With so much data being collected, stored and used, it was inevitable that breaches would be on the rise. The year 2017 saw more personally identifiable information (PII) exposed through malicious intent than ever than before.
Equifax and Yahoo led in the headlines, but there were many other notable breaches. As we look back, let’s see what we can learn from them.
Equifax makes all the headlines
Attackers hit more than 145 million Equifax customers this September. They stole names, birthdates, Social Security numbers and more. Costs are continuing to mount, but estimates say that it has cost the company between $200 and $300 million so far. Consumers will pay an estimated $4.1 billion to freeze their credit reports. The company told The New York Times in November that it was still conducting an internal review and was working on remediating “two significant deficiencies in its technology systems.”
Pam Dingle, principal technical architect at Ping Identity, says that a breach like this erodes customer trust.
“There are a lot of angles to the Equifax story that make it so very noteworthy, but the sharpest is the betrayal of public trust,” Dingle said. “Everyone who collects private information has a duty to act as a careful steward of that information — but Equifax operates on a whole other level, collecting information that when stolen doesn’t just mean more spam when it gets stolen, but the potential of personal financial disaster for a lot of people.”
Yahoo comes clean
Though it happened four years ago and was disclosed last year, Yahoo’s 2017 revelation that three times the number of customers they reported — 3 billion! — were affected by its 2013 breaches, making it the biggest one in history. The breach exposed a huge amount of PII, including names, email addresses, phone numbers, and even passwords and security questions and answers.
On its site, the company says that law enforcement analysis of the original breaches indicated that an unauthorized party stole data. The company also provides information to consumers to help them protect their accounts and says it is “continuing to work closely with law enforcement, and [we] continue to enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”
Most news outlets agree that the main cost to Yahoo was incurred in the $350 million slash to its purchase price from Verizon, its new owner.
Shuman Ghosemajumder, CTO of Shape Security, said that companies can learn something from this.
“One thing companies are increasingly doing to better protect themselves going forward is addressing security in a more scalable and effective way than they have approached in the past,” Ghosemajumder said. “The old mindset was to buy many security products and hire as many internal security personnel as possible, train them on those products, and have them operate and update them continuously. Very few companies can invest enough to provide sufficient protection to cover every possible attack [that] surface[s], so cybercriminals are still able to routinely breach even companies with large security budgets and teams. The new approach is to deploy security as a managed service as much as possible, where common platforms can provide common security functionality across many companies. This simultaneously improves coverage, efficacy, and efficiency from a security perspective.”
Breach drama at Uber
Uber revealed in November that it had suppressed news of a 2016 theft of information in 57 million driver and rider accounts. According to The New York Times, the ride-sharing app paid $100,000 ransom to hackers whose bounty included stolen phone numbers, email addresses and names from the company’s third-party server.
Dara Khosrowshahi, Uber chief executive, told the Times, “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Dun & Bradstreet database is revealed
A database belonging to marketing firm NetProspex exposed more than 33 million records in March. The company is owned by business service powerhouse Dun & Bradstreet. SC Media reported that the information was “properly curated and ready for distribution to a customer.”
Dun & Bradstreet told the magazine in a statement, “Based on our analysis, it is our determination that there has been no exposure of sensitive personal information from, and no infiltration of our system. The information in question is data typically found on a business card. As a general practice, Dun & Bradstreet uses an agile security process and evaluates and evolves security controls to protect the integrity of our data.”
Verizon reports security lapse
Verizon saw breaches that left the PII of 14 million customers exposed in July. It was caught before any loss or theft occurred. According to a CNN Money article, an employee at a vendor was at fault.
Also notable were massive phishing and malware attacks at Gmail, DocuSign and Kmart.
The year isn’t quite over yet, so we don’t have a final number for 2017, but with a record high of 791 reported midyear by Identity Theft Resource Center and CyberScout, one can only hope we’ve reached an inflection point about how data is handled. The imminent May 2018 deadline for compliance with EU’s General Data Protection Regulation (GDPR) has already prompted an attitude shift toward a more consumer-forward mindset. Let’s hope the trend continues.