In the space of two short weeks, eBay’s ticket-selling site StubHub and online bookmaker Paddy Power joined the already long list of 2014 data breaches. And, as always, important lessons can be drawn from these two events.
First, and as with almost every breach, what unites the two is that personally identifiable information was stolen, including individual customer names, usernames, addresses, email addresses, phone contact numbers and dates of birth. What distinguishes the StubHub breach, however, is that the compromise was not the result of the company’s servers coming under assault: the attackers used login details and passwords obtained in previous attacks. We have long warned that personal data nabbed in one heist can be used to design other, more insidious socially engineered cyber-attacks; this breach is the final confirmation of that. That’s also one of the reasons that yesterday’s Russian hacker report is important. The black market thrives on this sort of loot!
Let’s turn now to the Paddy Power case. Last Friday, the Irish bookmaker revealed that some 649,000 customers were affected by a breach that took place in 2010. Given that it took almost four years for the event to come to light, there has been ample opportunity for other cyber-attacks to be launched using Paddy Power customer data in the meantime. Such a long delay before details of an incident are released is not as rare an occurrence as you might think: only a few weeks ago the Australian daily deals site Catch of the Day notified its customers of a breach experienced three years earlier.
From a compliance point of view, both these cases will add further urgency to the need to reclassify all data as ‘sensitive’ and add more weight to the mandate for tighter breach notification laws. Given that the most recent draft of the proposed EU Data Protection Regulation stipulates that data controllers are obliged to notify the relevant privacy regulator of a breach within a 72-hour period, businesses across the board need to be ready to respond to breach incidents much faster, or face the adverse consequences.
Ultimately, these two news stories making headlines in such quick succession confirm that businesses continue to be targeted for customer data. As such, organisations must start appreciating the value and sensitivity of the information they collect. The only solution for businesses looking to stay out of the headlines with bottom line and consumer trust intact is to ensure they have encryption and access controls in place, along with security intelligence solutions capable of providing continuous, real-time monitoring of their IT systems. Only by doing so will they be alerted to unusual or anomalous behaviour and access patterns as soon as they happen, which may indicate an external attack or a malicious insider, and be able to respond as necessary. Indeed, it’s important to remember that aside from the raft of fraudsters, opportunists, hacktivists and organised crime syndicates out there, trusted ‘insiders’ can present as much of a risk to data as anyone else.
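To make the monitoring point concrete: the StubHub pattern (credentials stolen elsewhere and replayed against a site) leaves a recognisable trace in a login log, and the "anomalous access patterns" a security intelligence tool should alert on can be illustrated with a few lines of code. The following is an added example, not code from the original article or from any vendor it alludes to; the log format, the sample records, the five-minute window and the five-distinct-usernames threshold are all constructed assumptions. It flags two things a defender would want to see quickly: one source address trying many different accounts in a short window (a credential replay run), and a successful login for an established account from a source that account has never used before.

```python
"""Toy login-log monitor for credential-replay and new-source alerts.

Added example with constructed data: the record format
"timestamp ip username result", the thresholds and the sample log
are assumptions, not any product's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of different usernames from one address,
# two of which succeed, plus a regular user whose account later logs in
# from an address it has never used.
SAMPLE_LOG = """\
2014-07-21T10:00:01 198.51.100.7 alice ok
2014-07-21T10:00:02 203.0.113.9 bob fail
2014-07-21T10:00:03 203.0.113.9 carol fail
2014-07-21T10:00:04 203.0.113.9 dave ok
2014-07-21T10:00:05 203.0.113.9 erin fail
2014-07-21T10:00:06 203.0.113.9 frank ok
2014-07-21T10:00:07 203.0.113.9 grace fail
2014-07-21T10:30:00 198.51.100.7 alice ok
2014-07-21T11:00:00 192.0.2.44 alice ok
"""

WINDOW = timedelta(minutes=5)          # assumed sliding window
DISTINCT_USER_THRESHOLD = 5            # assumed alert threshold


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_replay(events, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Flag source IPs that attempt many *different* usernames within `window`.

    A legitimate user who mistypes retries one account; a replay of a stolen
    credential list walks through many. Returns {ip: max distinct usernames
    seen in any single window} for every IP that crossed the threshold.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        for i, (ts, _) in enumerate(attempts):
            # attempts are time-ordered, so only look back over the window
            users = {u for t, u in attempts[:i + 1] if ts - t <= window}
            if len(users) >= threshold:
                alerts[ip] = max(len(users), alerts.get(ip, 0))
    return alerts


def detect_new_source_logins(events):
    """Flag successful logins from an IP never before seen for that account.

    The first successful login for an account establishes its baseline; any
    later success from an unseen address is reported as (user, ip).
    """
    known = defaultdict(set)
    alerts = []
    for _, ip, user, result in sorted(events):
        if result != "ok":
            continue
        if known[user] and ip not in known[user]:
            alerts.append((user, ip))
        known[user].add(ip)
    return alerts


def accounts_hit_by(events, replay_alerts):
    """List accounts that logged in successfully from a flagged source.

    These are the accounts whose reused passwords actually worked, i.e. the
    ones an incident responder should reset and notify first.
    """
    hit = {user for _, ip, user, result in events
           if result == "ok" and ip in replay_alerts}
    return sorted(hit)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    replay = detect_credential_replay(evs)
    print("credential replay sources:", replay)
    print("accounts hit:", accounts_hit_by(evs, replay))
    print("new-source logins:", detect_new_source_logins(evs))
```

On the sample data the burst from 203.0.113.9 is reported with six distinct usernames, the two accounts it successfully opened are listed for reset, and alice's later login from 192.0.2.44 is reported as a new source. A production tool would add geography, device and time-of-day context and tune the thresholds to the site's traffic, but the logic of the alert is the same: watch the access pattern, not just whether the password was right.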