Data Privacy Day: Data Protection Lessons from the 2010s
Today is “Data Privacy Day” – and while it seems like there is a day for nearly everything we hold dear (hello national grilled cheese day!), this particular date commemorates the 1981 signing of the first legally binding international treaty on data protection.
Data protection standards have come a long way since 1981, especially in the last couple of years with GDPR and CCPA – two regulations that extend the rights of individuals to better control and protect the use of their personal data in the evolving digital landscape. It’s generally believed that GDPR and CCPA are laying the foundation for further groundbreaking regulations.
And it makes sense. According to Business Insider, “of the 15 largest data breaches in history, 10 took place in the past decade.” These breaches collectively resulted in the loss of nearly 4 billion records. So, as we embark on a new decade, let’s take a look at some of the data breaches of the 2010s that helped shape stricter consumer data protection.
Uber Breach – While it was disclosed in 2017, Uber suffered a breach in 2016 that exposed personal information belonging to 57 million drivers and customers. Attackers stole names, email addresses and phone numbers and demanded a $100,000 ransom. To add insult to injury, Uber also was fined nearly $150 million for not disclosing the breach earlier.
Lesson Learned? Don’t store code in a publicly accessible database. Uber data was exposed because the AWS access keys were embedded in code that was stored in an enterprise code repository by a third-party contractor.
Equifax Breach – Several tech failures in tandem – including a misconfigured device scanning encrypted traffic and an automatic scan that failed to identify a vulnerable version of Apache Struts – ultimately led to a breach that impacted 145 million customers in the US and 10 million UK citizens.
Lesson Learned? Get security basics right. Despite cyber attacks becoming more targeted and damaging, organizations are frequently still ignoring the security basics. Patches need to be applied promptly and security certificates need to be maintained. This breach also inspired elected officials to push for legislation to tighten regulations on what protections are required for consumer data and influenced an increase in executive accountability.
Facebook’s Cambridge Analytica Breach – Cambridge Analytica, a British political consulting firm, harvested the personal data from millions of peoples’ Facebook profiles without their consent and used it for political advertising purposes. The scandal finally erupted in March 2018 when a whistle blower brought this to light and Facebook was fined £500,000 (US$663,000), which was the maximum fine allowed at the time of the breach.
Lesson Learned? Protect user data (or pay up). Lawmakers claim Facebook “contravened the law by failing to safeguard people’s information” – and suffered the consequences. Now the United States Congress is placing additional pressure on Facebook to stop the spread of fake news, foreign interference in elections and hate speech (or risk additional, larger fines).
Ecuador Breach – Data on approximately 17 million Ecuadorian citizens was exposed due to a vulnerability on an unsecured AWS Elasticsearch server where Ecuador stores some of its data. While the sheer scale of this breach made it headlines news, the breadth of exposed information really made everyone stand up and take notice. Exposed files included official government ID numbers, phone numbers, family records, marriage dates, education histories and work records. In addition, a similar Elasticsearch server exposed the voter records of approximately 14.3 million people in Chile, around 80% of its population.
Lesson Learned? Adhere to the shared responsibility model. Most cloud providers operate under a shared responsibility model, where the provider handles security up to a point and, beyond that, it becomes the responsibility of the customer. As more and more government agencies look to the cloud to help them become more agile and better serve their citizens, it’s vital they continue to evolve their cloud security strategies to proactively protect against emerging threats – and reinforce trust among the citizens who rely on their services.
Desjardins Breach — The data breach that leaked info on 2.9 million members wasn’t the result of an outside cyber attacker, but a malicious insider – someone within the company’s IT department who decided to go rogue and steal protected personal information from his employer.
Lesson Learned? Be proactive in identifying unusual or unauthorized behavior. While insider threats can be more difficult to identify, especially in a case where the user has legitimate privileged access rights, it’s important to be able to consistently monitor for unusual and unauthorized activities. Even more critical is the ability to automatically remediate potentially risky behavior (think: putting a temporary hold on permissions) to help reduce the amount of time it takes to stop an attack and minimize data exposure. This breach showed that a defense-in-depth security strategy that includes privileged access management, multi factor authentication and database activity monitoring has never been more crucial.
These incidents are just a small sample of the numerous data breaches that occurred in the 2010s. Any organization that collects or stores customer information can learn from these incidents and the many more like them. Not prioritizing data protection or simply doing the bare minimum can lead to regulatory non-compliance fines, or worse – the destruction of customer confidence and brand damage. Listening to the lessons of the past can help us prepare for a more secure future.