With ever increasing data security breaches, you may wonder if it is possible for your data to be safe if it is online. We know it is next to impossible to keep it from being there. How are we supposed to react to a data breach like the one Equifax recently reported?
We were not even given a chance to react during the months it took Equifax to report it. The single largest harvest of Social Security numbers ever potentially included data on over 143 million people in the United States. The odds that your data is included in that group are better than your odds of escaping it. Not only is the size of the data a record, but the quality of the data obtained is unsurpassed by any other breach.
Just in case you are wondering if your personal data may have escaped being hacked and sold to criminals, here are a few of the data breaches that may have swept it up:
Data Security Breaches — 2009 – 2016
- Heartland – 130 million credit cards.
- Citibank – 360,000 credit card holders.
- Tricare – Personal data of 5 million Tricare military beneficiaries.
- Global Payments, Inc. – 1.5 million credit and debit card accounts.
- Target – 40 million credit and debit card accounts, as well as data on 70 million customers.
- Sony Pictures Entertainment – Personal information of about 3,000 current and former employees.
- JP Morgan Chase – Sensitive financial and personal information of 76 million households and 7 million small businesses.
- Home Depot – 56 million credit card accounts and 53 million email addresses.
- eBay – 45 million customer accounts, including personal information.
- Anthem – 80 million patient and employee records, potentially exposing names, dates of birth, Social Security numbers, email addresses, employment information and income data.
- Ashley Madison – 33 million user accounts, including email addresses, first and last names and phone numbers.
Data Security Breaches In 2017
E‑Sports Entertainment Association, Xbox 360 ISO and PSP ISO, InterContinental Hotels Group, Arby’s, River City Media, Verifone, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care, America’s JobLink, FAFSA: IRS Data Retrieval Tool, Chipotle, Sabre Hospitality Solutions, Gmail, Bronx Lebanon Hospital Center, Brooks Brothers, DocuSign, OneLogin, Kmart, University of Oklahoma, Washington State University, Deep Root Analytics, California Association of Realtors, Verizon, TalentPen and TigerSwan, Equifax
Tip of the iceberg
The lists above include the largest reported data security breaches. Though it is impossible to know, it is not hard to imagine how many companies large and small have had unreported breaches. Reported breaches from smaller companies are probably too numerous to mention here. The odds are your data is in the hands of people it should not be.
Do we need answers or accountability?
Do Social Security numbers have any value as a unique personal identifier anymore? Does secure identity management even exist anymore? Can we move to biometric identifiers like iris scans or fingerprints, or will data thieves be coming after our eyeballs and fingers?
The world cannot operate without credit, and it is not going back to a time before the Internet. But if this type of data breach continues to occur, our trust will be eroded to a point where it won’t matter if the Internet becomes more secure. Companies may never coax their online customers to come back.
Any developer will tell you that login and website security are the most complex problems they deal with. But no matter how diligently we search for security vulnerabilities in our code, developers represent only part of the problem. Webmasters, systems admins, and network admins also need to be diligent. Most importantly, companies have to insist that diligence is not sacrificed in their rush to roll out new projects and that it is their topmost concern in their daily IT operations.
We can do better
An alarming percentage of data security breaches could be prevented. Too many times, post mortems find that a fix was known well before the damage occurred. In a post on Equifax’s website, Cybersecurity Incident & Important Consumer Information, they said they have found the culprit in their massive breach:
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
Apache Struts is a framework for creating Java web applications, popular with banks, government agencies, and large Internet companies. The vulnerability was fixed in early March 2017. Equifax said they learned of the breach in May, yet we are just now finding out about it.
Sometimes, mistakes are just stupid. Equifax reportedly used the word “admin” as both the username and password for a web portal used by both employees and customers for submitting credit disputes. Exposure of poor security practices is obviously terrible PR and the bad news tends to multiply once they become public. Even Equifax’s hastily deployed WordPress security monitoring site appears to be hackable.
Software and hardware vulnerabilities are inevitable, and they are numerous. But systems can be put in place to monitor for vulnerabilities and raise alerts. There are government and private vulnerability databases, as well as alerting systems:
- US-CERT – United States Computer Emergency Readiness Team
- Computer Security Resource Center – National Vulnerability Database
- Exploits Database by Offensive Security
- US-CERT Mailing List and Feeds
- Exploits Database Twitter Feed
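As an added example that is not part of the original post: the script below shows the kind of check such a feed makes possible, matching a deployed-software inventory against a CVE record so that a known fix is not left unapplied. The CVE entry is a constructed sample in the shape of an NVD JSON 1.1 feed item, and its Apache Struts version ranges, the CVSS score and the inventory are assumptions for illustration.

```python
"""Match a deployed-software inventory against NVD-style CVE records (added example)."""
import json

# Constructed sample feed item modelled on the NVD JSON 1.1 layout. The version
# ranges and score are assumptions for this demo, not copied from the live feed.
SAMPLE_FEED = json.dumps({
    "CVE_Items": [{
        "cve": {"CVE_data_meta": {"ID": "CVE-2017-5638"}},
        "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 10.0}}},
        "configurations": {"nodes": [{"cpe_match": [
            {"cpe23Uri": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.3.5", "versionEndIncluding": "2.3.31"},
            {"cpe23Uri": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.5", "versionEndIncluding": "2.5.10"},
        ]}]},
    }]
})

# Constructed inventory: (host, vendor, product, deployed version)
INVENTORY = [
    ("dispute-portal", "apache", "struts", "2.3.30"),
    ("api-gateway", "apache", "struts", "2.5.10.1"),
    ("intranet", "apache", "struts", "2.5.7"),
]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric parts become -1 instead of crashing."""
    return tuple(int(p) if p.isdigit() else -1 for p in text.split("."))


def in_range(version, match):
    """True if version lies inside the inclusive range of an NVD cpe_match entry."""
    v = parse_version(version)
    lo, hi = match.get("versionStartIncluding"), match.get("versionEndIncluding")
    if lo and v < parse_version(lo):
        return False
    return not (hi and v > parse_version(hi))


def affected_hosts(feed_json, inventory, min_score=7.0):
    """Return sorted (host, cve_id, score) for deployed versions inside an affected range."""
    hits = set()
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        score = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore", 0.0)
        if score < min_score:          # only alert on the severity threshold we care about
            continue
        for node in item["configurations"]["nodes"]:
            for m in node.get("cpe_match", []):
                vendor, product = m["cpe23Uri"].split(":")[3:5]
                for host, inv_vendor, inv_product, version in inventory:
                    if (inv_vendor, inv_product) == (vendor, product) and in_range(version, m):
                        hits.add((host, cve_id, score))
    return sorted(hits)


if __name__ == "__main__":
    for host, cve, score in affected_hosts(SAMPLE_FEED, INVENTORY):
        print(f"ALERT {host}: {cve} (CVSS {score})")
```

Pointing the same logic at a real feed download and a real inventory turns the "organizations need to know" problem from the text into a scheduled job that fails loudly.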
When software developers move on to different jobs they take institutional and technical knowledge with them, and they often leave behind poorly documented work. Fixing vulnerabilities can be a heavy lift if applications need to be reprogrammed and recompiled. Regular maintenance is essential to fix them as soon as possible. Other fixes are trivial, but organizations need to know about them.
Companies need to enforce better standards for programming, maintenance, and documentation. All organizations that keep personal data should have systems to make sure that vulnerabilities are monitored and software is regularly updated. There are no excuses.