A Year in Review: What We Can Learn from Major Data Breaches in 2021
Your organization can learn a thing or two from some high-profile data breaches. Protecting your company’s sensitive information from hackers requires vigilance, the right tools, and staying a step ahead.
The Colonial Pipeline
Remember back in April when it became tough to get gas for a while? Thanks to a ransomware attack on the computers that controlled the Colonial Pipeline, hacker organization Darkside managed to bilk the company out of $2.3 million in Bitcoin. Yes, the ransom got paid. And it all came down to one password.
Because the company’s VPN did not have multi-factor authentication, there was no extra step to keep the hackers out once they found out the password. Because of this, the pipeline that controlled 45% of the east coast’s petroleum supply was inoperable, and gas prices rose six cents per gallon across the country.
The lesson: Set up multi-factor authentication for any interfaces that have that much control of your business. Fingerprints, retinal scans, ID cards, anything you can add as an extra layer of protection keeps data out of thieves’ hands.
Facebook, Instagram, and LinkedIn
April was a bad month for cyberattacks. Around the same time when the Colonial Pipeline was shut down, 533 million Facebook users’ information got leaked online. Then, 200 million profiles were accidentally leaked from Instagram, LinkedIn, and again Facebook by Chinese social media startup Socialarks.
While the vulnerability that led to the first leak for Facebook was on their end (and Facebook has said they’ve patched), the Socialarks leak was due to their use of an unsecured ElasticSearch database that had no checks for passwords of any kind.
The lesson: Using open-source, outdated, or non-updated software can lead to security breaches. Use secure, up-to-date software to avoid such vulnerabilities.
Yes, the grocery store. Thanks to the out-of-date software Accellion, makers of file transfer software called FTA announced that they had massive data breaches. Despite repeatedly patching FTA, the leaks continued from December 2020 well into January 2021. While there were many affected businesses, such as New Zealand Reserve Bank and Singtel (a Singapore-based telecom carrier), Kroger was the most high profile.
The result? A class-action lawsuit against Accellion. Oh, and Kroger also ended up paying $5 million in damages. Even though it wasn’t their software that caused the leak (they’re a grocery store, not programmers), they were still culpable in the eyes of the law.
The lesson: The tools you use to store and transfer data can land you in hot water if they’re inadequate to prevent theft.
In September, hacker collective Anonymous leaked 180GB of data from domain registrar Epik. Epik stored data it scraped from WHOIS on their private servers. The information contained belonged to customers and non-customers alike. Unlike the examples above, an individual did not even have to be involved with Epik in any way, and they still had their private information, including contact information and passwords, leaked to the public.
Much of the data in Epik’s possession was saved unencrypted and even in plaintext. Anonymous also stole disk images, which contain all the files on specific storage drives, from Epik’s servers.
The lesson: Don’t leave sensitive data lying around waiting to be discovered. If you need it, secure it. If you don’t need it, shred it.
Secure Your Data by Shredding It with SEAM in South Dakota
If your sensitive data is sitting in storage drives or physical documents, it’s time to shred! Secure Enterprise Asset Management (SEAM) is a member of the National Association for Information Destruction and is ISO 45001 certified to wipe your unwanted documents and drives from existence completely. Contact SEAM today and save yourself the Sioux Falls headlines.