Learning from Mistakes: What These 4 Big Data Breaches Teach Us

Nobody is perfect. Everyone makes mistakes, and anyone can fail -- especially in the business world.

IBM’s "2015 Cost of Data Breach Study" shows that the average total cost of a data breach is $3.8 million, representing a 23 percent increase since 2013. The cost for each lost or stolen record increased 6 percent, from a consolidated average of $145 to $154.

Several companies also have been sued for their negligence in preventing these attacks. Data breaches are huge failures, but taking a look at these four big ones can teach us a thing or two about how to better secure our data.

1. Home Depot

The largest home improvement chain in the world suffered a breach that resulted in compromised credit and debit card information for 5.6 million Home Depot customers in September 2014. Then in November of that year, about 53 million email addresses were stolen. The company said that the hackers used a third-party source to enter the Home Depot network, and then installed malware affecting the self-checkout systems.

This data breach involved credit and debit cards, along with customer’s personal information. Most of these breaches occur where the “swipe and sign” or magnetic strip method of reading a card was used.

The United States is one of the slowest in adopting the chip-and-PIN technology, where a chip is embedded in the card and requires a PIN for authentication. This technology is almost impossible to reproduce, and expensive at that, making it harder for hackers to commit fraud. But the key word is “harder.” Hacker technology is always evolving; thankfully, the current skill sets taught within the information security and cyber security fields are up to the challenge of keeping up with hackers’ latest crime technology.

2. Sourcebooks

In October 2014, there was a breach of Sourcebooks' shopping cart software. Data stolen included credit card numbers, expiration dates, billing addresses, names, etc.; PINs were not stolen.

Businesses that rely on shopping cart software are particularly vulnerable to hackers because it is tricky to get it right the first time. Especially for smaller businesses, it’s best to outsource your shopping cart’s handling of credit and debit cards to an experienced and reputable third party.

3. Community Health System (CHS)

In August 2014, CHS announced that information from almost 4.5 million patients was stolen through a cyber attack that originated in China. Hackers stole Social Security numbers and other personal data. It’s suspected that they took advantage of the Heartbleed Bug. Human error in developing the software expected to secure private information allowed hackers to use the bug to steal data. In order to prevent this kind of attack in the future, Fixed OpenSSL must be deployed by users and service providers as it becomes available.

4. Sony

If the Sony data breach taught us one thing, it is that no organization is safe from hackers. The breach outed employee information, the salaries of famous actors, medical information, and even movie scripts. There are questions about this breach because, as Adrian Sanabria of 451 Research says, “You should definitely be able to detect somebody copying 40GB of data systematically.” In 2005, an audit revealed that Sony had several security weaknesses, including access controls that weren’t strong enough.

Lessons to Learn

It’s clear that the kinds of data breaches and the solutions to preventing them are varied, but here are a few takeaway lessons from these four data breaches:

1. Have a well-designed business process. Plan and design your business process, and make sure all your sensitive information has been documented and has a safeguard in every step of the process.
2. Encrypt mobile devices, laptops, and removable media. Encrypt your devices to assure that no data will be stolen in the case of theft or loss. Encryption is a process that uses mathematical algorithms that help to convert sensitive information into unreadable forms.
3. Avoid accidental publishing to the web or email. It seems obvious, but accidentally sending confidential information in an email is a huge security concern.
4. Have appropriate access control. Conduct regular security audits, and keep a list of those who have approved access to sensitive data.