Looking After We Leapt: What Can the Worst Data Breaches in History Teach Us?

Posted by Chelsie Grant on 13 June 2019

According to ABC News, Yahoo survived two of the largest data breaches in history. In 2013 alone, three billion accounts were breached! What new technology could have prevented these massive breaches? And how can it secure your business’ data today?

Breaches have become frequent, and there’s no end in sight. Week after week, another major heist of emails and credit card information takes over the evening news. Then come grim reports of hacked user accounts at major social networks or companies we once trusted. Like some gruesome horror movie, criminals, both foreign and domestic, ravage American corporations and feast on precious customer data.

Instead of throwing around breach numbers like baseball stats, let’s dissect one particular breach from 2018.


Marriott’s 2018 Breach

With no intention of picking on Marriott – we stay at their hotels! – let’s examine their data breach of 2018. We can learn from analyzing it, even just on the surface, that Marriott dutifully reported the potential scope and magnitude of information stolen by hackers.

According to Marriott, the 2018 breach of their Starwood database ultimately involved 383 million records. Now that may not seem as bad as Yahoo’s multibillion account breaches in 2013—until you hear what the criminals stole…

Never mind email addresses or even credit card numbers. This heist gave criminals access to a jaw-dropping amount of personal information, including millions of passport numbers. And it gets worse.

Marriott revealed that “the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

 

Identity Theft Bonanza

In short, if you wanted to steal someone’s identity and impersonate them, accessing a single record from the hacked Starwood database would provide you with enough information to effectively recreate a person’s identity. Breaches like Marriott’s help explain why identity theft has become a growth industry, ruining millions of lives every year.

Javelin: “In 2017, there were 16.7 million victims of identity fraud, a record high that followed a previous record the year before.”

 

A Serious Business Problem

Because it impacts consumers, we tend not to think of identity theft as a business problem. However, consider where criminals get the customer data in the first place. Businesses and organizations gleefully collect and store data, even if it means putting them on the receiving end of unfathomable risk.

In their 2018 Identity Fraud report, Javelin points out that the crime has reached an epidemic height and entered a new era of complexity.

 

Lessons to Share

Although our analysis of the Marriott breach only scratches the surface of deeper technical matters (and we don’t want to blame the victim), today’s technology offers you and your organization direction to safe harbors for your data security.

Cloud versus on-prem: Could the breach have originated through vulnerabilities in an on-premises data center/network supported by in-house security? A skillfully deployed hybrid solution can mitigate risk by leveraging the robust security investment and 24/7/365 monitoring delivered by commercial cloud providers like Microsoft.

Data at rest issues: Could more data encryption have mitigated some of the damage? It appears that some of Marriott’s data was encrypted, and some was not. A more consistent and aggressive use of encryption technologies could have helped to prevent hackers from accessing much of the information that was stolen.

Data gluttony: Your marketing and sales department will continue to gather and store as much customer data as they can to learn and create opportunities. But that data, especially when it’s stale, represents needless risk. The best way to avoid a data breach is to not collect the data unless you need it, and then securely use it or lose it.

GDPR encourages companies to store the data for the shortest time possible for a reason. Establish time limits to erase or review your data. Javelin wrote:

“With all of the data and tools at their disposal and unprecedented levels of sophistication, criminals are engaging in complex identity fraud schemes that are leaving record numbers of victims in their wake. This degree of complexity, which can target a single victim but span multiple organizations, means that an organization can no longer reasonably expect to protect customers through its efforts alone.”
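To make the “use it or lose it” time limits from the data gluttony lesson concrete, here is an added example (not from the original post, and not Marriott’s or any vendor’s code) of a retention sweep over guest records holding the kinds of fields Marriott listed. The 30-day and 730-day windows, the field names, and the sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Retention windows are assumptions for illustration only; they are not
# taken from Marriott, GDPR, or the original post.
SENSITIVE_TTL = timedelta(days=30)     # passport number, date of birth
RECORD_TTL = timedelta(days=730)       # the whole guest record
SENSITIVE_FIELDS = ("passport_number", "date_of_birth")


def apply_retention(records, today):
    """Enforce both limits, counted from departure; return (kept, report)."""
    kept, report = [], {"deleted": 0, "minimized": 0, "untouched": 0}
    for rec in records:
        age = today - rec["departure"]
        if age > RECORD_TTL:
            report["deleted"] += 1           # stale: drop the whole record
            continue
        rec = dict(rec)                       # never mutate the caller's data
        present = [f for f in SENSITIVE_FIELDS if rec.get(f) is not None]
        if age > SENSITIVE_TTL and present:
            for field in present:
                rec[field] = None            # keep the stay, lose the identity data
            report["minimized"] += 1
        else:
            report["untouched"] += 1         # recent or upcoming stay
        kept.append(rec)
    return kept, report


def exposed_passports(records):
    """Count the passport numbers an intruder would find in this data set."""
    return sum(1 for r in records if r.get("passport_number"))


# Constructed sample records (hypothetical guests and document numbers).
SAMPLE = [
    {"name": "Guest A", "passport_number": "X0000001",
     "date_of_birth": date(1980, 1, 1), "departure": date(2016, 3, 1)},
    {"name": "Guest B", "passport_number": "X0000002",
     "date_of_birth": date(1990, 5, 5), "departure": date(2018, 9, 1)},
    {"name": "Guest C", "passport_number": "X0000003",
     "date_of_birth": date(1975, 7, 7), "departure": date(2018, 11, 20)},
]

if __name__ == "__main__":
    kept, report = apply_retention(SAMPLE, today=date(2018, 11, 30))
    print(report)
    print(exposed_passports(SAMPLE), "->", exposed_passports(kept))
```

Run on a schedule, a sweep like this shrinks what a breach on any given day can expose: in the sample, three stored passport numbers become one.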

 

 

Don’t Go it Alone

Javelin’s correct, and not just about the increasing complexity of identity fraud, either. The modern threat landscape evolves quickly. The complexity is too great, and the stakes are too high, for do-it-yourself security. Organizations need security help. Expert, third-party strategies and solutions deployed and supported by full-time, accredited, and objective security specialists, like BioConnect, can save you a world of grief.

Worried about your vulnerability to breaches? Use biometrics to improve your security before disaster strikes.
