[BreachExchange] Lessons Learned from 2019’s Biggest Data Breaches
Destry Winant
destry at riskbasedsecurity.com
Thu Mar 5 10:15:19 EST 2020
https://securityboulevard.com/2020/03/lessons-learned-from-2019s-biggest-data-breaches/
With more than 5,000 data breaches and over 7 billion records exposed,
2019 was the worst year on record for breach activity. According to
research from Risk Based Security, the number of data breaches within
just the first nine months of 2019 increased 33% over the previous
year. Retailers, medical providers and public entities experienced the
most data breaches due to misconfigured databases, unsecured endpoints
and the accidental exposure of sensitive data on the internet.
Let’s take a look at some of the biggest data breaches of 2019.
Facebook Failed to Secure Accounts
In March, an internal investigation at Facebook found that hundreds of
millions of account passwords were being stored in plain text.
Unfortunately, this wasn’t the only security lapse for the social
network. Just one month later, Facebook data containing more than 540
million records was exposed online in a public database. The data,
which included personal details such as names and Facebook IDs, was an
easy target for cybercriminals as it resided on Amazon cloud servers
without any protection.
Capital One Data Stolen by Hacker
In July, Capital One fell victim to a data breach that exposed data
from more than 100 million U.S. citizens and 6 million Canadian
residents. About 140,000 U.S. Social Security numbers, 1 million
Canadian social insurance numbers and 80,000 bank account numbers were
stolen by a hacker. This will reportedly cost Capital One $100 million
to $150 million as it continues to investigate the data breach.
First American Financial Corporation Under Fire
First American Financial Corp. was under fire for exposing 885 million
customer records that included bank account information, Social
Security numbers, images of drivers’ licenses and mortgage records.
The real estate title insurance company was storing sensitive
documents from 2003 to 2019 on a website that could be easily accessed
by anyone who had the correct URL. While the impact of the exposure is
still being investigated, recent scams regarding escrow fraud could be
related to this breach.
American Medical Collection Association Forced to File Bankruptcy
Approximately 20 million patients had their data exposed when medical
bill collector American Medical Collection Association (AMCA) was
hacked. Multiple class action lawsuits were filed against AMCA and its
contracting clients over the breach of patients’ payment data, Social
Security numbers, medical information, birth dates, phone numbers and
addresses. Ironically, the debt collector was forced to file for
bankruptcy protection in the aftermath of the disastrous data breach.
Protect Networks with Data Encryption, 2FA and Credential Management
According to Juniper Research, the cost of data breaches will rise to
more than $5 trillion in 2024 from $3 trillion each year, an average
annual growth of 11%. This will be driven primarily by increasing
fines and penalties as regulations tighten.
As cybercriminals show no signs of slowing down in 2020, organizations
must do their part to protect confidential information and customer
privacy by implementing proper security measures. Encryption
technology, commonly used by enterprise virtual private networking
(VPN) software, is the only reliable way to protect sensitive data
such as credit card details, home addresses and Social Security
numbers. Since encrypted data is encoded, it can be accessed only with
the correct key, usually using symmetric or public key encryption.
Data treated this way is impossible to decipher, effectively rendering
it unintelligible to cybercriminals.
Two-factor authentication (2FA) is another reliable way to reduce the
risk of data breaches. Two‐factor authentication makes use of at least
two types of authenticating data from three different attributes:
something you know, such as a password, PIN or certificate; something
you have, such as a token, phone or smart card; or something you are,
such as a fingerprint, face recognition or iris scan.
Credential management also offers an added layer of security as it
allows organizations to issue, track, update and revoke user
credentials as business processes and policies evolve. With a
centrally managed VPN, organizations can securely and efficiently
manage their remote access VPN network from a single point of
administration as the number of users and/or endpoint devices changes.
Overall, we can learn valuable lessons from the security lapses that
left networks and servers vulnerable in 2019. Communications and
sensitive data must be encrypted while in transit and at rest;
two-factor authentication should be enforced to protect company
networks; and credential management is crucial to prevent unauthorized
access. With a VPN in place, customers’ personal information can be
stored securely within internal databases and cloud applications.
More information about the BreachExchange
mailing list