The Importance Of Proper Cyber Security
We live in a constantly evolving technical world and unfortunately, these technical advances also come with significant risks. As technology evolves, the number of vulnerabilities and threats to these technologies is growing at an exponential rate. The term “data breach” has become one of the most common and feared terms in the business industry.
A data breach can have an enormous impact on a company’s finances and reputation. For instance, three of the largest recent data breaches, alone, are estimated to have cost more than a trillion dollars and impacted more than 3 billion users. Due to the enormous potential financial loss, irreparable harm to a company’s reputation, and the exposure of user’s private information, it is critical that companies take adequate steps to protect individual’s confidential information. A data breach is unauthorized access to private data or information. Information that can be stolen consists of credit card numbers, email addresses, home addresses, social security numbers, bank accounts, passwords and many more valuable pieces of information (Trend Micro I 1). These data breaches are not just exclusive to businesses but can also impact governments. In addition to enormous costs for the businesses and governments, data breaches can have a significant future costs to consumers. For example, when a data breach occurs and consumer identities are at risk, this makes them more susceptible to identity fraud.
How do data breaches occur? Data breaches can occur when there is a vulnerable system or even vulnerable employees. A black-hat hacker would be able to exploit a system or even socially engineer a vulnerable employee to gain access to unauthorized information. They might try to access this information for personal gain, morals, or even fraudulent reasons. Based on the recorded data breaches from 2005 to 2015, personally identifiable information (PII) was the most common stolen data type. Financial data was the second most common data type stolen. The most common tactic used for breaching information/data is hacking with malware (Trend Micro I 1). Malware is any software that is intentionally built to cause harm to computer systems (Rouse 1). For example, a ransomware would be considered malware. These are just a few examples of how a data breach can occur.
As discussed earlier, data breaches can cause major damages. For example, they can negatively impact the development and growth of some of the largest corporations today. They can cause financial damage in terms of law suits and damages to systems. One of the largest data breaches occurred effecting Yahoo and their users. In 2014, Yahoo failed to disclose a data breach resulting in a 35 million-dollar fine, lost stock evaluation and millions of dollars in liability (Kastrenakes 1). Hackers managed to take information from 500 million user accounts. This attack caused damage to Yahoos value and reputation but, worst of all, millions of innocent users were impacted. Information was stolen from over 500 million users, which could cause problems for these users for years to come. Many other companies have been breached or attacked such as LindedIn, Equifax, Target, eBay, JP Morgan & Chase, and many more. Overall, data breaches can cause tremendous damage and harm to a company as well as the users.
The Yahoo 2014 breaches are considered the largest breaches to date in which all 3 billion user accounts were affected (Trend Micro I 1). The records compromised included; user accounts, password, telephone numbers and more. Luckily, Yahoo stored financial information on uncompromised systems that were not breached (Trend Micro II 1). Although there was a considerable amount of records compromised, the actions taken after the fact consisted of notifying users to change their passwords regularly. This data breach exemplifies the importance of password strength and password control.
The next largest breach to date is the AdultFriendFinder (AFF) breach with 412 million records stolen (Trend Micro I 1). AFF was breached in October of 2016, with user information such names, email addresses, and passwords being lost (Armerding 1). Unfortunately, in this case, extremely private information was exposed. People’s private profiles had information regarding their sexual preference, photographs, likes and dislikes and many other preferences. The AFF breach was a whole new kind of threat to the users. All of the user’s information had been leaked resulting in none of their information being private anymore (Trend Micro III 1). This breach also showed that AFF was keeping information on users even after they deleted their accounts. One user came out and said he tried AFF and deleted it but was still on the leaked list and began receiving spam emails (Trend Micro III 1). This shows how careless management of information can harm users inadvertently and adversely. AFF’s failure to properly protect its user’s information caused significant harm
What is considered the third largest data breach was with the site MySpace, wherein 360 million accounts where compromised. The database leaked consisted of MySpace accounts and passwords (Blanco 1). Although 360 million accounts were compromised, the damages were minimized as MySpace took prompt steps to protect users’ information by notifying them and requiring them to change their credentials. Even though MySpace took prompt measures, consumer trust in MySpace was substantially harmed. It is believed that this massive data breach was in part to blame for MySpace’s lost popularity.
The next largest data breach occurred against eBay, the online auction and shopping corporation. In 2014, eBay disclosed a data breach that compromised all 145 million of its users’ names, addresses, passwords, and date of births. Although this sensitive data was exposed, fortunately, financial information was stored on uncompromised systems. The hackers had unauthorized access to this data for more than 229 days (Blanco 1). However, this attack had little effect on eBay and the consumers as the users were simply advised to change their passwords. In the end, eBay implemented new password renewal processes and procedures to help further protect users’ information. Another large breach occurred with Equifax from May 2017 to June 2017, where 143 million consumers were affected (Armerding 1). Equifax is one of the largest credit reporting agencies that handles both consumer and businesses credit. In June of 2017, Equifax discovered the breach and realized that hackers had been in the system since mid-May. There was a vulnerability in the Equifax website applications that hackers used to gain access to unauthorized files. These files included “social security numbers, birth dates, addresses, and in some cases driver’s license numbers” (Ragan 1). About 200,000 consumers also had their credit card information exposed causing tremendous risks and consequences to the consumers and the company. Fortunately, Equifax handled the breach in a diligent manner by notifying those that were affected and by setting up a website for people potentially affected. Post-breach, Equifax hired a forensics team to help them investigate the breach and reduce the risks of this incidents happening in the future. The CEO and Chairman, Richard F. Smith, also released personal statements about the breach. He discussed how the company was taking measures to recover from this incident and prevent further attacks from occurring in the future. Although this breach put millions of consumers at risk, the attack was caught and handled swiftly.
One of the most financially devastating data breaches occurred against Heartland Payment Systems in March of 2008. Nearly 140 million credit cards were exposed through spyware that was installed on the data systems of Heartland. During the time of the breach, nearly 100 million transactions were occurring a month on the infected systems. This data breach was actually considered to be part of a “global cyber fraud operation” and was investigated by the Secret Service and Department of Defense (Armerding 1). Heartland has taken cautionary measures to protect from any future incidents or breaches by implementing a new real time anomaly alert system to immediately notify them of any anomalies on the network (Armerding 1). One of the most notable retail stores and corporations, Target, suffered a breach in 2013. Hackers were able to gain access to Target’s Point-Of-Sale (POS) card readers through a third party vendor (Armerding 1). Credit and debit card information was stolen along with personally identifiable information. This breach caused tremendous damage to target both financially and developmentally. Following the breach, the Chief Information Officer (CIO) and the CEO resigned. The estimated financial cost of this breach was about $162 million (Armerding 1). Yet another notorious data breach was with TJX companies. During this breach, hackers exposed over 94 million credit cards. There was actually a connection between some of the suspects from this breach and the Heartland breach, which was thought to be part of a “global cyber fraud operation” (Armerding 1). This breach resulted in adverse effects on the credit card companies and consumers. Consumers in places like the UK and Ireland were even affected. Overall, this breach was part of one of the biggest fraud operations.
Another list-worthy breach occurred against Uber. PII from over 57 million Uber users and about 600,000 drivers was stolen. Although this was not one of the biggest breaches, it was fairly damaging to Uber in large part due to how they handled the breach. Upon discovering the breach in 2016, Uber failed to disclose it to its users and drivers for almost a year. Uber also paid the hackers $100k to delete the data even though there was no evidence that they actually deleted it. As a result, Uber placed the blame on its CSO and fired him. This breach, and the manner in which they handled it, substantially affected Uber’s net worth. Before the breach, Uber was valued at $58 billion and after the breach, they were valued at $48 billion (Armerding 1). Not all of that worth could be attributed to the breach, but a tremendous amount could be as users and drivers lost confidence in Uber’s ability to protect their information. Overall, this breach should be the poster child for how not to react in the event of a data breach.
Unlike Uber, one of the common themes shown by many of the companies that have been victims to data breaches is that they typically will step up and spend the money to protect their users after a breach occurs. The problem with this is the fact that many companies wait until after they have been breached to take the right steps. This is simply too late! In order for consumers to place trust in these companies and allow their personal information to be shared, they must feel confident that their information is being adequately protected. Otherwise, consumers will fail to use their services resulting in the companies lost revenues and potential failure. When this happens, not only are all the employees of the failed companies hurt, the users may be without a service that could otherwise make their lives easier. Therefore, companies that keep confidential user information must take the proper steps and spend adequate money to ensure that their users’ information is protected before a breach occurs. Unfortunately, data breaches will continue to occur as not every application or company will be totally secure. Hackers will continue evolving with technology and expose vulnerabilities. Not all breaches can be stopped, however, many can! Corporations must constantly be finding vulnerabilities before the hackers find them. Consumers want to feel safe using the applications that companies provide and create. Consumers will continue to be skeptical using company applications as long as data breach numbers continue to rise.