Not even the biggest companies in the world are 100% secure from a data breach. From the Equifax data breach of 2017 to the Capital One data breach in 2019, millions of private records containing consumer and confidential data were compromised in some of the biggest breaches on record. Even one of the biggest tech giants, Google+, was the victim of a cyberattack that compromised the data of 52 million users.
Information breaches affect all industries. From Netflix, to Dunkin' Donuts, to organizations within the health care system, everyone is vulnerable. With news surfacing all the time about password breaches, and the subsequent impact caused by individuals reusing those passwords on other sites, we thought it would be prudent to discuss the collateral damage from an end user’s perspective.
It seems as if every day there is a new data breach of which enterprises and consumers should be aware. To maximize the impact of Cybersecurity Awareness Month 2019, we decided to compile the most talked about breaches happening right now in a blog series to educate readers on how a data breach impacts the end user.
Data Breach – Why should we talk about it?
For those who haven’t followed the recent news on password breaches and their fallout, here is a brief summary. Consider Yahoo, which had 3 billion user records compromised, including:
- Email addresses
- Usernames
- Dates of birth
- Encrypted passwords
- Encrypted security questions
Security measures were weak, and ultimately, several forensic investigations later, Yahoo realized that the attack involved every one of its user records. That’s an awful lot of information to compromise. According to the 2017 Verizon Data Breach Investigations Report, 81% of data breaches were due to insecure passwords. With so many data breaches involving login credentials, one would think that people would keep stronger credentials. But that’s not the case.
Once hackers compromise private data through account hijacking, they can choose to disclose that consumer data, for example on the Dark Web. Once public, the compromised data can be used later for a large-scale, highly targeted attack.
Data Breach Big Picture
The number of people with Internet connectivity reached over 3.9B as of 2017. Whether it is banking, shopping, healthcare accounts or social media, the shift to online transactions and personal interactions has resulted in almost every one of these individuals having at least one account that requires access via a username and password. As of 2016, the average internet user had 26 online accounts and only 5 common passwords that are used to access these accounts.
With so many users holding many accounts protected by a disproportionately small number of passwords, cyber criminals are continuously incentivized by a potentially enormous monetary reward to illegally access and hijack accounts, impersonate users and/or steal information or money. Once an attacker uses the stolen credentials to access a different account from the one that was first compromised, the impact, depending on the type of account, can be anywhere from mild to severe, with no recourse for the user.
Data Breach User Recourse
There are some laws that protect a user’s confidential data, such as SSNs or medical information, but that protection is limited. Different organizations have different policies that enforce consumer privacy within the organization and through government regulations. However, there is no one overarching cybersecurity regulation that sets the standards to which all organizations must adhere. Rather, each state and local municipality enforces its own regulations.
What is noteworthy is that not all user data is treated as confidential under the law. This leads companies to treat various types of data differently, so that in the case of a data breach they may or may not have any legal obligation to protect the user, or even to notify them about the breach.
The issue then becomes one of vulnerability disclosure. If users reuse the same password on multiple sites, the chance that their data will be compromised again is raised. Hence, if someone steals their financial information, medical information or other types of confidential data, or posts something inflammatory on their social profiles, it’s the end users who will suffer, and the companies, by law, cannot be held accountable.
This is only one of many examples of collateral damage from a data breach, the data in this case being the username and password. In the following posts in this series, we will analyze the collateral damage from other data breaches involving various types of user data, including medical information, SSNs, PII and more.
ThreatModeler Will Help Your Organization to Mitigate the Collateral Impact of a Data Breach
We look forward to explaining the impact that a cybersecurity breach has in coming posts, not only from the perspective of an organization, but also from that of the end user. The first in the series will cover the collateral damage of an electronic health records data breach. ThreatModeler can help organizations in the major industries establish and maintain transparency, including with third-party software vendors, and help remediate the collateral damage of a data breach by preventing breaches in the first place. Request a free evaluation of the ThreatModeler platform. You can also contact us to speak with an application threat modeling expert today.