Halfway through the year 2017, we find ourselves reading a similar headline in the news every day, “XYZ Company Has Announced 100 Million Customer Records Exposed in Data Breach.” As we skim the articles, we breathe a brief sigh of relief that it isn’t our company in the headline, knowing that we could be next. According to a 2017 Ponemon Institute Report, the average total cost of a data breach in 2017 is $3.62 million. Let’s look at some of the top data breaches in 2017, the type of attack, and the kind of data that was affected to learn some lessons that could help prevent a costly data breach from occurring at your organization.
This past February, Arby’s announced that they had experienced a data breach that affected one third of its locations nationwide. It was discovered that a malicious software had been installed on its payment card systems, resulting in a large breach of credit card information. It’s important to remember that when training your employees to properly handle payment card information to include how to notice and report suspected tampering of payment card terminals.
In May 2017, any organization affected by the infamous WannaCrypt ransomware definitely wanted to cry. Noted as the largest worldwide cyber attack to date, cyber criminals held data for ransom on more than 300,000 computers, claiming over 200,000 victims. This unprecedented data breach stemmed from an uninstalled “critical” Microsoft patch that was released three months prior. Updating security patches and keeping operating systems up to date is crucial, as attackers will target known vulnerabilities.
Princeton Community Hospital
After being hit with the latest ransomware known as Petya, this West Virginia hospital was forced to rebuild their entire network, replacing nearly 1,200 hard drives in the process. Petya, uniquely designed not to make money, froze the hospital’s electronic medical records, making it impossible for patients to be treated. They were unable to pay a ransom and lost access to computers and all data. While we learned from WannaCrypt that keeping patches up to date is critical, it’s equally as important to ensure proper backups. In the event of an attack such as Petya, there is no way to retrieve any data other than restoring from a backup. Regularly performing backups for critical data, files, and systems can help make the recovery and restoration process quicker and easier.
Another common cause of a data breach in 2017 is incorrectly configured third-party hosting providers. In July three million WWE fans had personally identifiable information such as addresses, birthdays, ethnicity, earnings, educational background, and children’s age ranges exposed. It was discovered that the Amazon Web Services S3 server was storing all the database data in plaintext, without password or username protection. When assessing your information security program, don’t forget to regularly examine and verify any third-party vendor security and compliance.
The most recent data breach to plague 2017 affected approximately six million customers. Verizon announced that names, addresses, phone numbers, and account PINs were left exposed in a database hosted on a third-party cloud server. As cloud security flaws continue to be a common reason for a data breach, it’s important to understand your risks, and do your due diligence to ensure the policies and procedures for securing your data are appropriate and effective for preventing a data breach.
Don’t let your organization be next! Stay up to date and proactive when it comes to the latest threats to your organization’s security. For help conducting a Risk Assessment or assessing your current security posture against the threat landscape, contact us today!