Yes, it’s happened again. By the time you’re reading this, the recent Capital One data breach has probably already faded from the headlines. In a way, the “oh, it’s happened again” attitude is an indicator of how numb and jaded we in the information governance and data security industries have become. To recap, in March of this year, a hacker gained access to credit card applications for over 100 million U.S. and Canadian Capital One customers, giving her access to bank account numbers, social security numbers, Canadian social insurance numbers, as well as other personal information such as bank balances and credit scores.
This particular breach wasn’t instigated by some anonymous North Korean spy agency, as was the case with the 2014 Sony Pictures attack. In this instance, we have the actual name of the perpetrator – Paige Thompson, a former Amazon Web Services employee who was able to exploit a misconfigured firewall and then bragged about it on social media. This latest incursion follows similar thefts from Target, TJMaxx, Equifax, Citigroup, Staples, Ashley Madison, Anthem Blue Cross… the list goes on and on. It’s just another thing that happens. And although the breach occurred in March, it went undetected until July 19th. Think about it. It was four months before anyone even realized it had happened, and even that was largely because Thompson had exposed herself online. As more details have become available and an indictment has come down, it has emerged that Capital One may not have been the only Amazon Web Services customer targeted.
Part of the indictment reads:
“It was part of the scheme and artifice that Paige A. Thompson used, and created, scanners that allowed her to scan the publicly facing portion of servers rented or contracted from the cloud computing company, and to identify servers for which web applications firewall misconfigurations permitted commands sent from outside the servers to reach and be executed by the servers.”
Not surprisingly, attacks on financial services – and credit card data in particular – are most common, although any form of personal information theft is equally egregious. The sheer number of individuals directly or potentially threatened by these data breaches – attacks on large and prestigious institutions with millions of customers each – makes it hard to comprehend how each of us (or at least someone we know) hasn’t been adversely touched by these crimes.
On a personal level, we all understand the importance of monitoring our financial transactions for unusual activity and checking credit reports on a timely basis. That’s sensible and requires a minimum of effort. Unfortunately, monitoring and documenting only helps after a breach has occurred. Of greater consequence, though, is what we, as information technology professionals, can do to protect our employers and customers.
Here are some great tips, courtesy of The Hartford Steam Boiler Inspection and Insurance Company:
- Keep Only What You Need. Inventory the type and quantity of information in your files and on your computers. Reduce the volume of information you collect and retain only what is necessary. Don’t collect or keep information you don’t absolutely need. Minimize the number of places you store personal private data. Know what you keep and where you keep it.
- Safeguard Data. Lock physical records containing private information in a secure location. Restrict access to that information to only those employees who must have access. Conduct employee background checks. Never give temporary workers or vendors access to personal information on employees or customers.
- Destroy Before Disposal. Cross-cut shred paper files before disposing of private information. Also destroy CDs, DVDs and other portable media. Deleting files or reformatting hard drives does not erase data. Instead, use software designed to permanently wipe the hard drive, or physically destroy the drive itself. Also, be mindful of photocopy machines, as many of these scan a document before copying. Change the settings to clear data after each use.
- Update Procedures. Do not use Social Security numbers as employee ID or client account numbers. If you do so, develop another ID system immediately.
- Educate/Train Employees. Establish a written policy about privacy and data security and communicate it to all employees. Require employees to put away files, log off their computers and lock their offices/filing cabinets at the end of the day. Educate employees about what types of information are sensitive or confidential and what their responsibilities are to protect that data.
- Control Computer Usage. Restrict employee usage of computers to business use. Don’t permit employees to use file sharing peer-to-peer websites or software applications, block access to inappropriate websites and prohibit use of unapproved software on company computers.
- Secure All Computers. Implement password protection and ‘time-out’ functions (requires re-login after periods of inactivity) for all computers. Train employees to never leave laptops or PDAs unattended. Restrict telecommuting to company owned computers. Require the use of strong passwords that must be changed on a regular basis. Don’t store personal information on a computer connected to the Internet unless it is essential for conducting business.
- Keep Security Software Up-To-Date. Keep security patches for your computers up-to-date. Use firewalls, anti-virus and anti-spyware software; update virus/spyware definitions daily. Check your software vendors’ websites for any updates concerning vulnerabilities and associated patches.
- Stop Unencrypted Data Transmission. Mandate encryption of all data transmissions. This includes data ‘at rest’ and ‘in motion’. Also consider encrypting email within your company if personal information is transmitted. Avoid using Wi-Fi networks; they may permit interception of data.
- Manage Use of Portable Media. Portable media, such as DVDs, CDs and USB “flash drives,” are more susceptible to loss or theft. This can also include smartphones, MP3 players and other personal electronic devices with a hard drive that ‘syncs’ with a computer. Allow only encrypted data to be downloaded to portable storage devices.
Software tools such as Sherpa’s Altitude platform can be instrumental in helping you get a firm handle on the data residing in your systems. If you’d like to learn more about how to locate sensitive information in your organization or other strategies for effective data governance, contact us. We offer a range of solutions to identify and classify data across your enterprise – in email, file shares and beyond – with the capability to move, copy, quarantine or delete it.