Ekaterina Khrustaleva, COO of ImmuniWeb, reveals the risks and consequences companies need to be aware of when it comes to data breaches and stolen credentials.
Data is a very important asset to any organization and enterprise. Every day, thousands of companies around the globe collect large amounts of data (including sensitive information) on their customers, transactions, and daily operations, and many companies admit that data is one of their most valuable assets. However, even high-profile enterprises don’t always put data security first, thus introducing a risk of data loss.
In one recent incident, an anonymous user put up for sale on a hacker forum a database allegedly containing personally identifiable information (PII) on one billion Chinese citizens, at the price of 10 Bitcoin, making it the largest known data breach in China to date.
The investigation into the matter revealed that the database belonged to the Shanghai police and was hosted on Alibaba’s cloud platform. Moreover, the data was stored using an outdated technology that lacked basic security features (namely, the dashboard had no option to set a password), making it available to anyone who knew where to look.
After the news broke, Chinese authorities stressed the need to bolster information security “to improve security management provisions, raise protection abilities, protect personal information, privacy and commercial confidentiality in accordance with the law.”
The 2021 T-Mobile data breach is another example of a huge leak of personal data. Hackers gained access to the US telecom giant’s systems and stole data related to over 100 million customers from T-Mobile’s servers. The stolen database, which included personal information such as social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver’s license information, was then offered for sale on a dark web site.
Recently, the company announced it will pay $350 million to customers affected by the breach, plus $150 million “for data security and related technology in 2022 and 2023.” The settlement would be one of the largest data breach penalties imposed in the United States, after the US credit reporting company Equifax’s $575 million (at least) settlement over its 2017 data breach.
In the last few years, the number of data breaches has significantly increased. For businesses, the impact of a data breach can be extremely serious, including the financial losses associated with a security incident, damage to a company’s reputation and customer base, as well as regulatory penalties for data breaches, such as those under the General Data Protection Regulation (GDPR).
According to a recent report, since January 2021, data protection supervisory authorities across Europe have issued a total of almost €1.1 billion in fines, with Luxembourg and Ireland, both having had record-breaking fines imposed, replacing Italy and Germany in the top two positions. This is nearly a sevenfold increase from the 2020 total.
The highest GDPR penalty to date is the €746 million fine imposed by the Luxembourg National Commission for Data Protection (CNDP) on a US online retailer, the biggest fine so far for non-compliance with the GDPR. This is more than 14 times higher than the previous largest GDPR fine (€50 million), imposed by France’s CNIL on Google.
The most advanced intrusions are rarely detected, and many large companies are not even aware that they were breached. Professional Black Hats have absolutely no interest in their victim becoming aware of the breach, and do their best to stay invisible by thoroughly planning every operation and deploying various smoke-screens to distract the attention of security teams.
Large companies in particular face a major challenge in detecting intrusions, as cybercriminals usually target their branch offices, partners, suppliers, or even shareholders, which do not have the same high level of defense but have access to the same data.
It’s no secret that data breaches can be devastating for businesses, costing them millions of dollars in damages. According to estimates, the average cost of a data breach is $4.24 million, only slightly lower than the average cost of a ransomware incident ($4.62 million).
As for the root causes of data breaches, researchers have found that web applications are the source of nearly 50% of data breaches, either through SQL injection (SQLi) or some other vulnerability such as Remote Code Execution (RCE) or simple information disclosure.
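To make the SQLi root cause concrete, here is an added example (not ImmuniWeb’s code) in Python with the standard sqlite3 module: a lookup that pastes user input into the statement text beside the parameterized form that keeps input as data. The customer table and its values are constructed for the example; the helper name input_reaches_parser is an assumption.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory sample table (fake values) standing in for a PII store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, ssn) VALUES (?, ?)",
        [("alice@example.com", "000-00-0001"), ("o'brien@example.com", "000-00-0002")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # Root cause of SQLi: the value is spliced into the statement text, so whatever
    # the caller supplies is handed to the SQL parser as code rather than as data.
    sql = f"SELECT email, ssn FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # Hardened form: the statement text is fixed and the value is bound separately,
    # so quotes or keywords in the input cannot change the query structure.
    return conn.execute(
        "SELECT email, ssn FROM customers WHERE email = ?", (email,)
    ).fetchall()


def input_reaches_parser(conn: sqlite3.Connection, email: str) -> bool:
    # Review/test aid (assumed helper): a legitimate value containing a quote must not
    # break the query. If it raises a syntax error, input is being interpreted as SQL.
    try:
        lookup_unsafe(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("unsafe query breaks on a quoted email:", input_reaches_parser(db, "o'brien@example.com"))
    print("parameterized lookup:", lookup_parameterized(db, "o'brien@example.com"))
```

The same quote that makes the unsafe query fail is exactly what lets crafted input rewrite it; the parameterized version returns the matching row without ever exposing the statement to the input.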
Another study found that nearly half (46%) of all on-premises databases globally contain security vulnerabilities, with France (84%), Australia (65%) and Singapore (64%) showing the highest incidence of insecure databases. A five-year longitudinal study comprising nearly 27,000 scanned databases revealed that the average database contains 26 existing vulnerabilities, with 56% of issues ranked as “High” or “Critical” severity.
The bottom line? The best defense is prevention. By staying up to date on security best practices and compliance regulations, organizations can minimize the risk of data breaches.
There are also a number of cybersecurity measures companies should implement to protect their data from potential attacks: separating their database servers from everything else; using firewalls, anti-virus, intrusion prevention, and anti-spyware software; training employees on cybersecurity best practices; adopting a data-centric approach, which involves tight control over who can read specific files and data sets; and deploying Data Loss Prevention (DLP) solutions.