Three sides of the same breach conundrum

Breaches have different outcomes, varying dynamics, but only one path to redemption
Written by John Fontana, Contributor

The Identity Theft Resource Center recorded 430 data breaches in the first five months of this year. In the past week, North Carolina State University, the FDIC and Amazon also fell into the breach bucket.

While the stories were the same - stolen usernames, passwords and other personal records - the outcomes and reactions highlight three ways that companies and organizations often respond to breaches, with only one the quickest path to redemption.

At North Carolina State, it was discovered that an email account was hacked and a file was stolen that contained the personal data of 38,000 students. The university's report used familiar PR lingo, blaming a "sophisticated phishing scam" and promised free credit monitoring services for one year.

Are there really any sophisticated phishing scams? Verizon's latest Data Breach Investigations Report said 30% of people who were sent test phishing emails opened them, and 13% clicked on the links contained in the emails.

So the university was caught in a numbers game, not a sophisticated attack. And as far as credit monitoring goes, courts are already ruling that such an offer is evidence that harm was caused to victims, a fact that could hurt organizations in later legal battles.

There is some yet-to-be-explained reason why a file with 38,000 records was sitting in an email folder, but we haven't arrived there yet. That explanation may be a public shaming, but is certain to trigger improved campus network security, and an effort to restore faith that the university can protect the data it collects.

In the Amazon case, the question is what really happened, or didn't. The confusion here isn't comforting to end users, and Amazon is advising changes to usernames and passwords, which is prudent. But breaches are reputation hits, and Amazon is right to take a defensive position against a hacker threatening a scarlet letter.

Even after the hacker's resulting data dump, experts were split on the legitimacy of the data. But Amazon still finds itself guilty until proven innocent, because it is defending itself at a time of unprecedented breach activity, when companies are underreporting or concealing breach data.

Symantec's 2016 Internet Security Threat Report noted that breached companies aren't always reporting accurately. "The increasing number of companies choosing to hold back critical details after a breach is a disturbing trend," Kevin Haley, director of Symantec Security Response, said in a release accompanying the report's findings. Will Amazon fit this trend?

In the case of the Federal Deposit Insurance Corporation (FDIC), which is in business to preserve public confidence in the U.S. financial system, a series of seven data breaches had the agency in disclosure mode.

The breach involved 160,000 individual financial records from FDIC loan applications that were allegedly downloaded, unknowingly, by departing employees who were transferring their personal data to USB devices. In one case, a departing employee downloaded 49,000 records.

The FDIC discovered the breach when the organization's security system detected anomalies in data movement and shut things down, earning the FDIC praise for its preparation, but also a crooked eye for letting employees download data to USB devices. Luckily, the information was recovered and hackers never found the holes at the FDIC.
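The detection the FDIC is credited with above, spotting an anomaly in data movement to removable media, is simple to illustrate. The following is an added example written for this page, not the FDIC's system or any product it uses: it parses a constructed endpoint audit log (the comma-separated format, field names and the `ratio`/`absolute` thresholds are assumptions) and flags any user whose daily copy volume to USB jumps far above that user's own baseline, which is the pattern the 49,000-record download would have produced.

```python
"""Added example: a small data-movement anomaly detector of the kind the
FDIC story describes (bulk copies to removable media).  Illustrative code
written for this page, not the FDIC's own tooling; the log format, field
names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed endpoint audit log (assumed format):
# timestamp,user,action,destination,records
# "alice" shows a small daily USB habit and then one very large copy on
# her last day; "bob" is a steady user whose big copy goes to a network
# share, not USB, so it is outside this detector's scope.
SAMPLE_LOG = """\
2016-05-02T09:14:00,alice,copy,usb,12
2016-05-03T10:02:00,alice,copy,usb,8
2016-05-04T11:30:00,alice,copy,usb,15
2016-05-05T16:45:00,alice,copy,usb,49000
2016-05-02T09:20:00,bob,copy,usb,20
2016-05-03T09:22:00,bob,copy,usb,18
2016-05-04T09:25:00,bob,copy,usb,22
2016-05-05T09:30:00,bob,copy,usb,25
2016-05-05T09:31:00,bob,copy,network_share,5000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    destination: str
    records: int


def parse_log(text):
    """Parse the constructed CSV-style log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, dest, records = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, action,
                            dest, int(records)))
    return events


def daily_totals(events, destination="usb"):
    """Records moved to `destination`, summed per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        if e.destination == destination:
            totals[(e.user, e.ts.date())] += e.records
    return totals


def find_anomalies(events, destination="usb", ratio=10.0, absolute=10000):
    """Flag a user's day when the records moved to `destination` exceed
    BOTH `ratio` times the median of that user's other days AND the
    `absolute` floor.  Requiring both avoids alerting on tiny baselines
    (3 records one day, 31 the next) while still catching a first-time
    bulk copy from a user with no history at all."""
    totals = daily_totals(events, destination)
    per_user = defaultdict(dict)
    for (user, day), n in totals.items():
        per_user[user][day] = n
    alerts = []
    for user, days in per_user.items():
        for day, n in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if n >= absolute and n > ratio * max(baseline, 1):
                alerts.append((user, day.isoformat(), n, baseline))
    return alerts


if __name__ == "__main__":
    for user, day, n, baseline in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT user={user} day={day} records={n} baseline={baseline}")
```

Run as written, the only alert is alice's 49,000-record copy on 2016-05-05 against a baseline of 12 records a day. A real deployment would act on such an alert the way the story describes, by blocking the transfer rather than just logging it, and would also want the per-user history to come from more than a few days so the median is meaningful.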

The FDIC is one of a handful of stories about companies escaping more serious consequences, legal or otherwise, based on their level of preparedness for a breach.

In August 2015, the FTC closed its investigation into the 2014 Morgan Stanley hack saying the company had responded quickly and had adequate internal security policies in place. On the flip side, a U.S. appellate court that same month ruled the FTC could sue Wyndham Hotels over computer system hacks. The company was accused of inadequately investing in computer security after it was discovered that 600,000 customer records were exposed in 2008 and 2009.

The court ruling validated the FTC's power to pursue legal remedies from companies it deems to have inadequately invested in computer security as judged by statements made in the company's privacy policies.

Three breach incidents in a short period of time, all with differing dynamics but only one with a defining message: keep your security systems relevant, because breaches are inevitable and lawsuits are avoidable.
