Every year, the data security breaches that small, medium, and large businesses suffer from become larger and more extreme than the year before. The IT solutions that are put in place (or that are neglected) never seem to be enough to combat the increasingly cunning criminal hackers. The biggest, most publicized hacks affect huge corporations or government entities with millions of records. This can cause small businesses like those here in Amarillo, Texas to mistakenly believe that they are immune to hackers when in reality, the biggest data breaches of the year can teach small businesses some valuable lessons.
As a recap, here are some of the biggest security breaches of 2015:
Anthem: This hack affected 78.8 million Anthem customers (plus 8.8 to 18.8 million non-customers) and broke records as the largest healthcare breach to date, according to Healthcare IT News. The data stolen was highly sensitive and included names, birthdates, social security numbers, and addresses.
Lesson learned: Employees are the weakest link in the security chain. Investigators found that the hackers got into the Anthem system by obtaining the login credentials of at least one (and possibly five) system administrators through social engineering and phishing. Once inside the system with valid credentials, it didn't matter whether the sensitive data was encrypted or not.
Ashley Madison: One of the most publicized hacks of the year, the breach of cheating website Ashley Madison affected 37 million users of the site, according to Fortune. The hackers published the results of their breach online, exposing millions of cheating spouses. The big problem with the Ashley Madison hack was that many of the users affected by the breach no longer had accounts with the website. The business had promised to permanently delete customers' information when they deleted their accounts, but it did not. Many marriages were destroyed, and some of the users even committed suicide.
Lesson learned: It’s not all about money anymore. The hackers in this case were not looking to steal bank account information or social security numbers. Their primary goal was to expose cheating spouses and punish what they saw as a moral wrong. If someone thinks your company is up to no good, they might attack you.
Premera Blue Cross: 11 million members of Premera had their sensitive information stolen when attackers infiltrated the insurance company's information technology system. In addition to names, birthdates, and social security numbers, the hackers also made off with bank account information, according to the Huffington Post. The attack affected employees of Starbucks, Amazon, and Microsoft, among other companies.
Lesson learned: The healthcare industry is the greatest data breach target in 2016. Healthcare organizations such as insurers and care providers house some of the most sensitive information about a person. This information is valuable to hackers because they can sell it or they can use it for insurance and prescription fraud. It is vitally important for those in the healthcare industry to keep security high on the priority list.
VTech: The maker of electronic children's toys was hacked this November. It was especially scary because it was the first breach to affect children specifically. The breach affected 6.4 million children and 4.9 million parents, according to iDigitalTimes. Luckily, the breach was not carried out by a criminal hacker but by a man who was concerned by VTech's lack of security and wanted to prove a point. Once the hack became known, VTech quickly took action to tighten up security. Had the hacker been malicious, he would have had the names, passwords, download history, IP addresses, and children's genders and birthdates to do whatever he pleased with. Photos, voice recordings, and parent-child chat logs were also stolen.
Lesson learned: Almost all companies are now tech companies. Almost every single business takes in customer data and often keeps that data on file. It then becomes your responsibility to keep that information safe from criminal hackers. Many companies that are new to handling so much technology are not yet thinking about security; the VTech hack shows why they need to.
Office of Personnel Management (OPM): The personal information of 21.5 million United States citizens was stolen this year, many of whom currently or formerly held government jobs or served in the military, according to iDigitalTimes. Many of the victims were people who had applied for security clearances or undergone a background check. The fingerprint records of 5.6 million people were stolen. The breached data contained highly sensitive information, including names and birthdates as well as relationships, mental health status, and past addresses of victims. The perpetrators of the attack have yet to be identified; however, many believe that the Chinese government is to blame. Regardless, having this data in the hands of any criminal could be devastating to the U.S. government in cyber warfare. The OPM provided the victims with identity theft protection, which will cost American taxpayers $133 million.
Lesson learned: You can't ignore or put off updating old technology and employing proper security practices. The OPM was told by security researchers for months that it needed to tighten up security, but it failed to do so. It also knew about the hack for 6 months before alerting victims. Overall, the OPM failed miserably both at preventing the attack and at responding to it afterwards.
T-Mobile/Experian: Customers of T-Mobile suffered a financial information breach through T-Mobile's third-party credit application processor, Experian. T-Mobile had to share information such as birthdates, names, driver's license numbers, and social security numbers with Experian to process credit applications so customers could get financing. However, hackers breached Experian's servers and stole the data.
Lesson learned: Be wary of using third-party vendors and applications. If you keep your customers' data and you have to send it to a third party, be careful. Use only reputable, tested applications and companies that have a demonstrated commitment to security and compliance.