The Consequences of a Data Breach
Sequent Staff • January 11, 2020
A data breach has serious consequences whether a company is big or small. Staff get fired, executives issue apologies, and entire systems are overhauled to ensure that it doesn't happen again.
What exactly IS a Data Breach?
To make sure we are all singing from the same song sheet, let's first define what we mean by a data breach, also referred to in the industry as a data leak or data leakage. Put simply, it is any event or activity in which data that is, or should be, protected is accessed by or disclosed to unauthorized parties. A data breach should not be confused with data loss, which is where data can no longer be accessed because it was deleted, a disk failed or some other cause intervened.
When we talk about data in this context, we normally mean information about customers and employees: personally identifiable information (PII), health records, social security numbers, bank account records and payment card information. Corporate data counts too: intellectual property (IP), trade secrets, supply chain information, customer details, product designs and merger and acquisition information, to mention just a few examples.
Data breaches are not always intentional; a large share are caused by human error, whether through falling for a phishing attack or simply sending data to the wrong email recipient. Verizon's 2019 Data Breach Investigations Report found that 39% of all reported breaches were the work of organized criminal groups, and 23% were the work of nation states or state-affiliated actors.
In the age of the digital revolution, a week doesn't go by without a data breach making headline news somewhere in the world. Technology changes at a rapid rate, and as fast as security professionals implement measures to protect corporate IT infrastructure, those intent on attacking it find ways to circumvent them. It is safe to say that no company or institution is too large or too small to fall victim to a data breach; it is not a case of if a breach will occur but when. As long as your organization's data has replay or resale value, someone out there will be trying to access it and steal it.
The Long Cost of Breaches
The consequences of a data breach are often severe and can have a long tail spanning multiple years. Consider the four main areas of risk and impact:
Financial Risk: Companies that have the misfortune of experiencing a data breach face substantial financial losses. These losses take multiple forms: fines imposed by regulatory bodies, settlement payments to the data subjects, and the cost of mitigating further risk by fixing system or procedural vulnerabilities. According to IBM's 2019 report on the subject, the average cost of a data breach is US$3.92 million. Companies whose data is breached often see a drop in their valuation and underperform against the market index for at least three years after the event, as witnessed by the likes of Yahoo, Heartland Payments, Capital One, Vodafone, Marriott International and Health Net.
Legal & Regulatory: Whenever a breach involves any kind of personal information, companies are likely to face class action lawsuits, as British Airways experienced when SPG Law, the U.K. branch of U.S. law firm Sanders Phillips Grossman, launched a £500 million class action following the 2018 breach. In some cases, authorities can bar companies from performing certain operations, as happened to Heartland in January 2009, when it was deemed out of compliance with PCI DSS and prohibited from processing payments for the major credit card providers. The Heartland breach cost the firm a reported US$148 million in settlements, lawsuits and other remedial costs.
Reputation Risk: Damage to a company's brand and reputation is difficult to estimate, as there is no accepted formula for measuring a brand's reputation. But it is safe to say that the effects are often long lasting; to limit reputational damage, high-ranking executives are often fired or forced to resign. Consumers, investors, regulators, partners and employees hold companies accountable for their actions, and increasing importance is being placed on business ethics and corporate governance. A company's reputation, whilst intangible, is an asset nevertheless.
Operational Impact: Data breaches often disrupt normal operations, especially during the investigation. Moreover, some breaches involve the outright loss of important data, which is especially painful because recreating that data takes time.
So let's face it: the reason most data breaches occur is the potential for financial gain for those undertaking the illicit activity. We've all seen the Hollywood films where the stereotypical bank robber wears a ski mask and brandishes a sawn-off shotgun. But in this day and age it is far less risky to sit at your computer with a coffee or an energy drink and hack a bank, penetrate corporate systems or breach government infrastructure. So how is information getting out there?
Cyber-attacks: Cybercriminals and hackers use various techniques to obtain information that gives them a foothold in corporate IT systems, including social engineering, phishing, malware and skimming.
Theft or loss of devices: We all carry mobile devices, from laptops and smartphones to thumb drives and external hard drives. Whilst losing a device might be considered human error, these devices are also susceptible to theft. And when they are broken or at the end of their life, is the data wiped and the device disposed of correctly? More often than not, it is not. All of these devices hold large amounts of data, and if that data ends up in the wrong hands, we have a breach.
Employee data theft or data leak: Employees, especially those who are about to leave, may deliberately access protected information without authorization and with malicious intent.
Human error: Wherever there is a human touch, mistakes can and do happen. Verizon's research found that 38% of data breaches involve employee negligence or human error, such as sending sensitive data to the wrong email recipient or placing data on insecure servers.
What Data Are They Looking For?
Data only becomes a target when it has value to a third party. The growing number of data breaches we are witnessing only serves to highlight that traditional approaches to protecting sensitive data are no longer fit for purpose. The cybercriminals behind data breaches are constantly evolving their methods of finding and exploiting weaknesses, and that evolution has been dramatic over the past two decades. Unfortunately, industry hasn't kept pace, and until the data a cybercriminal can harvest through a breach has no replay or resale value, attacks will continue to make the headlines. Some data is more valuable than other data, and with that come different levels of risk to a business. The different types of data include the following:
Personally Identifiable Information (PII): This is information that, when used alone or with other relevant data, can identify an individual. PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.
IT Security Data: This includes lists of usernames, passwords, encryption keys, security strategies and network structures.
Financial Information: This includes debit and credit card numbers and expiry dates, and bank account details.
Health Information: This includes details on health conditions, prescription drugs, treatments and medical records.
In some jurisdictions, where IT security data, financial information or health information relates to an individual, it is also classified as Personally Identifiable Information, since it can be combined with other data to identify that individual.
Intellectual Property: This includes product specifications, scientific formulas, proprietary software, copyrights, trademarks, patents and trade secrets.
Competition Information: This includes data on competitors, market studies, pricing information and business plans.
Legal Information: This includes documentation on court cases the company may be pursuing, legal opinions on business practices, merger and acquisition details and regulatory rulings.
In some jurisdictions, competition information and legal information would also be classified as Intellectual Property, as both can constitute trade secrets.
Looking at these seven categories, each attracts the attention of third parties for whom the data has value. A company's competitors, through corporate or state espionage, could use this data to develop similar products and services, block plans for mergers and acquisitions and generally erode any competitive advantage. Personal, financial and health data can be sold for sales and marketing use or for outright fraud. IT Security Data is a target in its own right, as it is the key that unlocks the rest and lets unauthorised parties gain access in the first place.
Major Data Breach examples:
Data breaches can cause devastating financial losses and affect a company's reputation for years. From a loss of consumer trust and a resulting downturn in sales to regulatory fines and the cost of remediation, data breaches have far-reaching consequences. 2019 saw several sizeable fines issued, suggesting that regulators worldwide are serious about clamping down on companies that fail to protect their systems and the data within them.
What's the Solution?
When it comes to security, companies have invested heavily in protecting the perimeter of their technology infrastructure, but once that perimeter is breached there are few or no countermeasures protecting the data itself, whether at rest or in transit from one system to another.
Two methods have historically been used to protect data: encryption and permissioning. Encryption takes information and applies a mathematical algorithm to it, so that the result looks nothing like the original data. Reverse the maths with the corresponding decryption key and you get the original data back. Permissioning is access control: I will let you see the data if you can present specific credentials, typically a username and password. Tell me the magic word and I will tell you the secret. Both methods have been around for a long time.
Encryption can be broken, or more often bypassed: weak algorithms, flawed implementations and stolen keys all expose the original data. Permissioning is normally password based, and the simplest way to beat the human and extract the password is to ask them for it, hence the huge number of phishing attempts we see.
What is needed is a data-centric approach that gives companies tighter control over who and what can read and process a data set. A newer kid on the block now coming to the fore offers exactly this kind of control: tokenization. Tokenization is neither encryption nor permissioning, and that presents the bad guys with a whole new challenge.
As with encryption, in tokenization we have a secret, the data, and we want to replace it with something that has no meaning to the bad guys. The difference is that tokenization replaces the original information with a random value; there is no mathematical link between the secret and the value, so there is nothing to reverse.
That poses a challenge for the good guys too: how do you get from a truly random value back to the secret? The answer is a table that maps each secret to its random value. Operationally, that mapping table is locked away in a tightly controlled store, the token vault, and only the vault can turn a token back into the secret.
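The vault described above, as an added example that is not part of the original article or any vendor's product: a minimal Python tokenization service that issues random, format-preserving tokens, keeps the mapping table in the vault, and applies a role check before it will hand a secret back. The sample card number, the single-process in-memory store and the `payment-processor` role are all constructed assumptions for the demo; a real vault is a separately hosted, audited service with persistent, encrypted storage.

```python
"""Minimal tokenization vault (added example; not the article's or any vendor's code).

Assumptions, labelled as such: an in-memory vault, a constructed sample card
number, and a simple role check on detokenization.
"""
import secrets
import string
from typing import Dict, Optional

# Constructed sample input for the demo, not a real card number.
SAMPLE_PAN = "4111111111111111"

# Roles permitted to turn a token back into the secret (assumed policy).
DETOKENIZE_ROLES = {"payment-processor"}


class TokenVault:
    """Maps secrets to random tokens and back. The mapping table is the only
    link between the two; leaking the tokens alone reveals nothing."""

    def __init__(self) -> None:
        self._token_to_secret: Dict[str, str] = {}
        self._secret_to_token: Dict[str, str] = {}

    def tokenize(self, secret: str) -> str:
        """Return a random token for `secret`, generating one on first use.

        The token is format-preserving: same length, digits only, and the last
        four digits are kept so a receipt can still show "**** 1111". Only the
        leading digits are random, so the token deliberately reveals the last
        four (an assumed, common policy; drop it if that is unacceptable).
        """
        if secret in self._secret_to_token:
            # Same secret -> same token, so downstream systems can still join on it.
            return self._secret_to_token[secret]
        while True:
            head = "".join(secrets.choice(string.digits) for _ in range(len(secret) - 4))
            token = head + secret[-4:]
            # Retry on the (astronomically unlikely) collision or identity case.
            if token not in self._token_to_secret and token != secret:
                break
        self._token_to_secret[token] = secret
        self._secret_to_token[secret] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Look the secret up; permissioning still applies at the vault boundary."""
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        if token not in self._token_to_secret:
            raise KeyError("unknown token")
        return self._token_to_secret[token]


def recover_without_vault(token: str) -> Optional[str]:
    """What an attacker holding only the downstream database can do with a token.
    There is no key and no algorithm to invert, so the answer is: nothing."""
    return None


def demo() -> dict:
    """Run the round trip and return the observable results for inspection."""
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    return {
        "token": token,
        "same_token_on_reuse": vault.tokenize(SAMPLE_PAN) == token,
        "secret_from_vault": vault.detokenize(token, "payment-processor"),
        "secret_without_vault": recover_without_vault(token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the vault itself is still protected by permissioning (and, in practice, by encryption at rest), so tokenization concentrates the problem rather than eliminating it: the vault becomes the crown jewels and must be isolated from the systems that hold tokens, audited, and rate-limited so that a compromised downstream application cannot bulk-detokenize.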