Getting Hacked Without Hackers?
Even non-malicious data breaches are a serious problem.
Data breaches are a serious issue. Depending on the type and amount of information involved, the costs can add up quickly. For example, some of you may remember the 2017 Equifax breach. As of early last year it had cost Equifax approximately $2 billion, and even now, five years later, the situation still hasn’t been fully resolved.
In many ways what happened at Equifax was a “typical” data breach: someone hacked in and was able to maneuver their way through the network to find and steal an electronic data gold mine. It was very much what most people think of when they think about a conventional data breach.
The problem with this perception is that data breaches don’t need to be caused by hackers, and in fact often aren’t. Not using an email client’s BCC function properly when sending out a mass email has caused multiple breaches in the past, and apparently happens often enough that you can even find legal advice explaining what to do about the situation.
Need another example of how a breach can happen without a hacker? Just a few after-hours drinks can do it. At least, that’s what happened in a small city in Japan when data was copied to a USB drive for transfer from one data center to another but the contractor went out after work and lost it. That drive contained information on almost half a million residents.
What exactly is a breach if not getting hacked?
Data breaches have been defined in multiple laws and standards like PIPA, PIPEDA, HIA, PCI-DSS and many others, and they all mostly amount to the same thing: a data breach simply means that you lost control of the data. It doesn’t matter how it happens; losing control of your data is a breach and you have to act accordingly. In the case of Amagasaki (the aforementioned Japanese city), chances are the USB drive fell out of a pocket, found its way into the trash, and the data will never be seen by anyone. The problem is that the data is now somewhere outside of the city’s control. Since control was lost, even though the data likely wasn’t “stolen,” the situation is considered a data breach.
How do I respond?
Every breach needs to be thoroughly and completely investigated. For legal reasons you need to be able to prove your organization:
- understands the situation,
- knows the root cause of the breach,
- took appropriate steps to prevent a similar breach in the future, and
- took appropriate steps to notify everyone affected by the breach.
Having a solid breach reporting policy that outlines the reality of what a breach means to everyone in your organization helps prevent an unwanted breach. It makes people realize that this can happen without any sort of hacking. You need to investigate every breach and potential breach situation and treat them as high-priority situations. If you need help planning your breach reporting policy, investigating a breach, or securing your data, contact a TRINUS cybersecurity expert for some stress-free IT.
This week’s slice of Shakespearean wisdom comes from his play Julius Caesar, where you’ll find this particular quote: “The evil that men do lives after them; the good is oft interred with their bones.”
Courtesy your friendly neighbourhood cyber-man.