Data breach on laptop with warning sign

Majority of Companies Are Not Disclosing Their Data Breaches

Data breach on laptop with warning sign

It is a common misconception to think that companies absolutely must disclose details of any internal breaches they may have suffered. In reality, the majority of data breaches go unreported, and details of the leak are rarely revealed to the public. Recently in the media, Yahoo came under fire and heavy scrutiny for late disclosure of two major data breaches of user account data. The Internet service company suffered two massive breaches in both 2013 and 2014 – resulting in the largest discovered data breaches in the history of the Internet – but this situation was only made public during the latter part of 2016.

This begs the question, should companies be forced to disclose data breaches? As we shall soon see being PCI compliant is only the beginning to assessing the security practices of a company.

False sense of security protection

Just because a company is internationally known it doesn’t automatically mean that your data is safe. Many users have a false sense of protection, simply because they trust the brand. But when it comes to these companies’ cybersecurity practices, quality security measures may not be a top priority since most are typically sales-driven. For example, besides the recent Yahoo breach, there have been numerous cyberattacks that have made headlines like Dropbox’s 68 million users’ data leakage that remains engraved in the minds of the public.

Part of that reason that so many attacks go unreported is because most companies simply do not need to disclose that sort of information in the first place. There is no current law requiring corporations to reveal when customer data has been compromised, so it makes sense that data breaches go unreported. A hacking incident could tarnish the reputation of the brand and instill mistrust among customers, which is never something corporations want. Even if large corporations choose to disclose data breaches, the extent to which data has been compromised are probably not revealed in full and downplayed.

For instance in the case of credit card breaches, customers will simply receive email reminders to change their account passwords or the bank will issue new cards to mask the data breach. Cases like this provide a sense that nothing is wrong and it is simply “routine procedure.” So, what can you as the customer do?

PCI Compliance?

If you are engaging in online transactions, ensure that the company is PCI-DSS (Payment Card Industry Data Security Standard) compliant.

Below is a clear definition of this industry standard:

The Payment Card Industry Data Security Standard, or simply PCI DSS, is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

With most brands moving their businesses online, there is a growing concern for the security implications of online transactions. When a corporation is not PCI compliant, there is a higher chance of data leakage – but even this industry standard is purely a minimal requirement. Just like how it is not a law for corporations to reveal internal data breaches, PCI compliance is just a security standard for online transactions – but not the law. That means businesses can continue to sell products online without the proper security standards intact. Furthermore, research by Verizon has shown that seven in ten businesses who achieve PCI compliance fail to maintain this compliance for a minimum period of one year.

Because corporations do not differentiate between what it means to “be validated” and to “be compliant,” this finding is extremely daunting especially in the light of recent data breaches. To be validated specifies a precise point in time when a business chooses to be assessed for compliance. This assessment is therefore a snapshot in time and says virtually nothing about the business during the rest of the year. For example, a company that suffered a data breach may reveal to its customers that they were validated for PCI compliance within the past year, but it doesn’t necessarily mean they were compliant at the time of the actual data breach.

In fact, according to one of the authors of the Verizon report, “…data from the past 10 years shows, that not a single company that suffered a data breach was compliant with PCI requirements at the time of the incident.” PCI standards set a strong baseline protection for any business but at the end of the day it is just the “minimum bar” to entice competitors to reach that same level of security simply because customers expect at least that much.

But is it enough? In many cases, no.

For example, Home Depot, who was PCI compliant, suffered a massive data breach in 2014. Many questioned how this breach could have occurred to such a huge retailer especially when it was supposedly certified to the security standards associated with credit card transactions. However, according to CIO, Home Depot’s data breach stemmed from using outdated Symantec antivirus software, not monitoring the network continuously for suspicious behavior, and performing vulnerability scans irregularly at only a  few of its stores. Stolen customer information also went unnoticed for several months. This is a perfect example that demonstrates that there is more to being secure than being PCI compliant.

Security beyond PCI compliance

A larger company like Home Depot can certainly afford to hire a security team but because security was not prioritized, it was too little too late when they were struck with a massive data breach. Adhering to the PCI standards sets the minimum bar but there is more to security – to start off, companies should be incorporating a Web Application Firewall (WAF) to their security platforms. Not only does a good WAF do much more to protect your website against external threats including DDoS and data leakages, the best part is that they also do not require a special security team to operate and manage the system.

With the rise of cloud services, WAF-as-a-service has also become popular since it doesn’t require additional hardware.Only minimal technical knowledge is needed involving a simple DNS configuration to register websites under WAF protection. Cloud WAFs manage all inbound and outbound traffic and are able to automatically detect and filter malicious attacks. This is huge for businesses who may still be starting out and cannot necessarily afford specialized security teams. For example, Cloudbric, a cloud-based WAF service, offers easy to understand web traffic analytics and allows users with little to no IT-security knowledge to manually look at their web traffic data in search of any inconsistencies.

