Deconstructing big time data breaches

Deconstructing big time data breaches: Where the big boys failed and what your business can learn

August 14, 2014 No Comments

These days, it seems not a day goes by without a data breach story appearing in the news. As these security incidents become more prevalent – not to mention more costly – one of the best things that small businesses can do to prevent them is to learn from others’ mistakes.

We see that the biggest enterprises are not infallible to data protection issues like breaches. And we obviously hear about them because bigger brands are newsworthy. This is good for small businesses though, because while their drama unfolds in the media it gives us a very public playbook of how it happened and how they responded, which is a valuable learning experience, again, particularly for smaller businesses.

Let’s face it – although hackers often target firms with vast databases full of customer information, even small companies now house sensitive data that can present a treasure trove for cyber attackers. Technology has changed the way even the smallest startups operate. While a breach at a multi-billion dollar company can result in bad press, hurt revenue, and make for uneasy shareholder meetings, they are rarely company ending events. For a small business, that’s exactly what they can be, company ending events.

For this reason, I wanted to take a look a few of the most recent high profile breaches to see if there was anything that we could learn from them. What was the cause? How were they handled? And the main takeaways for small companies so they can work to keep themselves out of the headlines and instead focus on their customers, their growth and success.

Holy Heartbleed

Unless you’ve been living under a rock for the past few months, chances are you’ve heard about Heartbleed. While this wasn’t so much a data breach as it was an infrastructure vulnerability, the number of online platforms and organizations impacted by this security incident made it one of the most far-reaching in recent memory.

According to Heartbleed.com, security experts discovered that the Heartbleed bug was a significant weakness in one of the most widely utilized cryptographic software libraries today, OpenSSL. Just as a safecracker can use imperfections in a safe’s construction to crack the code and steal the protected loot, the Heartbleed vulnerability made it easy for attackers to gain access to sensitive information supposedly protected by OpenSSL encryption.

Specifically, “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This allows hackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Because OpenSSL was so widely used, the impact of this security incident was one of the largest ever seen. Mashable pointed out that as of mid-April, the list of affected platforms included social media networks like Facebook and Twitter, Web giants like Amazon and Yahoo, as well as email sites like Gmail and Hotmail. Heartbleed also impacted the websites of stores and ecommerce firms, gaming and entertainment sites, financial and government resources, and several other productivity and online apps. Although the list was incredibly extensive, it doesn’t even begin to include all the Web-based sites impacted by Heartbleed. Shameless shelf promotion, CloudEntr was not affected.

In the end, a patch was quickly released for the vulnerable versions of OpenSSL, preventing attackers from exploiting the weakness. However, as Heartbleed.com pointed out, any system that utilizes the OpenSSL encryption is vulnerable to attack until the Fixed OpenSSL update is installed.

So what can small businesses learn from a large-scale infrastructure failure of this kind? This case teaches us one of the most important technology lessons a small business can learn: You can’t plan for everything. Companies and the technology they use are an intricate network of technological dependencies that are largely unpredictable.

No one can forecast just how systems will react, especially when there are so many points where components can fail. Heartbleed isn’t the last failure that companies will experience. However, it does show the value of responding quickly to mitigate the damage.

The companies that best dealt with Heartbleed did not to rely only on a single secure method of encrypting the data flowing in and out of your network. They also ensured that all of their systems were up to date, and all patches were installed as soon as possible.

Targeting Target

Target is another case that can teach small businesses an important lesson. When the breach first occurred, it received nationwide attention as it affected such a large number of people and their credit cards. It seemed that as the days went by, the number of customers whose sensitive data was compromised only grew.

The hackers were able to install malware on the in store point-of-sale terminal that was designed to steal credit card information as transactions were processed. The hackers were able to get access to the infrastructure because of credentials obtained from an HVAC service in what has become the largest and most costly breaches in recent history.

This raises an important question that all small business owners must ask themselves: Do you know who has access to what company-owned data?

