(My) Top 5 Data Breaches of 2014… and what we can learn from them

July 28, 2014

I have to start out by saying that it was very difficult to choose only five of the data breaches announced in 2014 to highlight.  However, it is not so much about the details of each breach as about the lessons we can learn from them.  Below are my top five data breaches of 2014 so far, each of which offers a valuable data security lesson.

1. Coca Cola:  At the beginning of the year, Coca Cola announced that the personal information of 74,000 former and current employees, contractors and suppliers was exposed when over 50 laptops, most of them unencrypted, were sold over a five-year span by the employee who was supposed to be destroying the assets.

This case is my favorite because it demonstrates the need for a process.  It is no longer only about the physical act of destruction, but about the process of getting the asset to the shredder – who signs off, where the assets are located, where they are moving to, whether they have been wiped, etc.  Without a systematic process, companies have no way to assure themselves that every asset has successfully passed through every stage of that process.

When it comes to destruction of IT assets, without a process in place it is close to impossible to ensure that 100% of the assets that were meant to be destroyed are indeed destroyed.  Companies still rely on a Certificate of Destruction to show which assets were destroyed, but that does not show which assets weren’t destroyed; that is the gap you leave yourself exposed to if you don’t have a process.

Another lesson to be learned: Don’t let one person be in charge of destroying your company’s laptops… or else this could go on for 5 years!

2. Information Commissioner’s Office (ICO):  As is to be expected, the details of this case are vague and minimal, but the ICO quite recently announced that it had suffered a security incident.

This is irony at its finest – the organization you call to resolve a data protection complaint has suffered a data breach.  I had so many analogies for this, I couldn’t even pick one!  But sticking to the theme of the post, the lesson learned is that everyone is at risk, and a data breach can happen to anyone.  Companies need to constantly evaluate their current processes for gaps and implement processes wherever they feel they are susceptible to risk, so they can prevent a breach instead of reacting to one.  Companies can no longer afford to think they are invincible and then find themselves reacting.

3. eBay:  This year eBay announced unauthorized access to its corporate network, and even though the hacked database did not contain financial information, the majority of eBay users were encouraged to change their passwords.

The eBay breach demonstrates how drastically a data breach impacts a company’s customer base.  This is similar to the Target breach in that customers are uneasy and hesitant to restore trust in a retailer after a widespread data breach, and revenue is directly affected as a result.  Unlike Target, eBay is an online retailer and lacks any face-to-face interaction with its customers; therefore, it has to think of other ways to hold onto current customers and not let the breach deter new ones.

4. Variable Annuity Life Insurance Company:  A former financial adviser at the company was found in possession of a thumb drive containing details on well over 700,000 of the company’s customers.

I could easily have used this as an example of the need to implement secure and proper procedures for protecting data from employees who are leaving a company; however, I decided to use it to demonstrate that no IT asset is too small to need accurate tracking.  If it contains value or data (usually it will contain both!), it should follow a process throughout its entire lifecycle to ensure sensitive data does not get into the wrong hands.  IT assets may take different routes depending on the asset class, so it is important to implement standardized processes for all of them, taking the guesswork out of how to manage each one properly.
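The Coca Cola lesson (a Certificate of Destruction shows what was destroyed, not what wasn’t, and one person should never own the whole chain) and the lifecycle point above both come down to the same check: reconciling your own manifest against the vendor’s certificate. The script below is an added illustration, not code from this post or from any B&L product; the stage names, asset tags and signers are constructed sample data.

```python
from dataclasses import dataclass, field

# Chain-of-custody stages every retired asset must pass, in order
# (stage names are assumptions for this example, not anyone's product).
STAGES = ("collected", "wiped", "handed_to_vendor", "destroyed")

@dataclass
class Asset:
    tag: str
    kind: str                                    # laptop, thumb drive, ...
    custody: list = field(default_factory=list)  # (stage, signer) sign-offs

    def last_stage(self):
        return self.custody[-1][0] if self.custody else "not collected"

def sign_off(asset, stage, signer):
    """Record one sign-off, refusing any stage that skips the required order."""
    done = len(asset.custody)
    expected = STAGES[done] if done < len(STAGES) else None
    if stage != expected:
        raise ValueError(f"{asset.tag}: expected {expected!r}, got {stage!r}")
    asset.custody.append((stage, signer))

def reconcile(manifest, certificate_tags):
    """The vendor's Certificate of Destruction (CoD) lists only what was
    destroyed; the gap is computed from our side: assets never certified and
    the stage they stalled at, tags certified that we never sent, and assets
    one person signed for end to end (no separation of duties)."""
    by_tag = {a.tag: a for a in manifest}
    certified = set(certificate_tags)
    return {
        "missing": {t: a.last_stage() for t, a in by_tag.items() if t not in certified},
        "unexpected": sorted(certified - set(by_tag)),
        "single_signer": sorted(
            t for t, a in by_tag.items()
            if len(a.custody) == len(STAGES) and len({s for _, s in a.custody}) == 1),
    }

# Constructed sample data: three assets and a CoD that omits one of them.
MANIFEST = [Asset("LT-001", "laptop"), Asset("LT-002", "laptop"),
            Asset("USB-007", "thumb drive")]
for stage in STAGES:
    sign_off(MANIFEST[0], stage, "vendor" if stage == "destroyed" else "alice")
    sign_off(MANIFEST[1], stage, "bob")        # bob signs every stage himself
sign_off(MANIFEST[2], "collected", "alice")    # thumb drive never went further
CERTIFICATE = ["LT-001", "LT-002", "HD-999"]   # HD-999: certified but never sent

if __name__ == "__main__":
    print(reconcile(MANIFEST, CERTIFICATE))
```

The thumb drive shows up as stalled at "collected" even though the certificate itself looks clean, which is exactly the gap a certificate alone cannot reveal.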

5. Park Hill School District: Last but certainly not least, a school district comprising eight cities and towns in Missouri exposed the personal information of more than 10,000 students and employees.  A former employee took a hard drive home and, when he connected it there, the files ended up on the internet.

You could insert any small business in this number five spot, because the takeaway is that just as there is no asset too small, there is no company too small to experience the ramifications of a data breach.  Some of the largest and most prestigious companies are all over the media for their breaches, but smaller organizations, even as small as a school district or a five-person chiropractor’s office, can experience a breach.  When it comes to personal information and the impact a customer feels when they find out their information has been exposed, it does not matter who the company is or how big it is.  Every company needs secure and effective processes.

Data breaches are impacting customers in a whole new way.  My advice is that companies learn from the mistakes made by others and evaluate their current processes to see where they are leaving themselves susceptible to risk.  Check out B&L Associates’ products for safeguarding offline media and assets to see how and where we can help you prevent a breach!