Cybercrimes and data breaches make personal info vulnerable

Beware of online scam artists

Merdies Hayes | 8/23/2019, midnight

In our fast-paced, online-obsessed world, it may be easy to forget how simple it is to have your private information exposed for nefarious purposes. A common worry among consumers these days is the threat of a data breach, which could result in financial havoc and years of personal turmoil if your private information is exposed for the world to see and exploit.

A data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion. Data breaches may involve personal health information, personally identifiable information, trade secrets or intellectual property.

Common data breach exposures include—but are not limited to—personal information such as credit card numbers, Social Security numbers and healthcare histories, as well as corporate information (e.g. customer lists, manufacturing processes and software source code). Data breaches can be particularly harmful to businesses: if someone who is not specifically authorized to view sensitive information disseminates it, the organization charged with protecting that data could easily lose millions—or billions—of dollars.

Exploiting weak passwords

Data breaches can be brought about by weak passwords, by missing software patches that are exploited or, in the most common occurrence among the public, by a lost or stolen laptop computer or mobile device. Users connecting to rogue wireless networks that capture log-in credentials or other sensitive information in transit can also lead to unauthorized exposures.

While hackers and cybercriminals often cause data breaches, there are also incidents where enterprises or government agencies may inadvertently expose sensitive or confidential data on the internet. These are commonly called “accidental data breaches,” and they usually involve organizations misconfiguring cloud services or failing to implement the proper “access controls,” such as password requirements, for what are termed “public-facing” web services or applications.

In May, Rep. Elijah Cummings (D-Baltimore) introduced H.R. 2545, also known as the Data Breach Prevention and Compensation Act of 2019. The bill was written to help create an Office of Cybersecurity at the Federal Trade Commission for supervision of data security at consumer reporting agencies. It would also establish standards for effective cybersecurity at these consumer reporting agencies, and impose penalties on credit reporting agencies for cybersecurity breaches that put sensitive consumer data at risk. A similar bill, S.1336, was introduced in May by Sen. Elizabeth Warren (D-Massachusetts).

Use commonsense security practices

There really is no definitive security product or control that can prevent a data breach. The most reasonable means for preventing data breaches involve commonsense security practices. These include well-known security basics, such as conducting ongoing vulnerability and penetration testing, applying proven malware protection, using strong passwords/passphrases, and consistently applying the necessary software patches on all systems. A “patch” is a piece of software designed to update a computer program—or its supporting data—to fix or improve it.

Most data breaches occur in the banking industry, followed by the healthcare sector and the public sector. A report issued this year by Verizon Data Breach Investigations found that, among incidents reported from Nov. 1, 2017 through Oct. 31, 2018, the financial industry was hit with 927 incidents, of which 207 were confirmed cases of data disclosure. In healthcare—where most of the breaches were attributed to internal factors—466 incidents were reported, with 304 confirmed cases of data disclosure. In the public sector—where a reported 79 percent of breaches were blamed on state-affiliated “bad actors” (basically foreign government spies)—there were 23,399 incidents, of which 300 were determined to be confirmed data breaches.