In the security industry we often talk about industry trends with a detached, generalist viewpoint. It’s only when real incidents happen and follow-on fraud starts occurring that the impact of soaring cybercrime really hits home. This is an underground economy still on an explosive growth trajectory, welcoming new participants, and causing pain for countless victims, every single day.
Three recent incidents in Australia reminded local residents of this new reality. In all three cases, encryption appears not to have been used to protect critical personal information. Those companies may be feeling the financial and reputational impact of these breaches for many years to come. It’s another unfortunate example of what happens to organizations that don’t put data-centric security front-and-center of their risk management strategies.
The three firms in question were telco Optus, wine merchant Vinomofo and retail marketplace MyDeal. Here’s what happened:
Optus suffered perhaps the most damaging breach. Over two million customers were impacted by a September cyber-attack after a threat actor took advantage of major security gaps to steal a wealth of personal and identity information. This included 150,000 passport and 50,000 Medicare numbers, although 900,000 of the total were subsequently found to have expired. Such details can be a valuable starting point for multiple identity fraud attempts. Given that thousands of these records have already been posted online by the presumed hacker, it’s extremely unlikely they were encrypted. The Australian government has subsequently said that the telco should pay for the replacement of victims’ passports.
MyDeal suffered a cyber-attack just weeks later, when an attacker breached its CRM systems to steal information on 2.2 million customers. Customer names, email addresses, phone numbers, delivery addresses, and dates of birth were among the haul – more than enough to craft convincing phishing and other follow-on fraud scams. There was no mention again by the company that these details had been scrambled, meaning they probably have not.
Vinomofo rounds out the trio. Although it has refused to issue a public statement on the matter, reports suggest as many as 500,000 customers could be impacted. Names, gender, dates of birth, home and email addresses and phone numbers could be among the details stolen from a database accessed from a testing platform. The firm did not confirm to customers whether the information was encrypted, only that it was unlawfully accessed and that they should take precautionary steps going forward.
Today’s IT environments are comprised of a complex blend of legacy and digital systems, and security doesn’t always work as intended, or else is implemented and configured incorrectly. In the case of Optus, best practice API security measures like user authentication were apparently overlooked. In the case of MyDeal, a single compromised employee credential gave attackers the keys to the kingdom – access to a huge trove of customer data. To fully mitigate the risk of data loss, organizations must therefore go back to basics, and protect what really matters – not just the system surrounding the data, but also the data itself.
This is the rationale behind data-centric security. It’s all about delivering continuous and comprehensive discovery and classification of data, wherever it resides in the enterprise, and then applying protection in the form of format-preserving encryption, tokenization or other controls. In this way, organizations can benefit from: