If the series of 2015 Data Breaches taught us anything, it is this: 2015 was a good year to be a hacker. In fact, as the years progress, the life of a hacker seems to get better and better. While doing research for this topic, I noticed the following trend: with every passing year, the year prior was described as “the worst year for data breaches.” Some quick examples – here is an article from early 2014 saying 2013 was the worst year for data breaches, followed by this article from early 2015 saying 2014 was the worst year for data breaches, finishing with this article from last year showing 2015 was on track to be the worst year in data breaches. These probably aren’t words you want to hear, but it’s the inconvenient truth. Today, I’d like to take a look back at the 2015 Data Breaches, look at some statistics, some specific examples, and more importantly, what we can do this year to prevent these sorts of data breaches.
First, we should discuss breaches in a little more detail. A breach occurs when an unauthorized user gains access to secure information on a corporate network. There are a number of ways these breaches can happen, including exploiting system vulnerabilities, using targeted malware, and gaining access with improper/forged credentials, to name just a few. Once an attacker gains access to the network, there are four phases in the breach:
- The incursion
- The discovery of data
- The capturing of data
- The exfiltration of data
It’s true that Data is King. Now, let’s go over some data of our own.
2015 Data Breaches – Details
According to a paper published by Verizon in collaboration with major players in the security industry, there were 2,122 confirmed 2015 data breaches across the globe. You might be thinking, “well, that’s not a very big number when all is said and done.” Well, to my fellow American citizens reading this, according to ZDNet, almost every American has been affected by at least one data breach this year.
Do you think I’m bluffing? Let me hit you with some specific examples of the most recognizable 2015 data breaches.
Did you buy your child a toy from VTech last year? Breached. Go to Vegas and stay at the Trump hotel? Breached. Support an artist on Patreon? Breached. T-Mobile customer? Breached. Buy/sell some stocks on Scottrade? Breached. Get your photos printed at a CVS, Walgreens, or Costco? Breached. Are you a government employee? Breached. Pay your taxes last year? Breached. Oh, and always a favorite of mine – did you cheat on your spouse in the past year? Yeah, you were breached. You were also the subject of a blog entry by yours truly. This is not an exhaustive list.
It might seem like a hopeless situation to some people. Even the smallest vulnerability can be exploited and lead to the exposure of precious data. Admittedly, it’s a difficult job to keep data totally secured in the modern age when it’s under a constant barrage of attacks. However, that is not an excuse to give up or slack off when trying to prevent these attacks from happening. It is important to remember that data breaches can always be prevented. Here, I’ll outline some ways to do just that.
Preventing a repeat of ‘the worst year for data breaches’
- If you are an employer, crafting an encryption policy that employees must abide by is a good step to take.
- Laptop theft is a real problem. If a laptop is stolen and the data is not encrypted, your organization could be in for a disastrous fallout.
- Perform regular vulnerability assessments to identify potential threats/backdoors. It is important to stay up to date on the latest patches available from your security and OS manufacturer for both stability and security purposes.
- Change the way in which you handle data. Don’t collect information from a user beyond what is necessary, keep the number of places that you store the data to a minimum, and thoroughly purge the data when you no longer have a need for it.
Data breaches are an evil, and we, as players in the security and IT industry, must take a leading role in educating others on how to prevent them and, when they occur, how to respond effectively and minimize potential losses. As more and more data is stored online, the threat of large attacks increases. 2016 can be (and should be) the year that bucks the trend of increasing cyber attacks. It’s an uphill climb, but that is never an excuse for not taking action.