2015: The Year The Data Breach Got Personal | ExtraHop


Mike Sheward is a Product Manager for Security at ExtraHop Networks with a long list of certifications to go after his name, including CISSP, HCISPP, CCFP, CISA, CISM, CEH, CHFI, OSCP.

2015 will go down as another landmark year for big-time data breaches. Once relegated to the pages of industry publications, and shared like traditional war stories amongst groups of information security professionals at community events, data breach stories are now almost a permanent fixture in the mainstream media.

Of course, major breaches are not a new thing. In prior years we've seen some sizable events that have all, in some way, gone down in the annals of information security history. What made 2015 any different?

It was the year data breaches got personal.

Your Credit Cards, Your Medical Records, Your Life

By now, many of us have had to replace a credit card, because it was at risk as the result of a breach. It's frustrating, it's inconvenient, and it seems to be happening with increasing frequency.

On the positive side, because of the increased frequency, responding to a compromised card record has become relatively run of the mill. Cards can be cancelled and reissued within a couple of days. The potential damage caused by a stolen card is a known quantity.

Other types of stolen records are not as easy to respond to, nor is the risk associated with their loss as easy to mitigate. I'm talking about records containing deeply personal information, which have become the target of choice for malicious actors.

The Most Personal Data Breaches Of 2015: Health Insurers

In February, Anthem, the second largest health insurer in the US, announced it had suffered a breach involving just under 80 million records. These records included social security numbers, dates of birth, addresses, contact information and employment information for Anthem customers, and indirect customers. This data is everything a person with malicious intent would require to perform identity theft.

Another major US health insurer, Premera Blue Cross, reported a similar breach affecting a potential 11 million people.

If you spend a short amount of time browsing the black markets of the Internet, it's easy to see why healthcare records are being targeted. A stolen credit card number fetches at most a couple of dollars, while a record including a social security number can be sold for $10 or more.

Your Fingerprints and Your Love Life

In June, the US Office of Personnel Management, the agency that processes security clearances for the US government, reported that it had been the victim of a cyber attack. Highly sensitive personal information, regarding people with access to the most sensitive information the US government has in storage, was now in the hands of an unauthorized party with malicious intent. The total number of records stolen was around 21 million, and this included 5.6 million sets of fingerprints (really bad news if you're a secret agent).

In July, a very different kind of service, but one that stored just as much sensitive information, was compromised. Ashley Madison, an online dating site that specializes in catering to married folks who wish to engage in extramarital activities, found its entire user database leaked online. The parent company alluded to the fact that whoever leaked the information had some degree of internal access.

Whatever your opinion of the site's clientele, it is worth noting that the release of the data had a very tangible impact on the lives of those who were exposed by the breach. Many were shamed publicly on social media, and there have even been reports of suicides linked to the breach.

So what do these examples teach us about data breaches in 2015?

Data can be a lot of things, but one thing it isn't anymore is a mere splattering of 0's and 1's that happened to be stored together. Data represents people's lives, their identities and their livelihoods. If you're involved in handling or processing such data, you must begin to think of data in these terms.

As attackers and breaches get more personal, so too must the defenders and their security strategies. Security professionals must come out from the trenches, and work more closely with other areas of the business than ever before.

Everyone has something at stake when it comes to security.


This is a companion discussion topic for the original entry at https://www.extrahop.com/community/blog/2016/year-data-breach-got-personal/