Although many security experts sing the importance of vetting third-party vendors, this is usually unrealistic for smaller organizations. Mom and pop shops and startups simply don’t have the time or resources to thoroughly evaluate the security measures used by their partners and service providers. Their time is better spent on instead keeping track of what outside firms have access to their networks. It is critical to know which users have access to the network both internally and externally. By understanding who has the ability to open sensitive business information, smaller groups can work to prevent an intrusion of this kind.

eBay: A classic breach with a government twist

The eBay case illustrates a classic breach, one that can easily take place in any type and size of business. However, this kind of security incident would have a larger and more damaging effect on a smaller company.

According to The Motley Fool, eBay’s data breach was even bigger than Target’s, affecting the personal customer records of 233 million eBay users. It was discovered after the fact that not only was lax security a problem here, but many experts also took issue with how eBay handled the event.

All the information that hackers were able to expose – customer names, shipping and email addresses, phone numbers and even birthdays – was stored in eBay’s system without encryption. Such a protection measure is a requirement for all companies dealing with customer data, causing many security experts, including Trend Micro’s Rik Ferguson, to call the eBay event “inexcusable.”

Even more worrisome is the fact that the breach began a full three months before it was discovered, and even after the company found the infiltration, it waited two weeks before alerting its customers and the public. Even then, eBay did not follow common practices to notify its users that their phone numbers, addresses and birthdates had been compromised. CISOTech noted that eBay simply slapped a banner on its homepage urging users to change their passwords due to the breach. CISOTech contributor Shannon Perry noted that not only was changing her credentials difficult, it was concerning that eBay was treating such a far-reaching security event in this manner.

“That morning, I logged onto eBay myself and changed my password (after almost ten minutes of trying to figure out how); that evening, I found no indication of anything abnormal at eBay.com,” Perry wrote. “Naturally, one does not have to look far to find indignant customers on forums and social media – many eBay users did not receive an email about the breach and think that a temporary banner on eBay’s home page is [sic] an inadequate response.”

Due to these questionable practices, several authorities are now investigating the eBay breach, including the Federal Trade Commission and other legal groups in Connecticut, Florida and Illinois. While eBay noted that there hasn’t been any unauthorized activity on the affected accounts, it may still have to stand up to the rigors of a joint investigation by a number of state and federal authorities.

The Motley Fool also noted another fatal flaw in eBay’s response to the breach: the fact that they failed to learn from other high-profile breaches occurring recently. The importance of bolstering data protection is widely considered common knowledge now, especially after seeing the results of other security incidents.

“In other words, eBay could have easily afforded a security upgrade, but failed to do so even after watching Target and Adobe go down in flames,” Motley Fool contributor Leo Sun wrote. “It’s a simple matter of procrastination and a short-term view of the bottom line – the larger the business is, the harder it is to upgrade its IT infrastructure.”

Obviously eBay’s reputation was considerably damaged by the event, especially as groves of impacted customers felt slighted by how the company dealt with the breach. However, the company is still processing countless transactions a day, continuing to operate as usual. The same could not be said if this type of breach had occurred within a small business. The truth of the matter is, smaller companies don’t have the support or resources to survive a breach that compromises the majority of their customers’ sensitive information. In this way, such an event could cause the collapse of a company.

The online auction giant clearly did not handle its breach as well as it could have. Small businesses can learn a great deal from this case, including a major don’t of data breaches: Don’t wait. The company waited to deal with the breach, waited to notify customers, and waited to improve its encryption and data security until an incident occurred. Now they are left holding the bag, struggling to recover from the incident. Small businesses should note that if and when a breach occurs, they must deal with it immediately, and notify customers as soon as possible to ensure they have the chance to better safeguard their personal data.

Overall, there are several lessons that small businesses can learn from the security incidents of large enterprises. Understanding that technology can be complex and unpredictable, knowing who has access to sensitive information and not waiting to act on a breach are all critical aspects to keep in mind. By following these guidelines, small businesses can effectively mitigate their chances of a malicious intrusion.