The aftershocks of a data breach can be catastrophic to a business, whether it’s the loss of sensitive information such as customer records, or the business’ intellectual property finding its way into the wrong hands. What is certain is that it will have a detrimental impact on the bottom line in one way or another.
The actual cost is often difficult to quantify, especially when it comes to intellectual property, as it is hard to know how the information has been used and what the opportunity and potential may have been. However, there are occasions when the cost is all too transparent.
This was demonstrated last December, when, during the important Christmas shopping period, Target reported a data breach that had compromised the details of up to 110 million customers. Last week, Target announced its Q4 figures, which all too clearly told the story of the devastating aftermath of this data breach – just about every key metric was down on the same period last year – and its profits and share price had fallen significantly. Already, $61m can be attributed directly to the cost of the breach, and analysts are speculating that it could cost as much as $1bn in the end, once items such as notifying those affected, credit checks, insurance and so on are factored in.
The recent Barclays Bank customer records leak also highlights the financial consequences, as the bank faces penalties from the Financial Conduct Authority (FCA), which can impose unlimited fines, and the Information Commissioner’s Office (ICO), which can impose fines of up to £500,000. For many businesses the financial impact may not be on the same scale, but still, when economic conditions are challenging to start with, what business can afford to throw money away on a data breach that could have been avoided if a data loss prevention strategy had been in place?
There have been two data breaches of note in the news in the last week or so that show the diverse nature of the causes of leaks, and the risks they pose to businesses and their customers. The perception is that data breaches are targeted malicious attacks by criminal gangs, but this isn’t necessarily the case.
First to hit the headlines was Tesco’s Clubcard data leak. This wasn’t a targeted attack on Tesco’s website itself, but an opportunistic attack using the usernames and passwords of at least 2,000 Tesco customers obtained from other hacked sources. Customer details, along with the corresponding voucher value, appeared online, and unsurprisingly, many of the vouchers have been redeemed by the criminals.
The cause of this breach is customers using the same username and password for multiple accounts – Tesco has responded quickly to educate and help customers address this issue – but it highlights that prevention of data leaks is more than simply technology. End-user education and best practice are imperative, and this incident goes to show that this access point onto a network is a weak link if not managed well.
Second is the Aviva insurance data breach, which has resulted in the arrest of two employees. It is alleged that these members of staff were selling customer details to third parties, resulting in nuisance calls from personal injury companies. So again, not a malicious attack by a criminal gang, but the result of an internal threat.
This incident reinforces one of the key questions an organisation must ask itself: ‘how sure is the business that it can detect and respond to someone taking sensitive data from its network?’
The end result in both these cases is that customers have been inconvenienced and may feel a betrayal of trust, which, despite swift remedial action, could impact the bottom line.
Earlier I noticed this tweet on my Twitter feed:
Ubertooth release: https://t.co/cCYHNf34Yc I know it’s been a long time coming, I promise not to leave it so long next time.
— Dominic Spill (@dominicgs) February 20, 2014
So I thought I would walk you through the update, which brings improved operating system support, improved Bluetooth Low Energy (BTLE) support, and GitHub integration to make community development easier….
For years, patients’ hospital data has been available to researchers so that they can understand how well hospitals are performing. This data has also led to some of the most important medical discoveries when it comes to disease management and control.
The NHS’s proposed plan to add anonymised GP records to the database in order to add further value has caused much controversy: so much so that the project has been pushed back to the autumn of this year. http://www.bbc.co.uk/news/health-26239532
The key factor in the delay of this project seems to have been a lack of communication with the public, with many commentators concerned about how the data might be used and the risk of individuals being identifiable from the records: http://www.bbc.co.uk/news/health-26239532
This highlights the need to secure data of this type against breaches and misuse by any party. Obviously, securing the records of tens of millions of patients is a huge challenge – but protecting that data must be the main concern and priority for this project. While the benefits of such a project seem very compelling, in terms of the possible breakthroughs in medicine and treatments, the public needs to feel safe in the knowledge that their records won’t fall victim to a data breach, no matter how anonymised the data is.
The recent media coverage of the Barclays data breach (http://www.computerweekly.com/news/2240214060/Barclays-under-scrutiny-after-leak-of-27000-customer-records) shows that even older customer data from defunct businesses and subsidiaries can have real value should it fall into the wrong hands.
For a well-known brand, a data leak like this is hard to stomach, particularly if its customers have suffered financially. But the bigger consequence is one of trust and reputation which we all know takes a lifetime to build and only a second to lose.
This instance involved a deliberate theft of customer records for criminal purposes, which only came to light because of a whistleblower. And while many data breaches don’t have such catastrophic consequences, how many companies can answer the question ‘how sure are we that we can detect and respond to someone taking sensitive data off the network?’ Probably not that many at all.
Even if the answer is yes, it probably wouldn’t have helped in this case, as the data belonged to a company that is no longer trading and so would not necessarily have been stored on the network.
The whole lifecycle of data must be considered, from when it is created to when it is disposed of, and everything in between. That includes when devices such as laptops and USB sticks come to the end of their useful lives, and when staff move to different roles or subsidiaries, or exit the business, as these are all too often the cause of data breaches.
The only way to protect business critical, private or sensitive data is to have policies in place that are rigorously followed by staff, and control who has access to the data in the first place.