2017 was another tough year for headline-grabbing data breaches. At this point, data breaches seem to happen every day, affecting enterprises and their customers, and harming those relationships by injecting mistrust, anger, concerns and resulting legal battles. Keeping your company out of the headlines when it comes to data breaches is something you should take quite seriously.
With that in mind, here is a round-up of some of the worst and most headline-grabbing data breaches of 2017 to offer some real-world examples of what not to do so you can work to avoid similar situations for your company.
Equifax Data Breach
From May to July, the personal information of some 143 million U.S. consumers was exposed in a data breach at Equifax, one of the nation's three major credit reporting agencies. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to the Federal Trade Commission (FTC). The hackers also stole credit card numbers for about 209,000 people and accessed dispute documents that included personal ID information for about 182,000 people.
Uber Data Breach
In November, Uber revealed that hackers had accessed and captured the personal information of about 57 million of its customers and drivers. And that wasn't the bad news. The really bad news was that Uber disclosed the massive data breach a full year after it had happened in 2016. The company at the time paid $100,000 to the hackers as a ransom so the hackers would destroy the data without publicly revealing the breach. This is not how your company wants to handle any such incidents. The hackers stole mobile phone numbers, email addresses and names of Uber drivers and customers from a third-party server and then demanded $100,000 to delete their copy of the data.
Yahoo Data Breach
In October, four months after Verizon acquired Yahoo, the company disclosed horrific new facts about a data breach that had occurred at Yahoo back in 2013. Instead of affecting the 1 billion or so customer accounts that were announced at the time, the breach is now said to have affected about 3 billion Yahoo customer accounts, which essentially includes every customer of the company. Credit card and bank account data was not taken in the breach, but customer names, email addresses, phone numbers, birth dates and hashed passwords and security questions and answers were captured, according to a story by NPR.
Verizon Data Breach
In July, Verizon confirmed reports of a data security breach affecting more than 14 million of its customers in the U.S. after a third-party vendor mistakenly left the sensitive users’ details open on a server, according to a story by The Hacker News. The data was exposed on an unprotected Amazon S3 cloud server that was fully downloadable and configured to allow public access, according to the story. The exposed customer data included sensitive information including customer names, phone numbers and account PINs (personal identification numbers).
WannaCry Ransomware Cyber Attacks
In May, cyber attacks around the world by the WannaCry ransomware worm caused massive computer system problems across the globe. WannaCry was viewed as far more dangerous than other common ransomware types because of its ability to spread itself across an organization's network by exploiting critical vulnerabilities in unpatched Windows computers, according to a security advisory posted at the time by security firm Symantec.
The WannaCry worm searched for and encrypted 176 different file types, added the file suffix .WCRY to the end of file names, then asked users to pay a $300 ransom in bitcoins, which would be doubled after three days.
Lessons to Be Learned About Data Breaches
Certainly, there were additional highly-publicized breaches in 2017, but this sampling shows the wide range and threat of such situations faced by all businesses in the digital age.
So, what can you do to prevent your company's name from being splashed across the headlines involving a similar data breach?
It starts with awareness, properly executed risk assessments and regularly-scheduled software and system updates and patches. It continues with realistic and step-by-step disaster planning and having a long-term view of possible threats and making plans for how to react to such incidents. And it also involves swift reactions and public acknowledgment of such incidents, including sharing the details with affected customers and the public to minimize their exposures and to provide full disclosure as a matter of trust and honor.
Enterprise IT security systems must be as strong and redundant as possible to protect critical corporate information and personal customer data at all times.
Yes, breaches do and can happen, despite the best efforts of corporate IT and security teams. These are the threats that keep IT security workers up at night and corporate leaders sweating and praying that they don’t see their company’s name in the headlines the next day.
You don't want to see your company go through similar public embarrassments. Keep that in mind the next time you think your company's IT security is good enough.