The reality is that hackers can gain access to confidential information with relative ease so data leaks will likely continue to prevail. It’s important to keep in mind that just because it doesn’t make news headlines doesn’t mean that data breaches are not a common occurrence. We can have a false sense of security believing that entrusting our sites to well-known and successful companies can keep our information secure. But while following standards like PCI DSS is a great start, when thinking about the best security practices it’s best to think about the long-term and how to implement a solution that has you covered any time and anywhere.

hearts on valentine's day

Love in All the Wrong Places: the Dangers of Online Dating

online dating can result in cyber crime or scams especially on valentine's day

As February 14th creeps closer, hype over finding a valentine is at its peak. But finding a significant other does pose more difficulty in this day and age with the rise of career-driven individuals, slaving away with the chaotic schedules of everyday life. Furthermore, with the digital world just an arm’s length away, it’s not surprising that many have opted to look for a match in cyberspace. The use of online dating apps has increased nearly threefold since 2013, and social stigma for online dating has largely subsided, with mentions in popular media and even attractive celebrity endorsements. But unfortunately, like any other new phenomenon, many fail to realize the security implications of finding love online.

The oversight is understandable as the desire for love and companionship often trumps over protective instincts, but with the increase of online dating also comes an increase in cybercrime. In the UK, as many as 350 online dating scams were reported monthly, with victims handing over not only their hearts but more than £39m to false lovers in 2016. There may be those who would be baffled by the enormous amount of money handed over to hackers and scam artists, but with love – anything is possible.

The Consequences of Finding Love Online

We’ve all heard of stories of someone getting “catfished,” when unsuspecting individuals may be lured by a fake online profile. The scammer could be using an attractive picture, extraordinary details, but suddenly disappear when the time comes to meet. Worse, they could extort money out of their innocent “catfish catch,” who being madly in love will gladly acquiesce to aid their partner.

But as scary as a “catfish” exchange may be, the consequences may stretch even further and deeper in cyberspace – as information can be transmitted across the world in just seconds. In 2013, Cupid Media, a media group housing over 30 online dating sites, had 42 million passwords in plain text taken from their server. While many of these passwords were taken from inactive accounts, the millions of members that were active users now have their personal information in the hands of hackers.

When Ashley Madison, a site serving as a platform for individuals looking for extramarital affairs and casual hook-ups, was hacked in the summer of 2015, many were harassed with ransom and blackmail threats to distribute their names, credit card information, and email addresses. The threats demanded payment – the alternative? All personal information and data on website activity would be openly displayed on a public website. Some paid up, and some didn’t – citing that information had already been leaked anyway.

Nevertheless, online dating can have dire consequences on both your wallet and ego. So for Valentine’s Day this year, while you don’t necessarily need to skip the web-browsing tango, take these tips with you to have a loving, safe February 14th.

1. Watch out for the telltale signs

Avoid the “catfish” traps. Blonde, loves sunsets by the beach, and has the body of a model? If someone looks too good to be true, it’s a real possibility that you’re talking to a made-up persona. Before you reveal your deepest and darkest secrets, check for inconsistencies throughout their profile. Even if it’s not a con-artist on the other side of the screen, it’s estimated that around one-fifth of all online daters have asked a friend or family member to help them “tweak” their profile

And with more than 60% percent of web traffic comprised of bots, it is not surprising to run into “chatbots” on online dating sites and apps. These chatbots are designed to simulate real-life conversation and can convince you to click on a link or give away personal information. The telltale signs include the “bots” responding suspiciously quickly, chatting  in an unnatural way or using weird syntax, or sending links without asking you.

2. No advance fees

No matter how in love you may be, don’t fork over the cash just yet. Once an online relationship has built a basis of trust, the requests for favors may start rolling in. Perhaps a loved one is having a medical emergency, or they’re a little short on rent that month.

After a certain, most likely pre-planned, amount of time has passed, the scammer may even ask you to wire some money to purchase a plane ticket… to finally meet. While some may be wooed by the idea of finally meeting in person – perhaps a safe way to respond would be to suggest that they borrow money from a family member or the bank.

3. Find a worthy website using a WAF service and encryption

Although the examples we’ve given so far may be on the scarier side, not all online dating sites are vulnerable. Especially if a company has taken the time to employ a Web Application Firewall (WAF) or WAF service, as well as encryption for their data, your personal information has less of a chance of being compromised.

Think this is a given? Many companies will keep their data in plain text out of sheer convenience – but they might have to face dire consequences. Don’t play with fire, and bet on a company that is transparent about their security practices. Better safe than sorry, especially when your future relationship is at stake.

4. Nothing’s as good as (secure) face-to-face

“Let’s meet in real life” are the words that an online lover might be impatiently waiting to hear. However, if you’re not feeling ready about a potential meetup – then be firm and put your foot down. If meeting in-person, meet in a predetermined and public location, never at home or in your office. Consider having a friend to be a “safe buddy” so that if things aren’t going well they will be on standby to get you out of a potentially risky situation.

Some might choose to “meet” via video chat programs like Skype or FaceTime. Even then, make sure to have a secure connection, turn off any kind of geolocation settings, and be on guard to not disclose too much about yourself.

The Future of Online Dating?

The majority of people will first think of the physical dangers of online dating. However, in this day and age, cybercrime can go a long way, and even faster at that. Be smart offline and online, but to not be a downer – keep your hopes up: 5% of Americans say that they met their significant other online, and with other statistics in the cyber realm, it seems like this number has nowhere to go but up.

Perhaps love is just around the website. And hopefully a secure one.