Are enterprises becoming more complacent about data breaches?
Jim Barkdoll, Titus CEO, talks about the challenges enterprise-level companies are facing with being more proactive about data breaches.
Though we’re only in the first month of the year, there have already been a number of data breaches. There have been so many, in fact, that you probably didn’t notice two smaller breaches that happened this week, impacting “Town of Salem” gamers and Minnesota drivers, respectively. While these events may not have impacted the same number of people as the Marriott breach, the responses of each organization indicate that enterprises may be becoming desensitized to breaches that aren’t at the level of a Marriott or Yahoo catastrophe.
Don’t worry – it didn’t include credit cards
On Jan. 3, BlankMediaGames admitted a hacker stole the personal details of 7.6 million users of the browser-based game, “Town of Salem.” And while the company eventually did secure the back doors that evidently enabled hackers to access user information, the company’s response to the event is concerning. In a blog post addressing the hack, users were told, “To clarify, we do not handle money. The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that. We don’t have access to that information.”
That response gives the impression that users need only be concerned if their financial information has been compromised. While credit card information in a hacker’s hands is dangerous, hackers can do a lot with other personal details. Case in point – the “Town of Salem” hacker did get access to usernames, passwords (in the phpass, MD5/WordPress, MD5/phpBB3 formats), email addresses and IP addresses. The hacker could use this information to access other accounts or sites associated with each email address.
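The hash formats named above (phpass portable hashes as used by WordPress and phpBB3, plus raw MD5) are all fast, MD5-based schemes, which is why a leaked credential table in those formats is a real exposure and not just a theoretical one. The check a defender wants after reading a disclosure like this is an inventory of which formats are actually present in the user table, so that legacy entries can be rehashed on next login or force-reset. The following audit is an added example written for this page; it is not code from BlankMediaGames or the game, and the user rows are constructed sample data. Format detection relies on the well-known prefixes ($P$/$H$ for phpass, $2a$/$2b$/$2y$ for bcrypt, $argon2… for Argon2) and treats a bare 32-hex string as raw MD5, a heuristic that should be confirmed against the application’s own configuration.

```python
import re
from collections import Counter

# Fingerprints for the formats we expect to see. The raw-MD5 rule is the only
# heuristic (any 32-hex string matches); the others are fixed prefix shapes.
PHPASS_RE = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")   # $P$ WordPress, $H$ phpBB3; iterated MD5
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")
RAW_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Salted, deliberately slow schemes may stay; everything else is flagged for rehash.
ACCEPTABLE = {"argon2", "bcrypt"}

# Constructed sample rows (hypothetical users; not data from any breach).
SAMPLE_USERS = [
    ("alice", "$P$BVlPBhvVNO8r1m0oqsLM6Ii2r0xkuM1"),      # phpass, WordPress-style
    ("bob",   "$H$9abcdefghijklmnopqrstuvwxyz0123"),      # phpass, phpBB3-style
    ("carol", "9e107d9d372bb6826bd81d3542a419d6"),         # raw, unsalted MD5
    ("dave",  "$2y$10$" + "a" * 53),                       # bcrypt (cost 10)
    ("erin",  "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA"),
]


def classify_hash(h):
    """Return a short label for the password hash format of one stored value."""
    if h.startswith("$argon2"):
        return "argon2"
    if BCRYPT_RE.match(h):
        return "bcrypt"
    if PHPASS_RE.match(h):
        return "phpass-md5"
    if RAW_MD5_RE.match(h):
        return "md5-raw"
    return "unknown"


def audit_password_hashes(rows):
    """Count hash formats across (username, hash) rows and list the users whose
    stored hash is not in an acceptable scheme, so they can be migrated."""
    counts = Counter()
    needs_rehash = []
    for username, h in rows:
        fmt = classify_hash(h)
        counts[fmt] += 1
        if fmt not in ACCEPTABLE:
            needs_rehash.append(username)
    return {"counts": dict(counts), "needs_rehash": needs_rehash}


if __name__ == "__main__":
    report = audit_password_hashes(SAMPLE_USERS)
    print("format counts:", report["counts"])
    print("users to rehash on next login / force reset:", report["needs_rehash"])
```

On the constructed rows the audit reports two phpass hashes and one raw MD5 alongside one bcrypt and one Argon2 entry, and flags alice, bob and carol for migration. Entries classified as "unknown" deserve a manual look rather than silent acceptance.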
Don’t worry – those companies are authorized to get that info…even if we sent it by mistake
While “Town of Salem” users were scrambling to change their passwords, Minnesota drivers encountered a different problem altogether. It seems that the addresses of 1,500 people who registered their vehicles with the state were inadvertently provided to three companies, even though these people had requested their information be kept private.
The three companies that received this information – Experian, Polk and Safety First – are authorized to receive that information by the state. In fact, the Minnesota Department of Public Safety (DPS) said in an email that “there was no data breach,” and there’s no indication “that private data has been accessed or used unlawfully.”
That characterization is incorrect for a couple of reasons. The term ‘data breach’ doesn’t only apply to bad actors willfully accessing information with the intent to do harm. Data breaches also happen when people mistakenly access or share data, which is the case here. Preventing these inadvertent errors or ‘fat-fingered mistakes’ is one of the reasons customers turn to TITUS.
This incident also undermines one of the things that regulations like the General Data Protection Regulation (GDPR) and the upcoming California Consumer Privacy Act strive to enforce – good data stewardship. Even though the three companies named above are authorized to receive sensitive information about Minnesota drivers, they received the information of 1,500 people without their consent. That is significant.
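The Minnesota disclosure is the classic shape of an inadvertent breach: the recipients were authorized, but a per-record privacy choice was not enforced at the point of export. The mitigation is a release gate that consults the opt-out flag on every record and fails closed when it cannot. The code below is an added example for this page, not anything from the Minnesota DPS or from TITUS; the vehicle records, the recipient allowlist and the field names are constructed placeholders. Its design choices are that a recipient outside the allowlist blocks the batch, a record whose privacy flag was never captured blocks the batch rather than being guessed at, and the audit trail records which plates were withheld without copying the withheld addresses anywhere.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VehicleRecord:
    plate: str
    owner: str
    address: str
    # True = owner asked that the record stay private; None = flag never captured.
    share_opt_out: Optional[bool]


@dataclass
class ExportResult:
    blocked: bool
    reason: str
    payload: List[dict]      # records actually released
    suppressed: List[str]    # plates withheld because of an opt-out
    recipient: str


# Placeholder allowlist of recipients the agency has authorized (constructed names).
AUTHORIZED_RECIPIENTS = {"recipient-a", "recipient-b"}

# Constructed sample records (hypothetical owners and addresses).
SAMPLE_RECORDS = [
    VehicleRecord("ABC123", "Owner One", "1 Elm St", False),
    VehicleRecord("DEF456", "Owner Two", "2 Oak St", True),
    VehicleRecord("GHI789", "Owner Three", "3 Pine St", False),
]


def build_export(records, recipient):
    """Assemble a bulk disclosure for one recipient while enforcing opt-outs.

    Fails closed: an unauthorized recipient, or any record whose privacy flag is
    missing, blocks the whole batch instead of letting a default decide."""
    if recipient not in AUTHORIZED_RECIPIENTS:
        return ExportResult(True, f"recipient {recipient!r} is not authorized", [], [], recipient)

    unknown = [r.plate for r in records if r.share_opt_out is None]
    if unknown:
        return ExportResult(True, f"privacy flag missing for {unknown}", [], [], recipient)

    payload, suppressed = [], []
    for r in records:
        if r.share_opt_out:
            suppressed.append(r.plate)   # audit what was withheld, not the address itself
            continue
        payload.append({"plate": r.plate, "owner": r.owner, "address": r.address})
    return ExportResult(False, "ok", payload, suppressed, recipient)


if __name__ == "__main__":
    result = build_export(SAMPLE_RECORDS, "recipient-a")
    print(f"blocked={result.blocked} reason={result.reason!r} "
          f"released={len(result.payload)} suppressed={result.suppressed}")
```

Run against the sample data, the export to "recipient-a" releases two records and withholds DEF456; the same batch with one record missing its flag, or addressed to a recipient not on the allowlist, produces a blocked result that an operator has to resolve before anything leaves the system.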
Taking it seriously
The picture I’ve painted above admittedly seems grim. Whether initiated by an international hacker or by an inadvertent internal error, any misappropriation of data is serious and should be treated as such. But there is hope. Spurred to action by GDPR, national and state governments worldwide are targeting data privacy through legislation including the California Consumer Privacy Act and India’s forthcoming Personal Data Protection Bill. These regulations will force enterprises to take a stringent look at how they deal with data to ensure sensitive information is fiercely protected.
Beyond that, I believe that 2019 will be the year enterprises start to prioritize good data stewardship. The more enterprises I speak to, the more I see this shift. Though many seek out data protection solutions like ours to comply with regulations, as they implement a complete data protection strategy, the organization becomes more mindful of identifying sensitive data and applying appropriate protection.
The lesson here is simple – sensitive information can be more than just financial information, and enterprises have a responsibility to deploy a data protection strategy that ensures every piece of information they collect from customers and end users is protected.