Unfortunately, data breaches are a near-daily occurrence, and while our intention is not to “name and shame”, each incident is a learning opportunity: other organizations can take what went wrong and apply the lesson in their own businesses so that they don't become the next victim. This week we have picked out three cases that we want to take a closer look at.
First up is the huge data leak that saw the personal information, including mobile phone numbers, of over 46 million Malaysian customers dumped on the dark web. The leak is thought to have occurred through various telecoms and public sector websites in Malaysia, and the massive databases were discovered on the dark web, with sellers said to be flogging the records for Bitcoin. Shockingly, the population of the entire country is thought to have been affected.
While exactly how this could have happened is still being investigated, it’s a safe bet to assume that wherever the information on Malaysian citizens and customers of the affected operators was stored, it wasn’t adequately protected. Encryption or tokenization of the stored data is the most effective way to ensure it remains anonymous even if hackers gain access to it.
The second story of the week involves the hotel chain Hilton, which some people might remember suffered not one but two data breach incidents in 2015 due to malware that stole credit card information. However, these incidents weren’t the worst part of the story, because Hilton waited nine whole months after the second breach was discovered to actually disclose the mishap to affected customers. The hotel giant made the news again this week as details of the settlement hit the press: Hilton was ordered to pay a fine of $700,000, split between New York and Vermont where the offenses occurred. Significantly, the time taken to inform customers played just as important a part in the ruling as the failure to reasonably protect customer data.
Hilton should count itself lucky that the incidents did not take place on this side of the pond after May next year, as the fine it received is paltry compared with the 20 million Euros it could potentially cost under the EU General Data Protection Regulation, enforceable from May 25, 2018. If, like Hilton, you are worried about your own preparedness for GDPR, check out our handy guide.
And finally, the last security story of the week takes us down under, where 50,000 Australian government staff records were affected by a breach which involved - you guessed it - another case of an Amazon S3 bucket misconfiguration by a third party. It was discovered by a Polish researcher who informed the appropriate parties so they could take remedial action. But it does make you think: if the good guys are out there looking for these things, the bad guys are doing it, too. These incidents are becoming a regular occurrence, and there is simply no need for them.
There are a number of options organizations can take to ensure the security of data in cloud services like Amazon. At the very least, companies need to lock down the default access settings on their Amazon S3 buckets so that stored data is not readable by anyone on the internet. To ensure total security, they should use an encryption gateway like the eperi Gateway to encrypt data before it goes to the cloud, so that it remains encrypted in use, in motion and when stored. Crucially, the encryption key should remain with the organization itself and not be stored within the very cloud service it’s meant to protect. It doesn’t sound like rocket science, but you’d be surprised how often this happens.
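As an added illustration of the "lock down your S3 bucket settings" advice above (example code written for this post, not eperi's product code and not anything taken from the Australian incident), the following Python script audits a bucket's ACL, bucket policy and public access block configuration, offline, for the three ways a bucket typically ends up world-readable. The bucket names, the account ID and the sample ACL/policy documents are constructed for the example; the grantee URIs and the four public access block flags are the real values AWS uses.

```python
import json

# Group grantees that make an ACL grant "public": anyone on the internet,
# or any AWS account holder (which in practice is also anyone).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four flags of an S3 public access block configuration; all should be on.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Return (group, permission) pairs for ACL grants to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return (Sid, actions, has_condition) for Allow statements granted to everyone.

    Statements with a Condition are still reported: a condition may narrow
    the grant (e.g. to a VPC endpoint), but that needs a human to confirm.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            actions = st.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            findings.append((st.get("Sid", f"statement-{i}"), actions, "Condition" in st))
    return findings


def public_access_block_gaps(config):
    """Return the public access block flags that are missing or switched off."""
    return [flag for flag in PAB_FLAGS if not config.get(flag, False)]


def audit_bucket(name, acl, policy_json, pab_config):
    """Combine the three checks into a list of human-readable findings (empty if clean)."""
    issues = []
    for group, permission in acl_public_grants(acl):
        issues.append(f"{name}: ACL grants {permission} to {group}")
    for sid, actions, conditioned in policy_public_statements(policy_json):
        note = " (has Condition, review it)" if conditioned else ""
        issues.append(f"{name}: policy statement {sid} allows {', '.join(actions)} to everyone{note}")
    for flag in public_access_block_gaps(pab_config):
        issues.append(f"{name}: public access block flag {flag} is off")
    return issues


# --- Constructed sample data (not real buckets, account or policies) ---
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"}
LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::staff-records-example/*"},
]})
LEAKY_PAB = {flag: False for flag in PAB_FLAGS}

HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-app-example"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::staff-records-example/*"},
]})
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for bucket, args in (("staff-records-example", (LEAKY_ACL, LEAKY_POLICY, LEAKY_PAB)),
                         ("staff-records-hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        findings = audit_bucket(bucket, *args)
        print(bucket, "->", "clean" if not findings else "")
        for line in findings:
            print("  ", line)
```

In practice the three input documents come from the S3 API (the ACL, bucket policy and public access block calls), and a finding in any one of them means anyone, not just a well-meaning researcher, can list or fetch the contents. The script flags conditioned wildcard statements rather than silently accepting them, because a condition is only as good as the reviewer who reads it.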