Data security has been a hot topic these last twelve months, with the Office of Personnel Management, Neiman Marcus, and Ashley Madison all making headlines. But there's never been a week quite like September 27-October 3, 2015. In those seven days alone, cell phone carrier T-Mobile, investment firm Scottrade, and crowdfunding site Patreon all suffered data breaches. The breaches underscore the dangers to companies, and the steps that can be taken to guard against such breaches.
The breadth and depth of the data breaches from that week are stunning. T-Mobile's customer data was compromised as a result of a breach of its credit processor, Experian. The names, addresses, phone numbers, and Social Security numbers of more than 15 million United States residents who applied to be T-Mobile customers between September 2013 and September 2015. The contact information and Social Security numbers of more than 4.6 million Scottrade customers were illegally accessed. Patreon's breach was perhaps the scariest and most surprising. At first, it appeared that "only" 2.3 million names, mailing addresses, and email addresses of its donors. Yet just one day after the initial notification of the breach, Patreon's entire 13.7 gigabyte database was posted online. The database included password data, donation records, and most worrying, the database's source code.
After the breached companies absorb the bad press, expensive credit monitoring services, and other blows to their prestige and bottom line, the questions remain: what have we learned, what do we know, and what can be done? The answer to all three questions is "plenty."
1. There and Gone Before You Know It: As my colleague, Scot Ganow, has said many times before, by the time you find out about a data breach, it is too late to do anything about it. Scottrade underscores the inability of companies to respond in real time. Its network was compromised "in late 2013 and early 2014," with the breach ending more than 18 months before Scottrade became aware of it. Due diligence and sound data governance procedures can help detect a breach quickly and ensure that a company stays out in front of security concerns (and any negative press).
2. The consequences from a breach are broadening: For better or worse, people may be accustomed to names, email or mailing addresses, and other personally identifiable information being stolen by hackers. But the theft of Patreon's source code is, in many ways, a new frontier. Hackers can use the source code to recreate Patreon's database and connect what were disparate pieces of information; i.e., the hackers could associate particular donations with particular individuals, who have particular account numbers. The source code also lets hackers look for mistakes in Patreon's programming and crack the database's encryption of passwords and Social Security or tax identification numbers, which would otherwise take approximately six quadrillion years to do.
3. Security Still Matters: If nothing else, these recent breaches reinforce what privacy and data security experts have long known: it is not a question of "if" a data breach will happen, but "when." That means, as discussed below, a company has to have protocols in place not only to try to prevent a breach, but to minimize the damage if one happens. If Patreon's source code had been secured, then the damage to Patreon would have been limited due to the 2048-bit RSA key encryption of its passwords and Social Security numbers. These strong encryption measures can delay hackers in their attempts to obtain passwords, by which time users can change them and limit their personal exposure.
4. They've only just Begun: For Patreon, Scottrade, and T-Mobile, the fallout is only starting. Response to data breaches goes beyond Tweeting apologies and offering free credit and fraud monitoring to their consumers. They must coordinate with state attorneys general on notice and response protocols, which often vary widely by state. They are facing potential class action litigation, regulatory fines, and lost business. When a massive breach happens, companies can face losses in the hundreds of millions of dollars. How can companies guard against this potential financial ruin? First, having comprehensive and well-documented data security, training, and breach response procedures in-place will show consumers and government officials that your company: (a) has done all it can be reasonably expected to do to prevent a breach; and (b) has all the reasonable mechanisms in place to quickly and completely respond to a breach. Second, cyber insurance has gone from a niche curiosity to an essential part of a company's strategy in just five years, with total premiums paid soaring from $600,000 in 2010 to almost $2 billion in 2014 and most major insurers writing policies. With the frequency and severity of attacks increasing, a comprehensive policy can reduce the financial pain from a breach and let a company focus on maintaining its business.
The threat of data breaches presents the risks of bad press, costly litigation, and loss of business. But the threat also presents opportunities for businesses willing to be proactive in their security and response measures. Not only is an ounce of prevention worth a pound of cure, that prevention can attract new clients looking to rest easy in the knowledge that their data is secure-- as secure as it can be, anyway.