Data breach vs. data misuse: Reducing business risk with good data tracking
Introduction
Imagine this, and let’s face it, this isn't too hard: your personal data, including financial information, has been stolen in a major data breach. You’d be pretty worried. Unfortunately, this scenario plays out too often.
Some of the biggest breaches of all time have happened in the last few years. Breaches that expose the personal and often highly sensitive data of countless millions of individuals. Breaches like the Capital One cyberattack that exposed over the data of over 106 million people, including names, addresses, dates of birth, credit scores, Social Security numbers and bank account details. And the situation is only getting worse. In the first half of 2020, 27 billion data records were exposed: double the numbers for the whole of 2019.
Data breaches are painful on a corporate and personal level. But some breaches are seen as less harmful than others … is it all about data misuse rather than data breach? And can an enterprise reduce risk by tracking data?
What should you learn next?
Data breach examples
To set the scene, here is a snapshot of data breaches in 2020.
Magellan Health (365,000)
April 2020 saw the health data of 365,000 patients exposed via an initial exfiltration attack followed by a ransomware infection.
Zoom credentials (500,000)
In April 2020, over half a million previously stolen Zoom passwords and other account details were up for sale in dark web forums.
Easyjet (9 million)
May of 2020 saw an external hack with the theft of personal and travel details of 9 million customers. The attack metrics are still under investigation.
Experian South Africa (24 million individuals and 800,0000 businesses)
Personal details were exposed in a hack in August 2020. The metrics of the attack are not fully disclosed but it has been described as a social engineering attack.
Future crimes and data breaches
When data is breached, there is an expectation that legal repercussions will be brought against the offending company. These legal challenges are often class actions but can also be complicated by regulatory fines, such as those handed out by the GDPR or CCPA for non-compliance.
Legal actions related to data breaches are evidenced by several class actions in recent years. A data breach litigation typically uses the allegation of “future harm.” This is harm, usually taking the form of identity theft or financial loss at some point in the future. However, the court does not always accept that it must follow, that a breach will result in material harm to the individual.
This was the case in a recent action against the Sarrell Regional Dental Center for Public Health. The center had been a victim of a ransomware attack, affecting around 391,000 individuals. A class action brought by Lindsey Blahous against the company relied on past examples of data breaches and identity theft to evidence a future threat. The papers specify that:
“Plaintiffs do not allege any facts of actual theft (beyond alleged access) of their personal data and subsequent misuse of it — or even a specific future criminal intent to misuse it — by the ransomware perpetrators. Instead, Plaintiffs rely on data breach statistics generally to allege that they will suffer future harm specifically.”
This lawsuit was dismissed by a judge, who ruled against the class-action because they could not prove the data was used by cybercriminals to put victims’ identities at risk. The judge in the case, Austin Huffaker, described the situation as "the extent and depth" of the breach is still "murky," and that there was no evidence to show "at least some plausible specific allegation of actual or likely misuse of data."
This is an important point of law. Proof of future harm is always complicated. However, data breach and identity theft statistics should provide, at least, a smoking gun as evidence that cyberattacks lead to damage at an individual level.
Reducing the risk of a data breach by keeping track of data
Damage to customers should never be an option. Even if a court case rules that future harm is “not likely,” this should not be a reason to not care about data protection. But as we have seen, protecting data is complicated. This is becoming even more difficult as the COVID-19 pandemic requires working from home, which expands endpoints and challenges IT infrastructures to the limit.
Keeping track of data is where data protection starts. Knowing where data is at any point in its lifecycle gives an organization the information to determine risk, and in turn, understand the right security measures to put in place.
Data tracking policies should be a part of a corporate defense strategy. Data tracking is a way to manage enterprise risk and should be part of a wider enterprise cybersecurity strategy and culture. A November 2019, McKinsey survey, “McKinsey on Risk,” asked security executives about their use of SaaS platforms. Respondents said they used several measures including data usage tracking tools to manage data security risks. Data tracking can ensure that gaps are not allowing exposure or malicious exfiltration.
It is worth noting that data security risks within a complex cloud ecosystem can also have impacts on regulatory compliance. For example, under GDPR there is a right to be forgotten. An individual may request that a document containing personal data must be deleted. If this document is deleted from one place, without knowing of other instances of the same document or having a synchronization system in place, this means that the regulation has not been adhered to properly and leaves a gap in security.
Data tracking beyond a breach
Stolen data often ends up on dark websites for sale — see the Zoom credential breach above as an example. Being able to see where data goes post-breach can help to alleviate the harm potential of these data.
There are a variety of services that offer analytics and insights into dark web data stores and sales. These services offer dark web monitoring and perform searches that look for brand names hacked and associated data for sale. A company can share this information with law enforcement. They can also ensure that customers are aware of data tracking finds and can then change passwords, cancel credit cards and so on.
When data tracking goes bad
It is important to note that data tracking can itself be vulnerable to misuse. This is true in the case of consumer data used for marketing purposes. Data tracking has also been hotly debated in the case of COVID-19 trace-and-track apps across the world.
Mobile devices have been shown consistently to have harm potential when tracking of data is used. An example was reported by the New York Times Privacy Project in an article, “One Nation Tracked.” When given access to files, the article researchers found “50 billion location pings from the phones of more than 12 million Americans”. The users’ mobile devices were automatically tracking their daily movements.
FREE role-guided training plans
Conclusion: Harm by default?
A report from Javelin Research, “2020 Identity Fraud Report,” discovered that losses from identity fraud have increased by 15% and the consumer is paying for this with a doubling of out-of-pocket costs. We need to remember that our customers are our bread and butter. Also, the last thing that any organization wants is to end up in costly court battles with customers. Even a win such as that seen in the case against Sarrell Regional Dental Center for Public Health ends up as a loss for everyone involved. The only winners in the data breach arena are the cybercriminals and fraudsters.
A data breach is data misuse, no matter how tenuous the connection between exposed data and individual harm. The bottom line taken by an organization should be the protection of data no matter what. None of us have crystal balls; we should assume harm by default.
Sources
2020 Mid Year Data Breach QuickView Report, RiskBased Security
Blahous v. Sarrell Regional Dental Center For Public Health, Inc., docketbird.com
We were not hacked, a clever criminal convinced us to give him our data – Experian SA CEO, MyBroadband
One Nation, Tracked, The New York Times
Digital Data Tracking and Privacy: The Future Implications of COVID-19, SocialMediaToday
McKinsey on Risk, McKinsey & Company
In this Series
- Data breach vs. data misuse: Reducing business risk with good data tracking
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security