Data breaches like the one that affected Sony aren’t the end of the world if companies are honest with customers who have been affected.
Since the beginning of this year, we have seen a large number of mass-scale data losses hit the headlines in the UK, as major brands including Sony and Epsilon admitted to major data breaches. Incidents of this nature put customers' identities at risk, because the attackers gain access to personal data that can include credit card details, email addresses and passwords.

The full details of the attack on Sony last month have still to emerge. Initially, the company informed its customers that the personal data of up to 70 million people had been stolen. Since then, it has been confirmed that a second attack on the network took place, involving the possible theft of a further 25 million user records, making this one of the biggest data loss incidents of all time. It may seem a staggering scenario that a household brand like Sony could lose information usable to defraud more customers than there are people in Germany, but large-scale data losses have happened before. Many times.
Just in March this year, US marketing firm Epsilon confirmed that an undisclosed (but substantial) number of records had been stolen, affecting customers of Play.com and Trip Advisor. Even security firm RSA confirmed that some information had been compromised from its servers in April.
No matter what sector an organisation is in, businesses need to fully realise that in storing their customers' personal and financial data they are holding assets that determined cybercriminals consider very valuable; the £46.7m lost to online fraud in 2010 is testament to this.
Companies must take this issue far more seriously. They should be continuously testing and monitoring their defences, and making sure that if information is stolen it is indecipherable, worthless junk to the criminals: encrypted where it must be recoverable, and hashed where, as with passwords, it never needs to be.
Data breach cases that hit the headlines will of course lead to severe reputational damage; however, this doesn’t mean that smaller, lower-profile companies are safe from these threats. Criminals frequently seek out these companies and target them to quietly steal their money, data and customer records, often without being noticed. The biggest mistake is thinking that you work for a company that is too small and insignificant to be targeted.
By making IT systems harder to break into and protecting stored data by encrypting it, companies make themselves a far less attractive target for crimes of this nature. Sony has attempted to reassure customers that their credit card details were encrypted. However, the personal information on the PlayStation Network was not, meaning that the attackers may have access to names, addresses, email addresses, birth dates and passwords. Merely encrypting the payment details in this instance just isn't enough.
However, the biggest mistake that Sony has made throughout this ongoing fiasco is the lack of honesty and transparency with its customers. More and more information continues to emerge and customers are left unsure of where they stand.
Compare this with LastPass, which recently issued a statement announcing that it had noticed an anomaly in its network traffic, indicating an unauthorised transmission of data; this is how companies should react to such problems. As soon as its engineers noticed the anomaly, LastPass quickly and openly communicated the potential breach to all affected parties and encouraged them to change their master password as a precaution.
While all data breaches are likely to lead to reputational and potential financial damage, if companies follow the example of LastPass, and not Sony, and openly communicate concerns with their customers, they are far more likely to retain the trust of their end-users, minimising the fallout from such attacks.
Carole Theriault is a security consultant with Sophos (nakedsecurity.sophos.com)