These days, many consider data to be the most valuable asset of any organization with digital presence. To protect the modern goldmines, it should be in everyone’s best interest to try and minimize any risks to sensitive data amid heightened connectivity and rampant cybercrime. Yet statistics suggest that data breaches take place every second, are often kept under the radar, and can get extremely costly for the target.
Is it impossible to prevent data leaks? Not really. One common misconception is that effective data protection requires high-end technology and a bottomless budget. While they do certainly help, oftentimes it comes down to the most basic security measures to keep data safe.
In this article, we take a look at three highly publicized, highly scrutinized data breach incidents to explain what mishaps resulted in the leaks and how such incidents can be prevented from occurring in the future.
1. Panera Bread leak in April 2018 (at least 37 million customer records affected)
Last April, leading IT journalist Brian Krebs revealed that the U.S. bakery chain Panera Bread had been leaking customer records in plain text via its poorly designed website for at least eight months. The issue was first discovered by security researcher Dylan Houlihan, who tipped Krebs off after Panera Bread did not address the issue despite Houlihan repeatedly notifying them since August 2017. Millions of records related to customers who had signed up for Panera Bread’s online food order service were fully accessible via the website due to a lack of access control. The compromised data included personal emails, addresses, and some credit card information that could easily be indexed and crawled for malicious use.
Now grabbing baked goods should never come at the expense of personal data. The number one rule in secure database management is to ensure that masking and encryption are used when dealing with sensitive customer data, because identity protection and data integrity are essential for sustainable business operations, regardless of size or industry.
2. Equifax leak in September 2017 (at least 143 million people affected)
One of the biggest security scandals of 2017 was undoubtedly the Equifax leak, which impacted the sensitive data of over 143 million people. What enabled the hack was an unpatched vulnerability in the Apache Struts software that the credit reporting agency used to manage its dispute resolution portal. Now, Equifax became aware of the bug on May 9 but failed to install a patch, which allowed hackers to break into the company systems a few days later. The breach compromised an extensive range of customer information, from credit card details to social security numbers, which could be used for impersonation attacks and thus potentially have far-reaching consequences for affected individuals. To make matters worse, it took Equifax until late July to notice what had happened, and until September to craft a public announcement on the breach.
One of the most basic rules in IT security is to always keep systems up to date. While it can be challenging to immediately deploy patches in a corporate environment, the lack of urgency kept dragging on and making the systems more vulnerable by each passing day. In order to prevent similar incidents, effective patch management that combines both automated and manual monitoring should be a priority for any organization, along with an effective web application firewall to block malicious code from reaching the corporate systems in the first place.
3. U.S. voter record leak in June 2017 (at least 198 million records affected)
In the last year, numerous firms were revealed to be in data trouble as a result of not securing their Amazon Simple Storage Servers (S3). Yet the biggest blow was the leak of 198 million U.S. voter records via an exposed S3 server belonging to the Republican data analytics firm Deep Root Analytics, which resulted in the breach of voters’ personal information, such as names and phone numbers, and voter profiles that relied on data gathered over ten years. The public server was first discovered by cyber-resilience firm UpGuard’s analyst Chris Vickery, who took a responsible approach to vulnerability disclosure by allowing Deep Root Analytics to fix the issue before informing the public. This case is believed to be the largest exposure of voter-related data to date.
Poorly configured Amazon S3 resources were a serious problem last year: around 7% of all S3 buckets had unrestricted public access and 35% were unencrypted, according to Skyhigh Networks. To remedy this, Amazon introduced default encryption and began warning users of publicly accessible buckets last November. But looking at the big picture, this situation suggests that some IT managers pay little attention to system settings, perhaps due to the illusion of having everything securely set up when using a service like AWS, though that is not the case.
In order to prevent system compromise, human alertness is always key. Even with the most advanced security solutions in place, hackers can easily sneak into corporate records if the systems are not properly configured. So at the end of the day, installing a security solution is just the first step towards preventing data breaches–the most important step is to make sure everything works as intended.