In a recent statement, the world’s first Internet domain name provider, Network Solutions, revealed that they were the target of a data breach. The company announced that an unknown third-party acquired unauthorized access to some of their computer systems starting in late August 2019. The organization said that they have informed the relevant authorities and are conducting a thorough inquiry.
What kinds of data were affected
Fortunately, Network Solutions encrypts the credit card details stored on their site, meaning that no financial information was compromised. However, personal information such as names, addresses, phone numbers, email address, and information about the services that were provided to the named account holder are still valuable to cybercriminals. The fact that both current and former Network Solutions customers had data leaked means that many people might be unexpectedly impacted.
While it is great to hear that Network Solutions encrypts passwords and that they believe that passwords were not compromised as a specific result of this incident, personal data was not subject to the same level of data protection. With an ever-increasing attack surface, it is almost impossible for organizations to make their perimeter and their systems impenetrable, which leaves sensitive data vulnerable once the perimeter is breached.
How they responded to the breach
Once Network Solutions discovered the unauthorized access, they immediately began collaboration with an independent cybersecurity firm to conduct a comprehensive investigation to determine the scope of the incident, including the specific data impacted. They informed the authorities as well as affected users and as an additional precaution they required all users to change their passwords.
How to mitigate the effects of breaches
The more sensitive data an organization has, the more critical it is to protect that data. A ‘security-first’ policy employing a data-centric approach helps ensure that the data itself is protected throughout an organization.
Applying security measures to the data itself can nullify the consequences of breaches because the extracted information is useless to the attacker. However, classic encryption, while an effective method of data protection, can be extremely burdensome to system resources. This could be part of the reason why many companies don’t encrypt all sensitive data and instead prioritize things like passwords or payment information.
With modern data-centric security approaches like tokenization or format-preserving encryption, it is possible to secure and de-identify data sets with minimal impact to existing applications and processes. That way, there's no need to prioritize which type of sensitive data get protected and every organization can mitigate the risk of losing personal data by protecting all of it throughout the enterprise. What's more, tokenization can even enable organizations to analyze and process while it's still in a protected state.