Data are considered gold in this age of digital information. As long as valuable data exist, there will always be interested parties who will attempt to steal and use these data to exploit other people.
Therefore, information security is an important aspect of today’s technology-driven and -powered world. IT security should never be compromised. Statistics shows that 90 percent of business losses come from IT network security lapses.
Furthermore, IT audit should be routinely conducted in an IT infrastructure, preferably by a third-party provider, to identify critical points of improvements or undetected errors within.
Security breaches come with heavy consequences that affect organizations long after they have recovered from data loss or theft.
Nobody Wins in a Data Breach
The truth is, nobody wins in a data breach. Not only hackers but also companies are held liable when a security breach happens and valuable data are lost or stolen.
Companies can be held liable since it is their responsibility to protect data within their company, most especially personal information, whether it’s from their employees or their customers.
When a data breach happens, companies still stand to lose the trust of their employees and customers even if disaster recovery is swift.
Take a look at these three cases of security breaches and what we can learn from the situations:
1. Sony Pictures Entertainment’s Devastating Hack
On November 24, 2014, Sony Pictures Entertainment’s computers were hacked by a group called the Guardians of Peace, who pledged not to stop until Sony Pictures was destroyed.
The hackers shut down the e-mail system, wiped every hard drive clean, and went away with a huge cache of private company data.
Pivotal pieces of these valuable data were later uploaded to torrent sites, and e-mail communication among top Sony honchos, private conversations in meetings, and strategies were revealed.
The most devastating act involved the stealing of personal information of employees, which included their social security numbers. The employees were also threatened and terrorized by these hackers for nearly a month.
Sony faced a lawsuit from its employees, as they claim their information weren’t adequately protected. A settlement about the breach was reached recently.
Months after the breach, Sony still deals with the aftermath, as WikiLeaks published around 30,000 documents from the breach in April this year.
What we need to learn: Organizations can take extra steps to secure the information of their employees and customers. It would also be advisable not to have all of these data in one infrastructure. E-mails should be also stored in a different cloud or database, especially when it concerns internal e-mail communication.
2. Morrisons Staff Insider Security Breach
Morrisons’ employee payroll data have been stolen and exposed to the Internet in an insider security breach in March 2014.
Information such as staff salary details, insurance numbers, and bank details were published, thereby exposing the employees to potential fraud in the long run.
What we need to learn: Did you know that internal security breaches, whether intentional or by neglect, happen more often than external hacks? Even if it was unintentional, internal security breaches are damaging. So, securing operations, administration (people), and third-party vendors should be done. Audits should also be run regularly, and monitoring should be conducted consistently.
3. Ashley Madison Data Breach
Ashley Madison, a Canada-based online dating service and social networking service marketed to people who are married or in a committed relationship, was hacked by a group called the Impact Team that downloaded highly sensitive, financial, and identifying information of its 37 million users. These included some high-profile US and UK government officials and high-level executives.
A lawsuit was made by a man who claims to have suffered from emotional distress because of the leak. He claimed that the company didn’t do enough to protect its client information, knowing that the site runs on absolute confidentiality and privacy.
What we need to learn: The breach could have been prevented if the company had taken extra and needed precautions, such as data encryption, to protect further the information of its users.
Security breaches, unfortunately, have been occurring in frighteningly increasing numbers these days. Companies should have a plan that includes awareness, prevention, countermeasures, and recovery.
Learning vicariously from the cases we shared should also serve as an eye opener to increase the need for better information security and audit.