MongoDB Hacks Lead to Many Data Breaches

Many data breaches are the result of the failure to take even the most basic precautions. Here are several that have been reported in the past:

  •  Garage sale bargains: One garage sale customer purchased a filing cabinet packed with personal data including Social Security numbers and home addresses.
  •  Sensitive data transported in an employee’s car: An organization held its annual drill to assess its data breach preparedness. Yet instead of using test data, the actual data was left in an employee’s car overnight and stolen, most likely along with the owner’s favorite Rick Astley CD.
  •  Thumb drive on a key chain: Flash drives are great portable devices, but they don’t belong on key rings, especially when the data isn’t encrypted. It makes you wonder which cost more, the replacement key fob or the data breach!

It would be nice if these were isolated events, but the truth is that for many, security is still an afterthought. Just consider databases: they continue to be one of the most popular targets for cyber criminals, yet some administrators fail to implement even the most basic controls to secure them. As an example, older versions of MongoDB don’t enforce any kind of authentication by default, which is a scary thought given that the MongoDB software has had over 20 million downloads. Since earlier this year, thousands of these default-install, unsecured MongoDB instances have been targeted for attack. A quick search on Shodan returns many potential targets.

The attackers simply exploit the lack of authentication, delete the original database, and hold a copy of it for ransom.

This same technique was also used to breach the CloudPets database and steal more than one million records from over 800,000 accounts. Much of the breached information was data on hundreds of thousands of minor children, including their names, genders, and birth dates.

What’s the cost of these types of mistakes? The 2016 Ponemon Institute data breach study reports that the average consolidated total cost is $4 million per breach. HIPAA violations carry a maximum penalty of $1.5 million per breach. Under the Federal Trade Commission Act, organizations that fail to abide by commitments of the E.U. Privacy Shield Principles can be subject to penalties of up to $40,000 per violation or $40,000 per day.

Implementing basic controls such as enabling authentication, changing default passwords, encrypting data, and patching systems can go a long way toward providing a minimum level of security. Sometimes “Small Things” can prevent “Big Problems!”
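As an added example (not from the original post), here is a minimal mongod.conf that contrasts the exposed default-install pattern described above with a hardened configuration; key names follow the MongoDB 3.x+ YAML format, and the file paths are placeholders.

```yaml
# Added example, not from the original post. Placeholder paths are marked.
#
# --- Weak: the "default install" pattern that turns up on Shodan --------------
# net:
#   bindIp: 0.0.0.0            # listens on every interface, reachable from the Internet
#   port: 27017
# security:
#   authorization: disabled    # anyone who can connect can read, drop and replace data
#
# --- Hardened ----------------------------------------------------------------
storage:
  dbPath: /var/lib/mongodb     # placeholder path
net:
  bindIp: 127.0.0.1            # local clients only; add a private/VPN address if needed
  port: 27017
  # Encrypt connections (MongoDB 4.2+ key names); paths are placeholders:
  # tls:
  #   mode: requireTLS
  #   certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled       # every operation requires an authenticated user with a role
```

With `authorization: enabled` and no users yet defined, MongoDB’s localhost exception lets you create the first administrative user from a shell on the server itself (`db.createUser` in the `admin` database); once that user exists, every connection, local or remote, must authenticate.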
