At the beginning of 2017, Infosecurity published the first of its ‘Top Ten’ series, looking at the 10 largest historical data breaches to have occurred at the time. To remind you, the list read as follows:
- Yahoo – 500 million account details breached in 2014
- FriendFinder Networks – 412 million user details made available
- Myspace – 360 million user passwords were lost
- Experian – 200 million Social Security numbers were accessed
- USA Voter Database – data on 191 million American citizens leaked
- LinkedIn – 165 million accounts were impacted
- NASDAQ stock exchange – more than 160 million credit and debit card numbers were lost
- ebay – attackers gained access to a database of 145 million user accounts
- Heartland Payment Systems – an estimated 100 million cards were impacted
- VK – a database of 100 million accounts was breached
Casting an eye over that list, it seems remarkable to me that more data breaches have been reported with even larger numbers of people affected. Take the largest breaches of 2018 as an example: in the first six months of the year, almost one billion records were compromised in the Aadhaar breach incident, including names, addresses and other personally identifiable information.
Also, consider the Marriott Starwood breach. As we detailed in this issue (page 8), as a result of hackers gaining unauthorized access to the company’s data for more than four years, up to 500 million customer details were impacted.
In the cases of both Aadhaar and Marriott, these were breaches of data where people had chosen to enroll on a service. With Aadhaar, anyone who is subscribed can use their data or thumbprint to access services including banking and receive state aid, and while enrolment is not mandatory, Indian citizens who aren’t subscribed are unable to access even basic government services.
The issue is not just about the size of the data breach, as it is easy to forget those breaches that do not hit 100 million victims. Perhaps this is down to breach fatigue, or because we only seek out those breaches which astound us with the largest numbers of victims?
Robin Tombs, co-founder and CEO of Yoti, said that there is as much emphasis upon businesses as there is on individuals to step up their game when it comes to security online. “Individuals can have their personal data stolen and be at risk of identity theft and online fraud, and businesses can lose their reputation, customers and money,” he added. “Any good solution needs to strike a balance between convenience and security.”
Many of the recent breaches occurred because of what is known as ‘cyber-hygiene’ failings. In the case of the breach suffered by UnityPoint Health in July, it was a password phishing email sent to employees that resulted in 1.4 million records being compromised.
Raz Rafaeli, CEO of Secret Double Octopus, said that password phishing scams shouldn’t exist in 2018, not only because we shouldn’t be falling for them anymore, but also because password protection is no longer the best way to secure a server. “In an age where passwords, or any other single factor authentication solution, have been proven vulnerable, we should expect corporations to make the safety of their customer data their top priority. The solutions are out there, and it’s time for companies to step up, stop making excuses, and bolster their security.”
Are problems with human error to blame for so many data breaches, and if so is there any way to stop these sorts of errors happening, if they are the main cause? “It’s tempting to put all the blame on greedy or under-educated CISOs, but the problem is higher in the corporate food-chain,” argued Nick Selby, director of cyber-intelligence and investigations for the NYPD. “Until the C-suite and boards of directors accept that their entire value chain depends on information systems, they will continue to under-invest in information security.
“Many data breaches are caused by a failure of executive and board-level leadership to support a bold, creative and realistic information technology strategy. Today, that means thinking beyond your firewalls and adapting to the realities of new cloud computing architectures.”
It is clear that since our Top Ten data breach list was produced in 2017, a number of major breaches have been reported. Have we got enough new data to create an entirely new list? It is sad to think that way, but in a few months time, we may be able to do just that and until cybersecurity is able to stop these simple mistakes to plug the gaps, we will continue to write about these incidents, and millions of people will continue to be affected