Every day I read about the latest data breach that has happened to ‘Company X in Country Y’ and, if you are like me, I do not give it much attention unless it is a “Mega Breach.” That’s right! I have become so immune to sub-million data record breaches that I hardly pay ‘normal breaches’ any heed at all.
So how did we get ourselves into this situation?
Have our security systems suddenly become vulnerable overnight?
Have hackers just gotten better?
Have our internal security procedures failed us?
Do we just not have enough trained security staff combatting these cyber-attacks?
Well, the answer is a combination of all the above. It is also related to the fact that, since the EU General Data Protection Regulation (GDPR) came into force in May 2018, firms are more likely to report attacks, as we will discuss below.
2.0 COUNTING THE COST
The cost of data breaches is increasing every year. The 2018 Ponemon Institute report, “The 2018 Cost of a Data Breach” (sponsored by IBM), found that the average cost of a data breach globally is $3.86 million, a 6.4 percent increase on the 2017 figure.
Because mega breaches have historically been rare, the ‘Cost of a Data Breach’ study has traditionally analyzed breaches of around 2,500 to 100,000 lost records.
This year, for the first time, the study also calculated the costs associated with “Mega Breaches” ranging from 1 million to 50 million lost records, projecting that such breaches cost companies between $40 million and $350 million respectively.
3.0 DATA BREACHES – HARD FACTS
As a reminder, I have selected a few notable data breaches which have happened in 2018 – see graphics below.
Facebook has received some notoriety by making the list twice. The first, in March 2018, was the Facebook/Cambridge Analytica harvesting of millions of people's personal data records without their consent.
Facebook was fined only £500,000 for this breach, which was the maximum fine possible at the time, but more than $100 billion was knocked off Facebook's share price as a result.
The first breach happened before the GDPR European legislation came into effect in May 2018. One would have thought that Facebook would have learned from that, but no! In September 2018 hackers accessed 30 million user records, and 14 million of those users had their names, contact details and sensitive information such as gender, relationship status and recent location check-ins exposed.
The EU privacy watchdog Data Protection Commission Ireland (DPC Ireland) announced it was investigating the data breach for possible violations of Europe's new General Data Protection Regulation (GDPR). If found guilty, Facebook was said to be facing fines of up to $1.63 billion.
The British Airways hack, in which some 380,000 customers’ personal and financial data was stolen over a two-week period from 21 August to 5 September, is notable because BA informed the Information Commissioner’s Office (“ICO”) within 72 hours of the breach, as required by the GDPR.
However, the customer data stolen in this breach included bank card numbers, expiry dates and CVV codes. Some affected customers’ data was discovered for sale on the Dark Web in November for around $10 a card.
The prospect of hefty fines for a breach, up to €20,000,000 or up to 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, is undoubtedly the aspect of GDPR that has struck the most fear into organizations.
GOOGLE+ EXPOSED THE DATA OF 500,000 PEOPLE THEN 52.5 MILLION
Companies outside the purview of the GDPR are not as forthcoming in declaring that they have been breached. In October Google confessed that the Google+ social network had exposed the records of 500,000 users over a period beginning in 2015. It was only after the Wall Street Journal broke the story that Google owned up, having feared that news of the breach would hurt public perception of the company and increase regulatory scrutiny.
Then again in December, Google revealed it had experienced a second data breach that affected 52.5 million users. Google has now decided it will shut down Google+ for good in April 2019.
We had a Mega Breach in December, which generated hardly any attention at all.
Quora discovered that one of its systems had been hacked by "a malicious third party," said CEO Adam D'Angelo in a blog post. "We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future," D'Angelo wrote.
"It is our responsibility to make sure things like this don't happen, and we failed to meet that responsibility."
The compromised information includes users' names, email addresses and encrypted passwords as well as data from social networks like Facebook and Twitter if people chose to link them to their Quora accounts.
Quora is notifying users whose data have been compromised, logging them out of the site and invalidating their passwords.
“The breadth and potential value of the data compromised, like encrypted passwords and social media data, was notable,” says Andrew Tsonchev, director of technology, Darktrace Industrial.
So, are we getting immune to Mega Breaches as well?
Perhaps the breach was not dramatic enough? So along comes a more interesting Mega Breach, this time that of Marriott Hotels, which recently revealed that hackers had accessed the information of an estimated 500 million customers continuously since 2014, affecting guests who stayed at Marriott’s Starwood properties.
We now have a dramatic breach, as the cyberattack on the Marriott hotel chain is alleged to have been part of a Chinese intelligence-gathering effort. According to FBI sources in Washington, the hackers are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency. Notably, Marriott is the top hotel provider for American government and military personnel.
Perhaps we will never learn the true story of this breach, as it comes at a time when the Trump administration is planning actions targeting China’s trade, cybersecurity and economic policies; so perhaps there is a political play here with its timely release?
4.0 HACKERS FOLLOW THE MONEY
The festive hacking season formally kicks off on Black Friday and Cyber Monday!
Black Friday and Cyber Monday are prime targets for cyber attackers, who also ramp up their efforts throughout December. Security researchers at Carbon Black warn that both individuals and organizations should expect to see a rise in attempted cyber-attacks during the holiday season.
Attackers take advantage of the fact that during the Christmas break most companies’ security teams are understaffed, which gives attackers a better chance of breaching networks and less chance of being spotted if they do breach the network or deliver malware. According to researchers at Proofpoint, the notorious TA505 hacker group is targeting US retail, restaurant and grocery chains in a new campaign for the holiday shopping season to steal credentials and valuable data.
The European Union’s General Data Protection Regulation (GDPR) provides consumers who have been affected by data breaches with some protection. Thanks to GDPR, companies must now disclose data breaches promptly or face massive fines.
On December 13th 2018 Google announced that it would shift control of European data from the USA to Ireland to aid GDPR compliance.
GOOGLE – Still more problems ahead
A group of seven European Union member states – Czech Republic, Greece, Norway, the Netherlands, Poland, Slovenia and Sweden – are now asking European privacy regulators to take action against Google for its “deceptive practices” related to location tracking.
FACEBOOK – More Woes
Facebook suffered another breach in which a Photo API bug gave application developers too much access to the photos of up to 5.6 million users. Facebook says the bug was active for 12 days, from September 13th to September 25th. Facebook said it discovered the breach on September 25th and informed the European Union’s privacy watchdog, the Office of the Data Protection Commissioner (IDPC), on November 22nd. The IDPC has begun a statutory inquiry into the breach.
As more business infrastructure gets connected, cybercrime will cost businesses over $2 trillion in total in 2019, and the average cost of a data breach in 2020 will exceed $150 million, according to a Juniper Research report.
It is worth noting that the largest data breach of all time was suffered by Yahoo in 2013, affecting 3 billion customer accounts.