In recent months, technology giant IBM accidentally sent their own customers Malware, the Metropolitan Police Force gave away contact details of gun users in the UK and mobile operator Three, failed to control access to customer’s personal details and account details by third parties.
All three of these companies should know better when it comes to the risk of a data breach but it goes to show that all companies are at risk of data breach and should be doing more to combat this risk, especially with GDPR on the horizon.
GDPR is The General Data Protection Regulation and comes into force in Europe in May 2018 but will have a global effect.
In IBM, we trust
Although IBM were most likely one of the first companies to have ever experienced and learnt from a data breach, it seems not even they can avoid a slip up every now and then. This week, IBM have made users aware that USB flash drives containing the initialization tool for some of their Storwize systems “contained a file that has been infected with malicious code”. It is not yet known how many customers may have been affected by this but IBM had been actively distributing the software unknowingly putting their own customers at risk.
Policing data breach
While data breach isn’t usually an area the Metropolitan Police Force would be involved in, leaving that up to the ICO, they are now. For the wrong reasons.
The Data Protection Act in the UK ensures that personal data such as your name and home address must be handled in a safe and secure way. So, when the police are accused of selling or giving away this information for 30,000 people it’s clear that something has gone wrong. In addition, the fact that these 30,000 people are legal gun owners gives, even more, reason for concern.
Three’s a charm
Three are no stranger to data breach having had data for more than 130,000 of their customers compromised by cyber-criminals less than 6 months ago. So being back in the news for another data breach should be a worry.
This time around, customers were presented with each other’s names, numbers and call history when attempting to log into their accounts. According to a spokesperson, “no financial details were viewable” and they will be “investigating the matter”.
Reducing the risk of data breach
Data breach and data loss are costly to organizations; From a monetary sense fines can be levied by the relevant state Information Authority (e.g. the ICO in the UK) and further with reputational damage. Three are a prime example of an organization that will have damage done to their reputation due to data loss. When you look for a new phone provider, it is unlikely that you are going to choose the one known for losing customer data and personal details.
These cases all have something in common in that the companies were quick to confirm that the matters would be explored further and that actions would be taken to ensure breaches would not happen again. This being the case, the sources of the initial breaches are unknown to the public.
Data breaches can come from many sources and it would be difficult for any organization to claim total security against them. However, it has been reported that 25% of breaches involve internal actors compared to 51% involving organized criminal organizations. Of these attacks over half, 51%, included malware which has been a growing threat in IT for the past 18 months.
The threat from internal users should be less than 1 in 4 and Network managers and administrators will have to review internal policies and procedures to lower this, usually starting by limiting who can access data.
Statistics used are from the Verizon DataBreach Investigations Report 2017.