All posts by aleksszymanski

Frequency vs. size of cloud data breaches: Which is worse?

(c)iStock.com/sproetniek

Let’s face it, 2014 was a busy year for hacks and data breaches. There were the high profile Sony hacks, the record breaking fines handed out as a result of ePHI (electronic Protected Health Information) healthcare data breaches in the US, and sites such as Gmail and eBay were also targeted by hackers.

The potential for breaches to occur more frequently as businesses collect increasing amounts of consumer data was discussed at the CES conference earlier this year, and was highlighted as a concern by Barack Obama during his State of the Union address on January 20th.

There are a number of factors to consider when weighing up whether frequent or large data breaches are worse. After all, not all breaches are created equal.

Assessing the severity of a breach

Firstly, consider the type of breach – was it a malicious attack, or did it occur as a result of human error?

Secondly, the type of information that was breached will determine the severity. Even a small breach can cause a significant amount of damage if personal or financial information is involved.

The high profile Sony hack was not its first major hacking incident; in fact, Sony has fallen victim to five breaches since 2013. While the focus of the most recent hacks was widely reported to be the early release of five movies in response the the release of The Interview, the hack revealed the US Social Security numbers of more than 47,000 celebrities, freelancers, and current and former Sony employees, as well as medical records, salaries, and other sensitive personal information that can be used for identity theft. Nearly all of this information was stored in Excel spreadsheets, which had absolutely no form of password protection.

Other notable breaches in 2014 included JP Morgan Chase, which saw 83,000,000 records breached for use of identity theft. Or Home Depot, which saw 109,000,000 records breached in order to gain access to financial information. eBay also had 145,000,000 records breached, again for identity theft.

Social networking sites often fall victim to hackers too; Twitter has experienced 11 hacking incidents since 2013, although the majority of these are considered to be minor, and affected single accounts in most instances. The most common type of breach in this instance proved to be a nuisance, rather than harmful.

Snapchat experienced two breaches in 2014, and both times a significant amount of personal data was leaked online. The first breach saw 4.6 million usernames and phone numbers being breached, and later, in October 2014 almost 98,000 stolen files were posted to The Pirate Bay. Snapchat blamed third-party applications for the breach, although they didn’t name the culprit. This hack occurred despite a warning from a data security report conducted in August 2013 showing that Snapchat’s data was vulnerable to attack.

The highest ever fine in HIPAA history was also handed out in 2014, following a data breach that saw the electronic PHI of 6,800 patients disclosed on Google. The New York Presbyterian Hospital and Columbia University Medical Center together have agreed to hand over a whopping $4.8 million to settle the alleged HIPAA violations.

When determining which is worse – the frequency or the size of a breach – the simple answer is that any breach can be devastating. It is therefore essential that organisations, large and small, put security and compliance at the top of their agenda this year.

Preventing data breaches from happening

Organisations may encounter numerous attempted cyber attacks every day without even knowing it. Here is a list of necessary steps and actions which every organisation should be taking, in order to avoid potential breaches:

  • Perform regular risk assessments to identify where valuable data is stored, and how it is transmitted internally and externally.
  • Perform vulnerability scanning on a regular basis, followed by penetration testing for the most critical assets to identify and remediate security weaknesses.
  • Deploy technologies to protect against all attack vectors, ensuring security and authentication software is installed on all devices.
  • Partner with a third party team of experts to help ensure your organisation has enough manpower and skillsets in-house to deal with cyber attacks, and to make sure those technologies are installed, optimized and working continuously.
  • Use adequate authentication and encryption on all devices, especially around the storage and exchange of documents and data.
  • Create and regularly practice an incident response plan as part of the organisation’s business continuity planning so that if a breach occurs, the business knows what steps to take to contain it and minimise the damage.
  • Educate employees about appropriate handling and protection of sensitive data. Lost, stolen and discarded devices containing critical information illustrates that corporate policy designed to safeguard portable data only works when employees follow the rule; and this is especially important given the increase in the number of mobile devices used by organisations over the last few years.