Yahoo has announced that 500 million of its customer accounts have been compromised. The hacker, who investigators suspect was state-sponsored, made away with usernames, hashed passwords, email addresses, telephone numbers, birth dates, and other private information. At this time, it does not look like any payment card information was stolen.
The breach, which appears to have occurred two years ago, will likely qualify as the biggest data theft of all time in terms of the number of accounts that were affected. High-volume attacks like this have dominated the news over the past year, including one that affected 70 million Target customers at the end of 2014 and another that impacted 80 million customers of Anthem, a health insurance provider, earlier this year. The Anthem attack is believed to have been perpetrated with the support of the Chinese government to help China learn how to set up and expand its health insurance industry.
Companies of all shapes and sizes face increasing threats due to cyber attack. Hackers have a significant financial incentive to attack organizations, as each piece of confiscated personal information carries a handsome bounty. A single social security number can fetch $30 on the open market; a date of birth can garner $11. A single bank account number can earn the hacker $300. Hackers stand to gain a lot of money, which is why they engage in these sorts of heists.
Evidently, hackers have been quite successful at carrying out such attacks. According to the NetDiligence 2015 Claims Study, the average cost of a data breach today is $674,000. That average penalty doubles for healthcare records. The average cost per lost customer record is a whopping $964. Clearly, this is a lucrative market, and the effects on organizations can be crippling.
Not all breaches are caused by hackers. While 31% of them have been traced to hacker activity, malware such as viruses and worms that spread through a system are the culprit in 14% of the cases. And an organization’s employees are to blame 11% of the time. For some employees, that unconscious reflex to click on a link proves too tempting, and that simple mistake can significantly harm their employer.
When an organization experiences a large data breach, responding properly is critical to limiting the damage done to its customers and to its reputation. An appropriate and disciplined response needs to be conducted at all levels of the organization. Tom Drez, a Lewis Computer Science alumnus who now works as Chief Information Officer and Chief Security Officer at Christian Brothers Services, recently gave a presentation to Lewis students called “Cyber security, cyber risks, and data breaches: Oh my!”. In it, he described the appropriate response to a data breach as one that involves all C-level officers. The CEO needs to notify the Board of Trustees of the organization. The CFO needs to work with the company’s cyber security insurance broker and act as the liaison to the broker for the claim processing so that its assets and those of its customers can be properly protected. The organization’s general counsel must be notified and consulted to gauge the extent of the company’s liability. The COO or communications department head must notify the affected constituents, a Herculean task when you’re talking about 500 million victims. A call center must be set up to respond to inquiries from the victims, again a mind-boggling task when you’re talking about a huge data breach like this. The CIO and the technical team need to conduct an investigation to determine the extent of the damage and how to prevent it in the future.
The response is complex, but it has to be done quickly, consistently, and decisively. For this reason, it is increasingly common for organizations to have a carefully crafted Data Breach Protocol established ahead of time, so that they can respond as nimbly as possible when these kinds of events occur. Data Breach Protocols need to become as commonplace as business continuity and disaster recovery plans.
Computer systems are technically complex productions that interface with unpredictable, fallible, and sometimes devious humans. That’s quite a nourishing recipe for hackers to feed on as they work to gain the riches that stolen data can earn them. The Yahoo breach, although the biggest so far, likely won’t be the biggest for long, and by no means will it be the last. It probably won’t even be the last breach to be reported this month.