Data security is an increasingly common concern thanks to the rising awareness that security breaches pose very real threats to individuals. Companies have long been aware of the cost that such lapses can have though 2014 was a year that woke many organizations up to the fact that security measures simply cannot be left to chance. Any security shortcoming is a vulnerability that can – and very possibly will – be exploited. Here are some of the most significant data breaches of this year and what they have taught us about technological preparedness.
Aaron Brothers and Michaels
Though this data breach began in the middle of 2013, it was still making news at the beginning of 2014. These two retail outlets had credit card data, including expiration dates, stolen from point of sale systems. An investigation into the incident revealed strong indications that sophisticated malware was used specifically for the purpose of obtaining this information. Data from more than two million payment cards were obtained from Michaels stores and data from around 400,000 cards came from Aaron Brothers.
This popular Texas retailer experienced an attack on their security that went on for seventeen months. The type of information held by this particular retailer may have made it an attractive target to criminals. Among the information possibly stolen were:
- Bank account information
- Customer names
- Payment card numbers and expiration dates
- Payment card security codes
License plate numbers may also have been part of the information collected by the criminals. Though the approximately 550,000 customers potentially impacted is a relatively small population compared to the millions affected by various other 2014 security breaches, this incident demonstrates that popular regional outlets are attractive targets for criminals. Small- and medium-sized businesses need to think about data security with the same seriousness as large organizations.
The security incident affecting online auction site eBay was argueably one of the widest publicized of 2014. Assessments of the data breach suggested that a majority of the site’s 145 million members were among those likely affected. eBay stores a great deal of private information valuable to criminals, including customer names, physical addresses, birthdates, phone numbers, and much more. Even encrypted passwords were accessed but prompt action on the part of site members may have helped mitigate the damage.
The company helped bolster customer relations by quickly making contact with each member and urging them to change their password. Automated emails were used to disseminate accurate information in a timely manner.
The late spring attack on eBay was quickly pushed out of the news by a troubling breach that took place at JP Morgan, the largest US bank and a major financial institution. Like several of 2014’s other major security breaches, the attack on JP Morgan was perpetrated by hackers.
Though the breach was discovered in July an investigation revealed that it had begun a month earlier. During those few weeks of vulnerability account holders’ personal information was stolen; stolen data included physical addresses, email addresses, names, and phone numbers. Notably, the hackers used high level administrative security protocols to access the company’s network servers.
Though the Target breach was somewhat smaller than the ones that impacted other organizations in 2014, the nature of this particular security threat makes it worth noting. Investigators looking into the breach that affected 70 million customers concluded that malicious software had been installed into payment card readers used in point of sale systems. This software collected customer card information though other information, such as customer names, addresses, and phone numbers were also stolen.
Payment cards have several layers of security, including the three digit code present on the back. That the thieves were able to collect this security code as well as PIN numbers and card expiration dates indicates a troublingly high degree of criminal sophistication.
Learning From 2014
It is worth noting that a few industries were especially affected by 2014 security breaches. Retail, technology, and financial service industry organizations were the most frequent targets. While these industries handle a very large amount of sensitive data, this factor alone does not account for this observation; the healthcare industry, for instance, experienced breaches on a relatively smaller scale. Since data volume is itself not the prime indicator of security risk, all organizations that handle large amounts of sensitive data have to take appropriate precautions.
This past year has also demonstrated that no industry is entirely safe. Even within specific industry sectors a wide variety of anti-security activity took place. Every industry has to take data security very seriously. While the majority of attacks came from malicious outsiders, including hackers, malicious insiders also played a small role in exposing proprietary and private data.
What 2015 Holds
If the past year is any indication, we will see a few other large data security breaches affecting the retail and financial sectors in particular. Any organization that processes or stores client payment information will need to be quite vigilant about maintaining secure information storage, transfer, and access.
Since we have abundant evidence that traditional brick and mortar organizations face the same kind of security threats that online businesses do, it is possible that a more unified approach to data security will be adopted. It is no longer advisable or practical to treat the data security needs of these two business types as discrete; physical and online businesses both face threats from similar malicious outsiders.
The future holds a great deal of promise, however. Companies are learning from past mistakes and are learning how to more effectively communicate with clients who have been potentially affected by security breaches. A strong customer relations response will help restore trust and preserve public confidence. Planning a response protocol will also give companies an opportunity to anticipate necessary media outreach efforts. This helps create a proactive managed response that encompasses the concerns of many stake holders.
This year has taught us many important lessons about the evolving nature of data security. Taking these lessons to heart will help organizations in many different industries develop effective security measures as well as a multi-faceted response plan. Talk to us about developing dynamic and effective outreach solutions for all kinds of complex situations.
Top image ©GL Stock Images