.
Secure your data
- Back up your files and store them securely in an offsite location. Check your backup regularly to ensure that it is functioning correctly.
- Wipe your hard drive when recycling or disposing of old computers.
- Practice data segmentation by storing data in different locations. In the event of a security breach, this will slow your attackers down and buy you more time in containing the breach. In contrast, storing all your data in a single location creates a flat network, which gives the attacker access to all your data from a single intrusion point.
- Protect sensitive information with SSL/TLS encryption. Should an attacker obtain these files, they would not be able to access them without the decryption key.
- Limit access controls using the principle of least privilege (POLP). This means that employees are given minimum access permissions required to do their job. Use temporary accounts for third-party employees (e.g., contractors and interns) which will expire at end of their contract. This is to prevent internal leaks, which could be unintentional or malicious.
Secure your network
- Keep your system and software updated
- Use high quality security patches, antivirus software and malware blockers
- Implement a strong firewall – this could be in the form of hardware or software or both. A type of firewall is the web application firewall (WAF) which protects web applications from cyberattacks that aim to create data breaches. Read about the different types of firewalls here.
Concerned about your own data? Worried that your personal information could be floating around somewhere out there? Cybersecurity researcher Troy Hunt has created a database of all known accounts that have been compromised. Check if your account is on the list at https://haveibeenpwned.com/ and then come back to this article to ensure you tick off all these security measures