How 2019’s worst corporate hacks could have been prevented: lessons learned

By Tresorit Team, Jan 23, 2020 Industry News

2019 made it to a landmark in terms of security with an ever-increasing number of data breaches in the corporate world. User log-in credentials, customer data bases, corporate emails, sensitive enterprise documents, medical and tax information are just a few examples of data that fell into the wrong hands and got publicly exposed. It’s not a question anymore if your company will have a data breach but when it will happen.

Incidents come at a high price. According to IBM’s 2019 Data Breach Report, the cost of a data breach has increased by 12% over the past 5 years and is now $3.92 million on average. The bad news is that the impact of an incident is not limited to the immediate aftermath of the breach; the costs will be felt for years down the line. Reputational harm, failing share prices, lawsuits and reputational losses are just a few examples of what a company has to deal with in the wake of a data incident.

The good news? The majority of breaches can be avoided with the implementation of proper security policies and tools. Let’s look at four of the most prominent examples from the last year.

Payroll data of 29,000 Facebook employees stolen

What happened?

The data breach reportedly occurred when someone stole multiple unencrypted physical hard drives from a payroll employee’s car. Information on the hard drives apparently included names, bank account numbers, Social Security Numbers, salaries, bonus amounts and equity details.

How could this have been prevented?

When storing sensitive data on external drives, it’s a must to use hardware encryption which protects information by converting it into unreadable code that cannot be deciphered by unauthorized people. But it’s not only external drives that can get into wrong hands. Data is often exposed when a physical device – laptop, iPad, iPhone – of an employee gets lost or stolen. To prevent sensitive data from leaking this way, it’s advisable to remote manage data with a cloud-based storage solution which allows data to be wiped remotely from devices. In this case, if the device gets into the wrong hands, the administrator can simply remote wipe the device and data will no longer be found on it.

Medical data belonging to roughly 20 million individuals exposed in AMCA data breach

What happened?

A security breach at American Medical Collection Agency (AMCA), a billing services provider for the US healthcare sector, exposed the personal and financial information (names, home addresses, phone numbers, dates of birth, Social Security numbers, payment card and bank account details) of over 20 million Americans. The exposure was caused by unauthorized access to a database which went on for nearly eight months.

How could it have been prevented?

When dealing with highly sensitive information such as medical or financial data, one must ensure that no unauthorized access is possible to the database. While many services propose ‘secure’ storage for business-critical data, only providers who offer end-to-end encrypted file storage can make unauthorized access technically impossible. In this case, files are encrypted locally on the users’ device. Therefore, no one – not even the service provider – can look into the contents of the users’ files. Even if hackers breach the server of the provider, the only data they’ll find will be undecipherable gibberish. Setting access rights and privileges can further help to ensure that only authorized personnel has access to sensitive data.

Fortune 500 company Tech Data leaks 264GB of private data

What happened?

In the case of the technology giant Tech Data, an exposed server was responsible for the leak. The open database contained customer data, including names, postal and email addresses, job titles, invoicing data and partial payment information, such as card type, cardholder names and expiry dates. Apart from obfuscated card numbers, the data was in plain text.

How could it have been prevented?

If a malicious attacker gains access to an unencrypted server, data can easily be exposed. It is essential for companies to store data in an encrypted format. However, they also have to make sure not to store the encryption key on the same server. If you or your service provider holds the encryption key, anyone who manages to get access to the servers, can decrypt your data. To avoid this kind of breach, businesses should opt for a cloud solution which encrypts and decrypts files locally, on the users’ device, not in the cloud.

UniCredit data breach exposes 3 million customer records

What happened?

Italian bank UniCredit said a single, compromised file generated back in 2015 was the source of the security incident which exposed three million customer records, including names, telephone numbers, email addresses, and cities of residence.

How could it have been prevented?

This incident brings attention to the importance of secure and controlled file sharing. When sharing files, internally or externally, businesses should opt for solutions that allow transfer via secure links. There should be an option of link withdrawal in case it is accidentally sent to the wrong recipient, and a link expiration and/or download limit which help to mitigate the problem of leaving files out in the open and forgotten.

What’s the takeaway from all this?

In order to prevent data breaches caused by human error or malicious attacks, businesses should look for a solution which protects sensitive business data with: