Another week, another major data breach

There’s an old adage in the media industry about rating the newsworthiness of a story – “dog bites man” versus “man bites dog”. The implication is a story that is unusual or has a much greater impact would garner a lot more interest from readers than would an article that’s your average, run-of-the-mill news article. Unfortunately, we may be coming to the point soon where major, large-scale data breaches could fall into that latter category of news.

According to published reports, authorities are investigating coordinated cyber-attacks carried out against JPMorgan Chase and several other financial firms this month that resulted in large amounts of data, including checking and savings account information, being stolen. JPMorgan is just the latest in a string of high-profile data breaches that have been reported this month. Last week, Community Health Systems Inc., which owns, leases or operates more than 200 hospitals in 29 states announced that it suffered a cyber-attack earlier this year resulting in the information of more than four million patients being compromised. Just two weeks ago, Supervalu, which operates more than 3,300 grocery stores across the country said that it is investigating a breach that may have affected more than 1,000 of its stores. Among some of the other businesses targeted by hackers this year include Neiman Marcus, P.F. Chang’s and Goodwill Industries.

And on and on it goes. Target, which suffered a massive data breach late last year that included the theft of millions of customers’ debit and credit card numbers, is still reeling from the impact of the attack. The retailer recently reported that it has thus far incurred $148 million in breach-related expenses

The level of sophistication involved in the attack against JPMorgan, which reportedly originated in Russia, has led some to believe that the hackers were aided by the Russian government, possibly in retaliation for the sanctions levied against it by the U.S. for their hand in the ongoing conflict in Ukraine.

“The Russians performed a zero-day attack to gain initial access to the network. By definition, this means they leveraged a vulnerability, or flaw, that was previously unknown,” said Greg Kazmierczak, CTO of Wave Systems Corp. “There is no such thing as fool-proof security; especially when the attacker is a well-funded, highly-skilled, and highly motivated nation-state."

Other experts agree that the capabilities demonstrated by the hackers who were able to infiltrate JPMorgan’s network were well-beyond that of a typical cybercriminal.

“JPMorgan and similar entities employ sufficient technology to protect themselves from criminals, but typically fail to invest enough in technology and process to shield themselves from nation-state’s ability to access their systems at will.  The lesson to be learned is that the financial services sector needs to up its cyber security game to move up from commercial security to military-level security,” said Philip Lieberman, president of Lieberman Software.

Nonetheless, that doesn’t mean there aren’t steps organizations can take to better protect themselves. Some data security experts are even advocating for the elimination of passwords in favor or newer, more secure forms of authentication.

"Hackers, whether they're from Russia or Rochester, will always steal passwords.  It's a fact of life that the companies that store them and the users who use them can no longer avoid.  There's a simple, clear solution to this problem that will soon become the norm: don't use passwords,” said Scott Goldman, CEO of TextPower. “Other forms of authentication are available and should be employed by any company with data that's worth stealing - and that's every company.”  

However, others argue that these types of breaches are unpreventable and only by employing a higher level of encryption can data be better protected.

“Most risk analysts preach that securing the perimeter or endpoint is the most secure way to prevent breaches, but the hackers are winning handily against that lone barrier. Part of that reason is the fact that the most serious breaches come from within and not outside the perimeter. The reality is that there is almost no way to prevent the intrusion and to avoid your data getting stolen,” said Richard Blech, president of Secure Channels Inc. “The answer is to secure your data with the highest level of encryption possible and render said stolen data completely useless to the thief. With unhackable encryption wrapped around your data, the hacker is left with a bunch of useless bits and bytes.”   

Ulf Mattsson, CTO at Protegrity, said that there are three things companies can do to better protect themselves against the threat of data breaches:

  • Become more data-centric. Start by protecting the data itself through tokenization.
  • Move beyond single-factor authentication. You must offer your customers more sophisticated ways to protect their information. The data access policy should be driven at the enterprise level not within traditional data silos.
  • Enforce a strict data protection policy and get control over your own data: who’s accessing it, who’s monitoring it, who’s storing it, etc.

"Attackers will always find new ways to access sensitive data - and companies can be certain that they will face a data breach at some point. We can't beat the hackers, but we can make it incredibly difficult for them to get what they want. Truly, the only way to secure data today is through tokenization and a data-centric approach to information security. If a company's most valuable asset is its’ data - then why not take steps to protect it at its core?” said Mattsson. “Traditional, perimeter-based security is no longer enough to fight against the world's most sophisticated criminals. Tokenization can effectively be used to secure sensitive data fields, including payment card numbers and expiration dates, across the entire data flow. The attacker will only find unusable data and this approach can help to protect sensitive data against a range of future attacks."

No matter what side of the spectrum you fall on when it comes to what organizations should be doing to better protect themselves, one thing is clear; people are becoming more and more desensitized to these events and have begun to develop “breach fatigue.”

In an interview with SIW earlier this year, Michael Bruemmer, vice president of Experian Data Breach Resolution group, said that while one in about every four consumers received a breach notification letter in the mail last year, they’re not taking them as seriously. “They concerned about being spammed. What do I need to do? The letters are unclear and they just cast them aside instead of doing something with them,” he said.

While stories about major data breaches may not have reached the level of “dog bites man” just yet, they are perilously close to becoming incidents that are to be expected, which is a dangerous thought to consider.