A Data Breach a Day; Or So It Seems

05/24/2011 | Chris Silva

Every time I turn on the news it seems we are hearing about another serious data breach in which customer information has been compromised and the organizations in question are very slow to react. I will admit that, given my profession, my ears are much more finely attuned to this type of news. Even so, I am surprised at the rate at which stories of serious data breaches are appearing. Not only are these stories becoming more frequent, but the information being compromised is increasingly sensitive. First we learned that RSA had potentially lost the seed values for SecurID, likely the most widely deployed two-factor authentication token; now we are headed into even darker territory.

The latest in this string of incidents is taking place in my own back yard, at the Commonwealth of Massachusetts. I am personally disappointed to learn of the loss of an unknown number of clients' personal data (names, addresses, Social Security numbers and more), since Massachusetts, along with California, has long been a bellwether on data protection with laws such as MA 201 CMR 17. It is unsettling to see a data breach of this scope take place at all, but worse to see it caused by a virus that had already been in the wild for some time, even though the State officials quoted will tell you it is "new" and "advanced"; sound familiar? The bit of good news I can find in this story is that the Commonwealth does seem to be trying to get in front of the breach and has been forthcoming about specifically what data was compromised.

Unfortunately, the compromised data is a perfect mix of everything an identity thief needs to commit fraud. To put the matter into perspective, the Massachusetts breach, while far smaller than Epsilon's, which exposed names and e-mail addresses, carries much greater fraud potential. To make matters worse, as I write this there is "no mechanism available" to estimate the scope of the breach or who specifically has been affected by it. The visibility the Commonwealth has into its systems, and the way in which both access and activity are tracked, appear to be severely lacking. The result? Some of the people whose information was compromised may only realize it when they start receiving unfamiliar queries from creditors, or find a negative entry on their credit report, as a result of identity theft made possible by the stolen data. It is notable that the department impacted by the breach, the Department of Unemployment Insurance, makes the rather bold statement that the breach is no longer active, despite the fact that previous attempts to eradicate this same virus, W32.QAKBOT, from its environment were unsuccessful.

After watching and reading the news coverage of this breach, a few thoughts came to me. As of today, I believe we have not heard the last of this issue. We know the Commonwealth does not yet have the means to measure the damage done by this breach, so I believe its PR and legal teams will be responding to it for some time to come. I can only hope that the IT, information security, and GRC teams are currently devising a plan to understand what controls can be put in place to avoid a repeat of this scenario and its related collateral damage.

So what are the lessons to be learned? While breaches will continue and more companies will have their "CNN moments," the test of any information security and risk team's mettle will be in its response. The keys to a solid response are simple in design yet complex in deployment:

  • Strengthen the ability to monitor applications for suspicious activity (e.g. access to servers containing PII, odd traffic patterns such as bulk reads or connections from unexpected source addresses).
  • Strengthen policies to tightly control which users have access to what data, and keep a detailed log of that access. A complete audit trail is an invaluable asset in determining the reach of a breach and will inform a proper response; without one, an organization is left with "no mechanism available" to say who was affected.
  • Establish and implement policies that spell out in detail which systems hold information that is subject to compliance obligations or is sensitive if breached. Undertaking such a data classification project puts the organization on the path toward limiting which users and systems can reach that information, and toward isolating compromised systems from it.
  • Process plays a key role as well, and a primary task should be detailing how logs are obtained, archived and reviewed. Early detection is one of the best tools to limit the damage such an incident will cause. Being proactive relies on solid policy on which all team members are trained and up to speed.
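To make the first three points concrete, the following is an added example (not code from the original post, and not anything the Commonwealth runs) of a small detection pass over application access logs. Everything in it is constructed for illustration: the log line format, the host classification map, the list of accounts authorized to touch PII systems, the internal address range, and the thresholds. It ties a data classification table to an access policy and then flags three things in a log feed: an account outside the authorized set reading a PII-classified host, a PII host being reached from an address outside the internal network, and one account pulling an unusual volume of records within a short window.

```python
"""Toy log-driven detection for PII-system access (added example, not the original post's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed data classification: which hosts hold PII (constructed for this example).
DATA_CLASSIFICATION = {
    "ui-claims-db01": "PII",
    "ui-claims-app02": "PII",
    "intranet-wiki": "INTERNAL",
}

# Assumed access policy: the only accounts allowed to read PII-classified hosts.
PII_AUTHORIZED = {"svc_claims", "jdoe"}

# Assumed internal address space; anything else touching a PII host is suspicious.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Assumed log format (key=value fields), constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) records=(?P<records>\d+)$"
)

# Constructed sample log lines; the last one is deliberately malformed.
SAMPLE_LOG = """
2011-05-17T09:02:11 host=ui-claims-app02 user=jdoe src=10.1.4.22 action=read records=3
2011-05-17T09:03:40 host=ui-claims-app02 user=jdoe src=10.1.4.22 action=read records=2
2011-05-17T09:10:05 host=intranet-wiki user=asmith src=10.1.7.9 action=read records=1
2011-05-17T09:15:30 host=ui-claims-db01 user=asmith src=10.1.7.9 action=read records=40
2011-05-17T23:41:02 host=ui-claims-db01 user=svc_claims src=10.1.4.50 action=read records=450
2011-05-17T23:44:19 host=ui-claims-db01 user=svc_claims src=10.1.4.50 action=read records=380
2011-05-18T02:10:44 host=ui-claims-app02 user=svc_claims src=203.0.113.7 action=read records=5
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    ev["records"] = int(ev["records"])
    return ev


def is_internal(src):
    """True if the source address falls inside an internal network range."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines, bulk_threshold=500, window=timedelta(minutes=10)):
    """Return (alerts, unparsed_count).

    Each alert is a tuple (kind, user, detail). Only events on PII-classified
    hosts are examined; lines that fail to parse are counted, not silently dropped,
    because a gap in the audit trail is itself worth knowing about.
    """
    alerts = []
    unparsed = 0
    pii_events = defaultdict(list)  # user -> events on PII hosts

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if DATA_CLASSIFICATION.get(ev["host"]) != "PII":
            continue  # classification decides what gets monitored
        if ev["user"] not in PII_AUTHORIZED:
            alerts.append(("unauthorized_pii_access", ev["user"], ev["host"]))
        if not is_internal(ev["src"]):
            alerts.append(("external_source", ev["user"], ev["src"]))
        pii_events[ev["user"]].append(ev)

    # Volume anomaly: records read by one account within a sliding time window.
    for user, evs in pii_events.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            total = sum(e["records"] for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window)
            if total > bulk_threshold:
                alerts.append(("bulk_read", user, total))
                break  # one alert per account is enough to trigger review

    return alerts, unparsed


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG.strip().splitlines())
    for kind, user, detail in found:
        print(f"ALERT {kind}: user={user} detail={detail}")
    print(f"{bad} line(s) could not be parsed")
```

Run against the constructed sample, this reports asmith reading a PII host without authorization, svc_claims reaching a PII host from 203.0.113.7, and svc_claims pulling 830 records in under ten minutes, plus one unparseable line. The classification map and the authorized set are the policy artifacts the bullets above call for; the detection code is only useful once those exist and the logs are actually collected.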

Another interesting outcome of the recent spate of data breaches is a renewed call for a Federal data breach reporting law. I believe that, like anything, a Federal law has advantages and disadvantages. Certainly, having one Federal law that everyone follows would make things simpler when it comes to reaction and management, but, as we saw in Massachusetts, a very good law will not prevent data breaches when departments are simply managing to compliance. Best practices are rooted in risk-based planning with an eye toward the business impact of a breach, not the technology impact.


Keywords: Current Affairs