It seems as if the most recent data breaches – like those at the Office of Personnel Management (OPM) and insurance company Anthem – are tinged with the personal. That is, attackers are seeking sensitive personal information that they can use further down the line for heaven knows what.
It almost makes you long for the good old days when large breaches were almost exclusively in the domain of retailers like Target, Neiman Marcus and Home Depot.
Of late, though, breaches have branched out. Their widening circle is scooping up a greater variety of data, attackers are craftier and patient (like the shark in Jaws, they're willing to lie in wait until the time is right), and the breaches are more sophisticated…and inevitable.
In fact, a recent Gartner report says that “prevention is futile in 2020,” and Rep. Ted Lieu (D-Calif.) voices the often-repeated assertion that there are two types of companies – those which have been breached and those which don't know they've been breached.
Both could pay a hefty price. The Ponemon Institute put the average total cost of a data breach at $3.79 million – an increase of 23 percent over the past two years – and most organizations are paying a much higher toll in the longer term effects of lost intellectual property, namely reputations tarnished and inevitable lawsuits from angry customers, financial institutions and partners.
Tod Beardsley, principal security research manager. Rapid7
Fengmin Gong, co-founder and chief strategy officer, Cyphort
Ken Griffin, director of IT operations and services, Harvard Business Publishing
J. Trevor Hughes, president and CEO, International Association of Privacy Professionals
Jeffrey Ingalsbe, CISO, Flexible Plan Investments
John D. Johnson, global security architect, John Deere
Tim (TK) Keanini, CTO, Lancope Sarah Lahav, CEO, SysAid Technologies
Steve Martino, vice president and CISO, Cisco
Miller Newton, president and CEO, PKWare
Kymberlee Price, senior director of researcher operations, Bugcrowd
Richard Rushing, CISO, Motorola Mobility
Arieh Shalem, CISO, Orange
Yan Zhu, software engineer, Yahoo
When Chris Valasek, former director of vehicle security at IOActive, and former Twitter executive Charlie Miller, both now on Uber's security team, found a vulnerability in late 2013 to 2015 vehicles with a Uconnect feature, Chrysler Fiat was compelled to issue a voluntary recall of nearly 1.4 million Dodge, Chrysler and Jeep vehicles for a software update or risk attackers gaining access to cars whose IP addresses they could have uncovered. The carmaker, along with entertainment system provider Harman, now faces a class-action lawsuit.
Car companies. Banks. Government agencies. Insurance companies. Retailers. Casinos. Travel companies. Airlines. Attackers are hitting nearly everything these days. Truthfully, no one is immune. While some organizations stalwartly refuse, or just aren't able, to see themselves as “data companies,” all are engaged in the gathering and distribution of information. Or, as happened in the breach of Target, they offer entre into another company that is.
Even hyper-vigilant organizations with almost limitless IT resources can still get hit, says Larry Ponemon, chairman and founder at the Ponemon Institute, pointing to JPMorgan Chase, which had data from 76 million households and seven million small businesses exposed in a data breach last year. “They were not able to contain what some would argue was a fairly unsophisticated malware attack,” he says. Which doesn't bode well for those hit with more savvy attacks, often from unknown and unanticipated attackers.
Breaches are being planned and executed from all quarters – nation-states, hacktivists, bored teenagers, domestic criminals, corporate spies, nearly every group imaginable has thrown its hat into the data breach ring.
Alarmingly, PII of children is high ticket because of its longevity and children's relatively blank slates – they haven't established credit histories, they're not monitoring their credit profiles and the like. The consequences of that stolen data can follow them for life, which is what makes the recent hack of VTech that much scarier.
Attackers on Nov. 14 stole a database from the popular Hong Kong-based educational toymaker that contained the information of nearly five million people, including more than 200,000 children.
“In a worst case scenario, this means that the stolen data could be used to build profiles of children that include their name, age, parent's name, home address, and from chat logs, information that only a trusted adult would know, such as a child's favorite toy and the name of their siblings,” Christopher Budd, global threat communications manager at Trend Micro, writes in a December blog.
While Budd notes that there was “no indication that the worst case has happened” – since the attacker “claims they are holding the data securely and won't sell it” and no information has yet shown up on the black market – “that could always change.”