If the past month is any indication, the new definition for the dog days of summer has less to do with the heat outdoors and more to do with the number of data breaches hitting virtually every type of organization. These breaches shows that perimeter security is simply not enough to ensure your data remains secure. Here are just a few of the attacks that have not been thwarted:
- California-based San Jose Medical Supply Co. filed a lawsuit against former employees for allegedly disclosing customer information to competitors. The former employees allegedly stole the information and delivered it to two different competitive organizations. This would not have been an issue if the company had put in place fine-grained access controls for privileged users and gathered security intelligence.
- Cedars-Sinai Medical Center in Los Angeles fired six employees for accessing patient records (including Kim Kardashian’s). The organizations that stole this information varied wildly, but virtually none of them were involved in the actual medical care of Kardashian. Had the IT professionals at Cedars-Sinai ‘firewalled’ that sensitive patient data at the source, they could have avoided this problem. In light of considerable regulatory requirements and the economics of moving to the cloud, the healthcare industry needs to put in place best practices to secure sensitive patient data.
- Social Security numbers for tens of thousands of U.S. citizens were made publicly available online after the Internal Revenue Service (IRS) posted them to a publicly visible government website. As more government data is consolidated into centralized data centers, the risk of both accidental and intentional breaches increases. Being able to identify suspicious activity before an extensive breach occurs is critical and Vormetric can help agencies do exactly that.
- Following an attack on its Japanese website, Konami joined Ubisoft and Nintendo as the third video game company within two weeks to be targeted by hackers. The fact that three video game titans got hit within a two-week span really grabbed out attention. It points to the fact that too many of these companies are using outdated approaches to secure sensitive user data; the end result is exposing thousands of users to unnecessary risk.
- And then there was the Apple developer site hack that took the site down for eight days. While it sounds like Apple intended to do the right thing by encrypting data, the fact that security researcher Ibrahim Balic was able to extract personal user information indicates that the data in question may not have been properly encrypted. Our own Alan Kessler and Derek Tumulak addressed this particular incident with BestTechie’s Jeff Weinbein, providing insight on the proper security measures to take in a situation like this. Check out the full article.
- Finally, hackers also targeted OVH—a French web hosting company. The hackers gained control of a system admin’s email account and were able to gain access to its European customer database. In this article, our own Sol Cates underscores the importance of limiting user access to reduce exposure. System admins do not need access to the data itself to perform their function.
I guess the bottom line is that no one is immune to data breaches. Data is the new currency and it has significant street value. The only way to protect sensitive data from both external and internal threats is to take a layered data-centric approach to security. This involves using sophisticated encryption and key management — essentially building a "data firewall” that controls and limits access to that sensitive data — and continuously gathering security intelligence so you can see exactly who is trying to access what data, when and where.
What kinds of organizations do you trust with personal information like your social security number and credit card information?