A previous finding in Cost of a Data Breach from last quarter’s newsletter was that the odds that an organization will experience a data breach increase year to year. Data breaches caused by malicious attacks are on average the most common, the costliest, and the most difficult to contain. Right now, countless organizations are experiencing the horrors associated with compromised data every minute of every day. Uber, LinkedIn, Facebook: these are just a few of the successful giants that have dealt with such a fate.
A recent article in CNET discussing the subject claims that exposed databases are as devastating as data breaches by hackers, perhaps not in dollar value but in consumers exposed. Breaches by hacking take the longest amount of time to contain and therefore are the most costly of any type of breach, but that does not tell the whole story: if your customers do not trust that you are properly securing your data, in the cloud or otherwise, they will decide your fate with their wallets.
In 2018, two hackers were indicted for the breach LinkedIn experienced through its subsidiary Lynda.com’s Amazon web servers. 55,000 accounts were affected. The group responsible admitted to using Amazon web server logins belonging to Lynda employees to access customer information. They then used this data to contact the corresponding company and extort it for hundreds of thousands of dollars’ worth of bitcoin. In a strange twist to the case, the group also admitted to hacking Uber in 2016 in a breach that compromised 57 million users. Uber, which initially chose to keep the incident a secret, was slapped with a $148 million fine and will be required to submit to 20 years of privacy audits. By not reporting the breach, they not only faced lost business anyway, they were slapped with a fine as well. Stories like this should stand as a cautionary tale that breaches need to be revealed publicly as soon as they happen. LinkedIn did the right thing and chose to reveal the incident as soon as they became aware of it rather than trying to cover it up. As a result, they only have to face the prospect of lost revenues rather than also incurring an FTC or similar fine. This ties into the statistic presented in the last issue of this newsletter: the longer a breach takes to contain, the more costly it is.
2019 was a grim year for securing sensitive information. Names, addresses, and demographic data of 80 million US households were revealed. Expected salaries of over a million US households, as well as thousands of Facebook passwords, likes, and comments, were revealed as well. In the case of the Facebook data, a third-party company stored the information incorrectly. These types of mistakes could have easily been avoided with the simplest password protection, encryption, and other DevSecOps considerations. Masking tools can be employed to ensure that no sensitive information exists in the cloud, ensuring no risk to the customers whose information you are storing.
In April 2019, Facebook had over 540 million customer-related records exposed, according to UpGuard, a cybersecurity research firm. Once again, data stored on AWS servers was compromised. In September 2019, an unsecured AWS server exposed phone numbers that could be matched with Facebook accounts. These are only the known cases of compromised data related to Facebook’s AWS servers. These thieves did not have to break in; they merely exploited machines with improperly utilized security settings. With cybercrime and security breaches, it is now more vital than ever to secure organizational data, especially if it is placed in the cloud.
LexisNexis and Dow Jones both maintain lists of high-risk banking customers. These lists, which were stored on unsecured databases, were exposed in 2019. Both exposures were related to not using password protection on servers in the cloud. Password protection, even before encryption, must be utilized in all cases on cloud servers. Hackers use special search techniques and custom software to find unsecured data to exploit. Not choosing password protection ensures that it is not a matter of if, but when, the threat finds your vulnerable server.
Axis Technology LLC recommends that unmasked customer information never be stored in the cloud at all. Additionally, automation processes and AI can be used to further boost security, reducing the possibility of a breach. One thing is for certain: migrating to the cloud requires a plan covering what data to put on the cloud, how to secure what you decide to put there, who gets access to it once it is up there, and numerous other considerations.
For a data set stored in the cloud to be truly secure, an additional level of security is required. Completely secure your data by choosing an appropriate masking tool to obfuscate data stored within the cloud. Though it will still appear like real data and can be tested as such, the data will be fictitious, ensuring that there is nothing for cyber thieves to steal.
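The sketch below is an added illustration of the masking idea described above, not Axis Technology's tooling and not code from the original article. It uses keyed, deterministic masking so that masked fields keep their layout and equal inputs map to equal fictitious outputs, which keeps joins and tests working. The key, field names, name lists and sample rows are constructed assumptions.

```python
import hashlib
import hmac
import itertools
import re

# Constructed demo values. Assumption: the real key never leaves the source environment.
MASK_KEY = b"constructed-demo-key"
FIRST = ["Alex", "Blake", "Casey", "Drew", "Emery", "Finley", "Gray", "Harper"]
LAST = ["Adler", "Brooks", "Chen", "Diaz", "Evans", "Frost", "Gupta", "Hale"]
ROWS = [
    {"id": 1, "name": "Jane Roe", "email": "jane.roe@corp.test", "phone": "(617) 555-0142", "plan": "gold"},
    {"id": 2, "name": "Jane Roe", "email": "Jane.Roe@corp.test", "phone": "617-555-0142", "plan": "gold"},
]

def _digest(key: bytes, field: str, value: str) -> bytes:
    """HMAC over (field, normalised value); not recomputable without the key."""
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def mask_name(key: bytes, value: str) -> str:
    d = _digest(key, "name", value)
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"

def mask_email(key: bytes, value: str) -> str:
    d = _digest(key, "email", value)
    return f"user-{d.hex()[:12]}@example.com"

def mask_phone(key: bytes, value: str) -> str:
    """Replace every digit but keep separators, so length and layout survive."""
    stream = itertools.cycle(_digest(key, "phone", re.sub(r"\D", "", value)))
    return re.sub(r"\d", lambda m: str(next(stream) % 10), value)

MASKERS = {"name": mask_name, "email": mask_email, "phone": mask_phone}

def mask_record(key: bytes, record: dict) -> dict:
    """Mask the sensitive fields; everything else (id, plan) passes through."""
    return {f: MASKERS[f](key, v) if f in MASKERS else v for f, v in record.items()}

if __name__ == "__main__":
    for row in ROWS:
        print(mask_record(MASK_KEY, row))
```

Only the masked rows would be uploaded. Both sample rows describe the same person, so they receive the same masked name, email and phone digits even though the inputs differ in case and punctuation.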
Finally, and perhaps most importantly, choose a partner who has two decades in the data security and automation space. We are Axis Technology LLC, your cloud migration experts.