Some organizations are surprisingly good at setting a very bad example. Especially when it comes to data breaches. Despite an untold number of warnings, and despite staggering data breaches making the news regularly for the last few years, some organizations still press on with subpar security measures, contentedly sticking with the status quo until it’s their millions of records being compromised and their company name grabbing headlines for all the wrong reasons.
It’s unfortunate, but the very least the rest of us can do is learn from the missteps of the following four organizations involved in some of the biggest data breaches of 2016.
The Haven’t They Suffered Enough data breach
The facts: In March of 2016, 21st Century Oncology, a California company providing cancer care services, announced they had suffered a data breach that involved the personal information of 2.2 million patients being compromised, including names, social security number, insurance information and diagnosis and treatment information.
The folly: The company reportedly wasn’t even aware of the breach until the FBI informed them roughly one month after the intrusion occurred. The company then proceeded to not inform any of the patients affected nor the Security and Exchange Commission for another three months. Twenty-first Century is facing over 13 class action lawsuits for over 57 million dollars for the careless handling of patient information, with many patients alleging they have been the victims of identity theft.
The You Can Hear This Now data breach
The facts: Also in March of 2016, Verizon Enterprise Solutions suffered a data breach that saw the information of 1.5 million customers stolen and put up for sale in an underground cybercrime forum with a price tag of $100,000.
The folly: Verizon Enterprise Solutions provides assistance to Fortune 500 companies for, wait for it, data breaches. According to cybersecurity blogger Brian Krebs, who uncovered the sale of the data, it seemed as though the hacker behind the breach found a way to force the Verizon database platform to dump its contents. Verizon stated the company had uncovered a security vulnerability on their enterprise client portal.
The Linked Way In data breach
The facts: In May of 2016 a Russian hacker going by the perhaps inaccurate name of ‘Peace’ put up for sale the email and password combinations of a whopping 117 million LinkedIn users. The asking price? Approximately $2,300.
The folly: Though the information went up for sale in 2016, it was actually stolen in 2012 with a resultant class action lawsuit settled in 2015 for 1.25 million dollars. The hacked data search engine LeakedSource claimed to have obtained the compromised information. Though the passwords had reportedly been encrypted by LinkedIn using the SHA1 algorithm, LeakedSource also claimed to have cracked 90% of the passwords in just 72 hours.
The Boohoo Yahoo! data breach
The facts: Like the LinkedIn breach, the Yahoo! breaches didn’t actually happen in 2016, but that’s when they garnered attention. In September it was announced that 500 million Yahoo! accounts had been compromised in 2014, with names, emails, birth dates and phone numbers stolen. If that wasn’t bad enough, in December of 2016 Yahoo! announced another data breach, this one from 2013, which had compromised 1 billion accounts. This is the largest data breach in history.
The folly: Yahoo! has indicated they believe the breaches are related, and that they are state-sponsored. The 2013 breach was reportedly tied to forged cookies that allowed attackers to access accounts without the use of a password. Yahoo! is being investigated by the Security and Exchange Commission for the length of time it took them to report the intrusions and is facing what will likely be record-setting class action lawsuits for failing to protect consumers.
Lessons to learn
The year 2016 was a record-breaking one when it came to the number of data breaches that occurred, and with that tremendous number of intrusions came a few trends when it came to the failures of the organizations affected as well as a few important lessons for other organizations.
The first one is the direst as well as the most obvious: most organizations affected had database security that was just not up to the task of protecting their consumers in the current attack-ridden cyber landscape. Other organizations can avoid this devastating mistake by using cybersecurity firm Imperva’s ‘10 Questions to Determine if Database Security is a Priority’ to help assess the current security situation.
The second lesson that needs to be learned involves an organization’s employees understanding how important security is and how much vigilance it actually requires. Data breaches that affected organizations like Centene, Seagate, Snapchat and Tidewater Community College resulted from either lost hardware or employees falling for phishing scams. These missteps may be indicative of a systemic issue within the company.
Lastly, organizations need to understand that if the worst-case scenario occurs and data is compromised, best practices need to be followed when it comes to reporting breaches to regulating bodies as well as affected users. Yahoo!, 21st Century Oncology and a number of other organizations are facing fines as well as inflated class action lawsuit settlements due to their tardiness in reporting their very serious breaches.
It’s the responsibility of all organizations to protect their data, because otherwise, the companies that have already been rocked by breaches will have suffered for nothing. That’s on top of roughly 2,000 other reasons organizations need to protect their data, of course, but every reason counts.