What exactly constitutes a data breach? How do we define it? Is it simply when an attacker runs off with thousands of customer details, or does it also include the theft of IP? Perhaps it’s any action that leads to the compromise of organizational data, networks, or assets? What about when our personal details are leaked – perhaps due to our own carelessness?
If you ask John Colley, managing director EMEA of (ISC)², then defining what we mean by ‘data breach’ is essential before any discussion of its significance ensues. “Given that security is usually defined in terms of confidentiality, integrity, and availability”, he told me, “it can be argued that a ‘breach’ of data or otherwise could be a breach of any of these attributes”.
So, the definition of what makes a data breach can be viewed as rather broad. Personal financial information, webmail account login credentials, or the loss of paper-based assets all apparently fit the description. With this in mind, allow me to segue into how this relates to the presidential election here in the US.
Now, I’m not going to advocate for one candidate over the other – this simply isn’t the venue for such opinions. Nor will I lay out each candidate’s stated approaches to things like information and cybersecurity. Instead, allow me to amuse you by reminding you all that, much like verbal missteps often highlighted on the campaign trail, the ability of these candidates to keep their own information assets protected is no better than the average person – or healthcare organization.
Rather than create a list of the most notorious data breaches for our most recent Sept/Oct print edition, Microsoft’s Roger Halbheer thought we should examine specific breaches as case studies in an effort to highlight the important lessons that can be learned from each. Well, Roger, these vignettes from the American political landscape are for you.
On June 6, the website Gawker reported that someone had illegally accessed the personal Hotmail account of Mitt Romney, a claim later confirmed by the Republican presidential candidate’s campaign staff. The hacker, if we can call him that, subsequently posted some of Gov. Romney’s personal correspondence on Dropbox, which he consequently deleted and apologized directly to the candidate for in a follow-up email. The culprits here were a rather facile email address of mittromney@hotmail.com, in combination with the hacker’s ability to guess the ‘Favorite Pet’ security question associated with the account. Smell some social engineering, anyone?
Romney, security expert Phil Lieberman told us at the time, should have known better than to use a Hotmail account for personal email because it is “never going to be as secure as is required for a presidential candidate”.
Then there are the unconfirmed reports of thieves absconding with Romney’s tax returns from a PwC office in Tennessee. PwC confirms a ransom note was delivered to its offices by those claiming to have walked away with the returns, but it has denied any such breach occurred. A similar offer was made to local Democratic and Republican party offices in Tennessee, but so far no evidence has surfaced as to whether the allegations were real, or if any such incursion actually took place. One thing is for certain – Romney’s refusal to make his tax returns before 2010 publically available, as is the recent custom, is what contributed to this even being a controversy. If it’s true, then it’s a failure of security in both the physical and electronic sense; if it’s a hoax, then it’s yet another distraction from real campaign-related issues.
Barack Obama, on the other hand, is not without his own embarrassing incidents in this area. There was the 2008 hacking of his Twitter account, although a subsequent investigation revealed that it was Twitter’s own lax security policies that allowed a hacker to access an employee’s administrative ID and password, thereby allowing
the attacker to modify accounts and send out malicious messages from then president-elect Obama. Maybe, in this case, we can lay more of the blame on Twitter for this breach. Yet no matter who was responsible, it serves as an example of how poor security procedures – and social media – can lead to headaches for the man with his hand on the ‘red button’.
So what’s the lesson to be learned from these security mishaps? Perhaps it’s that all of the advice and resources in the world – or at least at the disposal of these two candidates – can’t prevent potential embarrassment in today’s information-driven society. As many of you in the enterprise setting are already acutely aware, when such information leaks, rest assured that some journalist, or blogger, will be there to bring it to our attention.