This Data Privacy Day 2020, we urge individuals and organizations around the world to learn from the fallout of the mega-breaches of the recent past. We provide five positive steps that companies around the world can take to better protect consumers, employees and more.
Until recently, data privacy was considered critical only in the digital world. As the digital and physical worlds intersect, protecting an individual's or a corporation's digital identity is now also a matter of physical safety: a stolen credential can reach systems that affect people directly. Data privacy considerations should underpin every company decision, at board level and on the shop floor, and this Data Privacy Day organizations should encourage their entire workforce, not just IT teams, to re-evaluate how they secure and manage data.
By David Higgins, Technical Director, CyberArk
It is now well established that data is among the world's most valuable assets and a tempting target for attackers with a range of motivations. More often than not, they are pursuing credentials that let them move through a business and reach sensitive, valuable data. The damage can be severe across a whole range of industries, from stolen administrative credentials to the theft of medical records used to hold individuals to ransom over the disclosure of sensitive personal information. In a tragic but realistic scenario, a doctor could be unable to perform a life-saving operation because the patient's records are unavailable.
Attackers will inevitably succeed from time to time. Addressing this, and limiting how far they can move through a network after an initial compromise, is imperative for safeguarding national security. Compromise of critical national infrastructure (CNI), for instance, could plausibly result in the loss of control of public services such as utilities, healthcare and government, posing a severe risk to public safety. This Data Privacy Day, we need to step back and understand not only the value of the data we hold but also the importance of granting access only to the individuals and systems that need it.
Lesson #1: Equifax Breach
(reported in 2017)
Several technical failures in tandem led to the breach: an expired certificate on the appliance that inspected encrypted traffic, which left that traffic uninspected while the attackers were active, and a vulnerability scan that failed to flag an unpatched version of Apache Struts for which a fix had already been released. The breach impacted about 145 million consumers in the U.S. and 10 million U.K. citizens.
Data Privacy Day Learning – get the security basics right. Cyberattacks are growing more targeted and damaging, but the Equifax breach is a reminder that the basics should never be neglected: patches should be applied promptly, certificates on security devices should be renewed before they expire, and the coverage of automated scans should be checked rather than assumed. This breach also prompted elected officials to push for stronger legislation on the required protection of consumer data.
Lesson #2: Uber Breach
(reported in 2017)
In 2017 Uber revealed it had suffered a year-old breach that exposed personal information belonging to 57 million drivers and customers.
Data Privacy Day Learning – don't store credentials in code. Uber's data was exposed because AWS access keys were embedded in code that a third-party contractor had stored in an enterprise code repository. The takeaway is that no code repository, private or public, is a safe place for credentials: anyone who compromises a developer's account can read it, and a key committed once remains in the history after the file is cleaned up, so the only safe response is to rotate it. Keys belong in a vault, or are replaced altogether by short-lived, role-based credentials.
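As an added illustration, and not code from Uber, CyberArk or the author, the check below scans files that are about to be committed for AWS access keys and refuses the commit when it finds one. The file names and contents are constructed for the example; the key values are the placeholder examples AWS publishes in its own documentation, not live credentials.

```python
"""Added example: a pre-commit credential scanner for AWS access keys.
Not Uber's or CyberArk's code; sample files and paths are invented."""
import re

# Long-term IAM access key IDs start with "AKIA", temporary (STS) ones with "ASIA";
# both are 20 upper-case alphanumeric characters.
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters from the base64 alphabet. Alone that pattern
# matches too much (git SHAs, hashes), so require a "secret key"-style name before it.
SECRET_KEY = re.compile(
    r"(?i)(aws)?_?secret(_access)?_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample commit. The key values are AWS documentation examples, not real keys.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'BUCKET = "rider-exports"\n'
    ),
    # A 40-character git SHA must not be reported as a secret.
    "deploy/version.txt": "commit = a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\n",
    # The correct pattern: no static key in code, the SDK uses the instance role or environment.
    "app/s3_client.py": 'import boto3\ns3 = boto3.client("s3")\n',
}


def redact(value):
    """Never echo a full credential into hook output or CI logs."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind, redacted_value) for every credential found."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((path, no, "aws_secret_access_key", redact(m.group(3))))
    return findings


def scan_files(files):
    """Scan a mapping of path -> content, as a hook would receive the staged files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def commit_allowed(files):
    """Hook policy: refuse the commit when any credential is present."""
    return not scan_files(files)


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d: %s %s" % finding)
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Run as a pre-commit hook this blocks the commit before the key ever reaches the repository; a key that has already been pushed must be treated as compromised and rotated, since rewriting history does not recall the clones that already contain it.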
Lesson #3: Facebook’s Cambridge Analytica Breach
(reported in 2018)
Cambridge Analytica harvested the personal data of millions of people's Facebook profiles without their consent and used it for political advertising. The scandal finally erupted in March 2018 with the emergence of a whistle-blower, and Facebook was fined £500,000 (US$663,000), the maximum fine allowed at the time of the breach.
Data Privacy Day Learning – protect user data (or pay up). The U.K. Information Commissioner's Office found that Facebook "contravened the law by failing to safeguard people's information", and the company suffered the consequences. Now the U.S. government is placing additional pressure on Facebook to stop the spread of fake news, foreign interference in elections and hate speech, or risk additional, larger fines.
Lesson #4: Ecuadorian Breach
(reported in 2019)
Data on approximately 17 million Ecuadorian citizens, including 6.7 million children, was exposed by an unsecured AWS Elasticsearch server holding Ecuadorian data: the server was reachable from the internet without any authentication, a misconfiguration rather than a software vulnerability. A similar Elasticsearch server exposed the voter records of approximately 14.3 million people in Chile, around 80 percent of its population.
Data Privacy Day Learning – adhere to the shared responsibility model. Most cloud providers operate under a shared responsibility model: the provider secures the underlying infrastructure, and everything the customer configures on top of it, including access policies, authentication, network exposure and the data itself, remains the customer's responsibility. As more and more government agencies look to the cloud to help them become more agile and better serve their citizens, it is vital they continue to evolve their cloud security strategies to proactively protect against emerging threats and reinforce trust among the citizens who rely on their services.
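An added example of the customer's side of that responsibility, not code from the article, from CyberArk or from AWS: the audit below reads the resource-based access policy attached to an Amazon Elasticsearch Service domain and flags any statement that lets an anonymous principal query the indices, which is the configuration behind an exposure like the one above. The domain name, account ID and IP ranges are invented for the example.

```python
"""Added example: audit an Amazon Elasticsearch Service domain access policy
for anonymous data-plane access. Not the article's, CyberArk's or AWS's code;
the domain, account ID and IP ranges are invented."""
import json

# Constructed policy in the shape that exposes a domain to the whole internet.
OPEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "es:*",
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/citizen-registry/*"
  }]
}
""")

# Hardened version of the same grant: a named role, only the HTTP verbs it needs,
# and a source-network condition on top.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/registry-api"},
    "Action": ["es:ESHttpGet", "es:ESHttpPost"],
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/citizen-registry/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "10.20.0.0/16"}}
  }]
}
""")

# Anonymous access gated only on source address: better than open, still worth review.
IP_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "es:ESHttp*",
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/citizen-registry/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}
  }]
}
""")


def _as_list(value):
    """IAM policy grammar allows a bare string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """'*' or {"AWS": "*"} means any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def grants_data_plane(actions):
    """es:* or any es:ESHttp* action lets the caller run queries against the indices."""
    return any(a in ("*", "es:*") or a.startswith("es:ESHttp") for a in _as_list(actions))


def audit_access_policy(policy):
    """Return (statement index, severity, message) for each statement that exposes the domain."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not principal_is_anyone(st.get("Principal", {})):
            continue  # a named IAM principal still has to authenticate and be authorized
        if not grants_data_plane(st.get("Action", [])):
            continue  # no query access granted by this statement
        source_ip = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if source_ip:
            findings.append((i, "medium",
                             "anonymous access restricted only by source IP %s" % _as_list(source_ip)))
        else:
            findings.append((i, "high",
                             "open access: any principal may call %s unconditionally" % _as_list(st["Action"])))
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY), ("ip-only", IP_ONLY_POLICY)):
        print(name, audit_access_policy(policy) or "no findings")
```

The provider enforces whatever policy the customer attaches; it will not refuse the open one. Running a check like this over every domain at deploy time, and again on a schedule, is how the customer meets its half of the model.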
Lesson #5: Desjardins Breach
(reported in 2019)
The data breach, which leaked information on 2.9 million members, wasn't the result of an outside attacker but of a malicious insider: an employee in the company's IT department who decided to steal protected personal information from his employer.
Data Privacy Day Learning – proactively identify unusual or unauthorized behavior. Insider threats are harder to identify, especially when the user holds privileged access rights, but monitoring for unusual and unauthorized activity, with automated remediation steps where appropriate, reduces the time it takes to stop an attack and limits data exposure. This breach shows that defense in depth, combining privileged access security, multi-factor authentication and the detection of anomalous behavior with tools such as database activity monitoring, has never been more crucial.
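An added example of the kind of database activity monitoring the lesson describes, written for this page rather than taken from Desjardins or CyberArk: it learns a per-user baseline from past audit events and scores new events for the traits of a bulk insider export, with an off-hours read on its own never enough to alert. The log format, account names, tables and thresholds are all invented for the example.

```python
"""Added example: a small database activity monitor that baselines each user
and scores new events for insider bulk-export behaviour. Not Desjardins' or
CyberArk's code; log format, accounts and thresholds are invented."""
import re
from datetime import datetime
from statistics import median

# One event per line, in an invented export format of a DB audit log.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt=(?P<stmt>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed history: what these accounts normally do.
BASELINE_LOG = [
    "2019-04-01T09:14:03Z user=jsmith db=members stmt=SELECT table=members rows=12",
    "2019-04-01T10:02:11Z user=jsmith db=members stmt=SELECT table=accounts rows=4",
    "2019-04-02T11:30:45Z user=jsmith db=members stmt=UPDATE table=members rows=1",
    "2019-04-02T14:05:09Z user=dba01 db=members stmt=SELECT table=members rows=250",
    "2019-04-03T15:20:00Z user=dba01 db=members stmt=SELECT table=audit_log rows=1200",
]

# Constructed new activity: an after-hours bulk read by a privileged account, a first
# touch of a sensitive table, an account with no history, a harmless late query, and
# one malformed line.
NEW_LOG = [
    "2019-05-02T09:40:12Z user=jsmith db=members stmt=SELECT table=members rows=9",
    "2019-05-02T22:17:44Z user=dba01 db=members stmt=SELECT table=members rows=2900000",
    "2019-05-03T13:05:30Z user=dba01 db=members stmt=SELECT table=card_numbers rows=350000",
    "2019-05-03T13:06:01Z user=svc_backup db=members stmt=SELECT table=members rows=2900000",
    "2019-05-03T20:01:00Z user=jsmith db=members stmt=SELECT table=members rows=7",
    "this line is not an audit event",
]


def parse(lines):
    """Turn log lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def build_baseline(events):
    """Per user: the tables they have touched and their typical rows per statement."""
    seen = {}
    for e in events:
        b = seen.setdefault(e["user"], {"tables": set(), "rows": []})
        b["tables"].add(e["table"])
        b["rows"].append(e["rows"])
    return {u: {"tables": b["tables"], "typical_rows": median(b["rows"])}
            for u, b in seen.items()}


def detect(events, baseline, factor=20, work_hours=(7, 19), block_at=3):
    """Score each event; volume, new tables and unknown users weigh more than the hour."""
    alerts = []
    for e in events:
        reasons, score = [], 0
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no history for user")
            score += 3
        else:
            if e["table"] not in b["tables"]:
                reasons.append("first access to table %s" % e["table"])
                score += 2
            if e["rows"] > factor * max(b["typical_rows"], 1):
                reasons.append("%d rows vs typical %d" % (e["rows"], b["typical_rows"]))
                score += 2
        if not work_hours[0] <= e["ts"].hour < work_hours[1]:
            reasons.append("outside business hours")
            score += 1  # an aggravating factor, never an alert by itself
        if score >= 2:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "table": e["table"],
                           "score": score, "reasons": reasons,
                           "action": "block" if score >= block_at else "alert"})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for a in detect(parse(NEW_LOG), baseline):
        print(a["ts"], a["user"], a["table"], a["action"], "; ".join(a["reasons"]))
```

The "block" action is where automated remediation plugs in: terminating the session or revoking the privileged account's credential through the privileged access platform turns a multi-month exfiltration into a minutes-long one, which is the point the lesson makes.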
About the Author
David Higgins is EMEA Technical Director at CyberArk. Since joining CyberArk in 2010, David has worked to help the world’s leading – and most complex – organizations secure and protect their privileged access. Today David works with clients to advise on threats associated with privileged escalation, lateral movement and credential theft as well as discussing best practices and driving innovation around privileged management processes. David is a frequent speaker at events as well as with media. He holds a BSc. in Computer Systems and Information Systems.
Disclaimer: CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views are personal.