For several years now, government agencies and companies have experienced massive data breaches exposing our most sensitive information. But it seems the general population of users affected by the breaches simply shrug them off. This article takes a closer look at the major breaches and their impacts.
During my experience as a CISO for iconic American companies, military and government agencies, my “go-to” source for data breach information was the Privacy Rights website. The site collects and reports data breach information going back to 2005 which can be sliced-and-diced by year, breach type, and organization type. I would use these data points in my various management presentations to emphasize cyber security-related risks and also focus on breach trends (e.g., losses due to portable devices, etc.) to develop security budgets and strategies. I also augmented Privacy Rights data with the latest Ponemon Institute’s Cost of Data Breach studies.
Over the last 13 years, the Ponemon Institute “has conducted an annual Cost of a Data Breach Study in order to measure exactly how much lost and stolen records could cost companies around the world.” Including Privacy Rights and Ponemon data in my security presentations went a long way in opening management’s eyes to data breaches in general and their associated costs.
However, it seems that the public at large has been desensitized to these “mega” data breaches (breaches that involve 1 Million or more records). There doesn’t seem to be much in the way of accountability, although some CEOs, CIOs and CISOs/CSOs have lost their jobs in the wake of a data breach. Let’s look in more detail at several significant data breaches:
- 2014 Office of Personnel Management (OPM) Data Breach is arguably one of the most egregious of recent data breaches in terms of the sensitivity of the data that was compromised. Attackers exfiltrated 4.2 Million personnel files and security background investigations on 21.5 Million individuals, including 5.6 Million fingerprint files. As early as 2005, OPM’s Inspector General (IG) warned that “despite this high value information maintained by OPM, the agency failed to prioritize cybersecurity and adequately secure high value data.”
Now we find that, three years after the OPM breach, a February 2018 article states that, despite OPM being given $11 Million by Congress to improve its cybersecurity, in the OPM IG’s “latest management report on the IT modernization initiative, auditors called into question the agency’s planning process. The IG says OPM continues to make the same mistakes that plagued its recent unsuccessful ‘shell’ initiative.”
And in June 2018, “a woman admitted in federal court this week that she used the identities of OPM breach victims to take out fraudulent loans through a federal credit union. It appears to be the first criminal case involving OPM data that the Justice Department has publicly disclosed.” Since I held security clearances throughout my career, my personal data was also compromised, and I was notified and provided with credit monitoring. In the aftermath of the data breach, OPM Director Katherine Archuleta and the CIO, Donna Seymour, resigned.
- 2017 Equifax Data Breach saw the entirely preventable compromise of sensitive personal data of 148 million Americans, including names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. Credit card numbers of approximately 209,000 consumers were also breached. As a result of the breach, Equifax’s Chief Security Officer, Chief Information Officer, and Chief Executive Officer all “retired”. If we look at Equifax’s stock prices, we see that, concurrent with the September 2017 disclosure of the breach, the September 15, 2017 market close experienced a precipitous drop in stock price to $92.98 from a September 1, 2017 closing price of $141.59. However, one year later, the stock price on September 14, 2018 closed at $136.68, only a 4% decline. Equifax may face future fines from U.S. agencies such as the New York Department of Financial Services, the Federal Trade Commission and the Consumer Protection Bureau.
- 2013, 2014 and 2016 Yahoo Data Breaches – if the OPM data breach was the worst in terms of the sensitivity of the data compromised, the Yahoo breaches were the worst relative to the number of records breached. “In October 2017, Yahoo! updated its assessment of the hack, and stated that it believes all of its 3 billion accounts at the time of the August 2013 breach were affected.” Yahoo was subsequently acquired by Verizon and, in the wake of the breach disclosure and due diligence analyses, it was determined that Yahoo’s “reputation wasn’t damaged beyond repair”. Verizon stuck with the “deal but lowered its original offer by $350 million”.
- 2014 Home Depot Data Security Breach - 56 Million debit and credit card numbers were stolen from its customers between April and September 2014. As a result of the breach, Home Depot reached a settlement in consumer lawsuits requiring it to pay a minimum of $19.5 million, improve its data security efforts, hire a chief information security officer, and pay the legal fees of impacted customers, which could cost more than $8.7 million. On September 5, 2014, Home Depot stock closed at $91.61 and one year later closed at $114.42 on September 4, 2015. The stock has been on a steady climb and on December 31, 2018, the stock closed at $171.82, or a 47% increase in the four years since the breach was disclosed.
- 2014 - 2018 Marriott/Starwood Data Breach - In September 2018, Marriott launched an investigation after receiving an alert from an internal security tool that triggered on an unauthorized attempt to access the Starwood guest reservation database. The investigation revealed that there had been unauthorized access to the Starwood network since 2014 and that hackers had exfiltrated financial and personal information on more than 500 million guests from the Starwood guest reservation database. On September 4, 2018, Marriott stock closed at $126.55 and at year’s end, December 31, 2018, closed at $108.56, a 14% decline.
I personally dislike the phrase “new normal” since it seems most every aspect of life is not normal at all. The phrase implies that we should just sit back and accept the “status quo”. Our personal, private and financial data are not only stolen, but also commoditized and sold by social media platforms. A December 31, 2018, Electronic Frontier Foundation article suggests that “In the United States, 2018 may go down as the year that government began to get serious about privacy.”
We can only hope that the onslaught of continuing data breaches will result in serious privacy proposals on the legislative floor. But given the current political climate – don’t bet on it.
Regardless, incident response has become more important than ever. Get in touch to learn how CISOBox can help.