Posts from ‘Data Breach’
Good Morning! You’ve Been Breached!
In my many travels visiting customers and IT professionals around the world, I ask a simple question, “What do you do when you have to send a file to someone that’s just too big?” They ask me how big is big? I say too big for your email or even worse, something that is too big for the receiver’s email. These attachments are typically large powerpoint files, spreadsheets, uncompressed images, media files or even databases. With a sheepish grin people usually tell me they use one of the free email services, like GMail, MS Live or Yahoo. However, recently the answer has shifted. I’m now being inundated with business users and IT professionals professing their love for Cloud services such as DropBox.
In all fairness if you look at my iPad (peeling it from my cold dead hands) you will see my Dropbox app and PAID Dropbox account. So it’s unnerving for me to think about the four hours on Sunday when Dropbox left user accounts unlocked and you could access anyone of the 25 million users’ accounts and data… Including mine. Yep, just type in an email address and use any password you want and it’s all yours.
According to Dropbox there wasn’t any nefarious activity but if YOUR COMPANY’S information was on there – legitimately or illegitimately – you just had a data breach. So I was a breach victim… And if I had any Ipswitch IP on the servers, the breach is extended accordingly. To Dropbox’s credit, their business is all about collaboration and file syncing, not governed file transfer or managed data at rest. In the end, some of these types of Cloud services will eventually get enough of it right to secure their future. Some will last, many won’t.
Regardless, how are you going to handle your data breach this morning? I’m headed over to my bosses office to explain my brazen disregard for corporate data. He’ll probably buy me a new iPad2 that’s locked down (wishful thinking) and order IT to set up a more secure way for me to be mobile with my documents (more wishful thinking).
Ipswitch has been cautioning companies about the dangers of private/confidential information being sent through Google (and other hosted and person-to-person services), both from a security and a responsibility perspective.
Last week’s GMail hack further drives home the point that organizations must proactively manage and have visibility into what information is being shared with service providers and how information is being sent between people.
Don’t let your guard down and simply treat the cloud as just another internal resource…. They need to be properly managed and governed just like any other third-party.
Ipswitch’s Frank Kenney recently concluded a 4-part webcast series on integration. It’s not too late to watch a replay of it. In parts 3 and 4, Frank talks through the issue of relying on cloud providers and provides tips for managing and governing cloud and person-to-person interactions.
Google revealed yesterday a targeted phishing attack from China against hundreds of GMail users, including government officials and military personnel. The FBI, Department of Homeland Security, and the White House National Security Council are all participating in an investigation of the cyber attack.
My hope is that this breach will serve as the wake up call that public and private businesses need to start enforcing policies around personal email. 
According to an Ipswitch survey at the InfoSec Europe conference, employee use of personal email is still a major problem. Nearly 70% of respondents send classified information (including payroll and customer info) via standard email every month… And 40% admitted to sending confidential information through personal email accounts specifically to eliminate the trail of what was being sent to whom.
Have you provided your employees with a simple tool to send large and confidential files? Do you have visibility into what is being sent and to whom?? Do you have a documented AND enforced policy around using personal webmail accounts from work computers???
Employees have proven over and over that they will ‘do what they need to do’ in order to be productive. It’s critical that organizations provide simple, safe and auditable tools that enable employees to collaborate and share files. It’s equally important that they govern employee activities to mitigate data risk by increasing visibility, control, compliance and security.
“Google has asked for U.S. government support against censorship, but the government’s response has been to ask companies to take responsibility. If Google does have an ulterior motive, it’s likely to be to pressure the U.S. government to take a more active role in defending U.S. companies in markets like China that present obstacles to fair competition.
Google is urging Gmail users to review their account settings to make sure they’re secure, but Kenney suggested Google could do more to alert users when their accounts are accessed from an unfamiliar IP address or when their accounts have been configured to forward messages.”
Last week’s Sony data breach shattered TJX’s longstanding record for the largest customer data theft ever, a dubious honor that TJX has held since 2007.
The massive Sony breach leaves millions and millions of credit cards at risk. Details still aren’t clear yet, but the Sony breach *may* have included the theft of customer credit card information, as well as other personal information such as billing addresses, usernames/passwords, email addresses, birthdays, and transaction histories.
Did Sony take reasonable care to protect, encrypt, and secure the private and sensitive data of its users?
Did Sony take too long to notify customers that their personal information had been exposed?
Looks like these questions will be answered in a courtroom as the first lawsuit resulting from the Sony security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed.
The class action lawsuit seeks seeks a trial by jury and fitting monetary reimbursement…. And the case’s Overview cites “breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information” as cause enough, noting Sony’s “failure to maintain adequate computer data security of consumer personal data and financial data.”
For more information, take a look at the post on the Sony PlayStation blog. I’m sure we’ll be learning more as further breach details are disclosed and as court proceedings advance.
Many thanks to the Verizon RISK Team (along with the U.S. Secret Service and the Dutch High Tech Crime Unit) for publishing their 7th annual analysis of data breaches. Compromised data continues to plague organizations worldwide, and studies like the 2011 Data Breach Investigations Report can help us all avoid becoming a victim – both as individuals and also as corporate citizens.
Here are a few noteworthy data points:
Nearly 800 data breaches were reported in 2010, a sharp increase from the 900 breaches reported in the previous six years combined- 4 million records were compromised in 2010 which is significantly less than the 144 million compromised in 2009
- Many breaches involved sending data externally – Take this as a warning to pay more attention to information leaving your organization
- 89% of companies suffering credit card breaches were not PCI compliant at the time of the breach, indicating that organizations with rigorous compliance efforts are less likely to be breached
- Only 17% of breaches implicated insiders (down from 31% last year) and 29% had a physical component
A key takeaway is that while the quantity of data breaches quintupled in 2010, the number of compromised records actually dropped. This data is consistent with the growing belief that attackers are increasingly targeting smaller companies (which tend to have less focus and expertise on IT security) simply because they are easier to exploit.
As the Verizon team points out, in the world of cyber crime, knowledge is power. Not only do companies require visibility into the files and data that are being transferred around an in/out of their organization, but they also need the management and enforcement capabilities to control, govern, and protect the growing number of mission-critical and confidential files that are being accessed every day by internal and external systems, applications and people.
