Data breaches and what we can learn from them

Brid-Aine Parnell

Sunday 11 October 2015

Big brand names have been the source of some of the world’s largest data breaches, but with ongoing staff training and constantly updated security measures, companies can stay ahead of cyber attacks.

Sony, Adobe, eBay, Target, JP Morgan Chase – what do these household names have in common? They’ve all been the source of some of the world’s largest ever data breaches, resulting in the theft of millions of users’ names, addresses, phone numbers, emails, dates of birth and, in some cases, even their financial information.

Whether the leak is down to social engineering, poor employee training or sophisticated hacks, people are getting used to hearing that their personal data has been lost by big name firms. Often, it’s just email addresses and passwords. But even these small pieces of information can be enough to get clever hackers into other accounts when people are re-using passwords, and from there, to financial information or identity theft.

The war against cyber attacks is one of attrition. As methods of cybersecurity get more and more sophisticated, so too do the hackers’ malicious software and social engineering. Staying ahead is no simple task, but there’s one factor that companies can affect and that’s employee behaviour. Too often, a cyber attack starts as a result of human error – whether it’s a lost tablet with login info or falling for a social engineering trick or a fake login page. Once hackers get their hands on one employee’s login, it’s often all too easy for them to go from there to the theft of huge amounts of data.

“Even in the case of highly-sophisticated targeted attacks – so-called advanced persistent threats (APTs) – the starting-point can often be the use of social engineering to trick staff into launching code that then gives the attackers an initial foothold in the organisation,” says David Emm, principal security researcher at Kaspersky Lab.

It’s not easy to mitigate human error, but companies should be investing in ongoing staff training to keep their employees’ cybersecurity knowledge up to date.

Another problem is that companies often fail to report data breaches to users. Online marketplace eBay was criticised last year for its slow reaction time to the theft of the personal data of up to 145 million of its customers. Although the hack, facilitated by employee login credentials, took place in late February and early March, eBay did not start informing users until late May. Many customers first learned of the breach not from an email from the company, but from reports in the media.

“Historically, companies have been very reluctant to acknowledge breaches publicly, because of the perceived damage to reputation. However, it’s important that they do so,” Emm adds.

“First, it’s important that companies alert their customers to the dangers and risks of any personal data that has been compromised. Second, openness allows for discussion of weaknesses that can be exploited by cybercriminals and helps to highlight security measures that can be used to successfully combat attacks.

“Third, since it’s likely that information will eventually leak out into the public domain, it makes more sense for companies to go public,” he continues.

But at times, the breach comes from a sophisticated hack like that at JP Morgan Chase. Cyber attackers managed to get a list of the applications and programs that were running on the bank’s computers, which they then crosschecked with known vulnerabilities in that software in search of a backdoor into the system. This gave the hackers access to personal information on millions of customers, though the bank said there was no evidence that financial account data had been taken.

It’s difficult to know just what the firms at the heart of the biggest data breaches have done to upgrade their security systems, since companies are unwilling to discuss the specific measures they take in terms of cybersecurity in case they thereby tip off the attackers. But it is important that whatever measures they do take are constantly being updated.

“There’s no doubt that attackers will continue to seek ways of breaching the security of organisations and compromising data they hold. Such data is the life-blood of companies and other organisations and is very valuable to attackers,” Emm concludes.

“Also, since technology, and the way we use it, changes over time, so too will the form that attacks take. For this reason, it’s important to see security as a process, rather than as a one-off completed task. Organisations need to be ever-vigilant and continually review their security measures.”
