With technological advances on the rise, there come more people who try to steal sensitive information. Sadly, 2015 saw many companies fall victim to aggressive hacking attacks, with the resulting damages amounting to millions of dollars. Let’s look back at two of the worst data breaches from last year, and how you can learn from these companies’ mistakes:
VTech Learning Lodge
Known for producing children’s educational toys, VTech Learning Lodge was attacked by hackers on November 14, 2015. Customer data included was collected from at least five million adult customers and hundreds of thousands of children. What made the situation worse was that hackers could figure out where the children lived by linking their information with that of their parents’.
The Problem: Australian security expert Troy Hunt examined VTech Learning Lodge’s security measures and concluded there were a number of major security issues. The brand’s account registration process did not implement SSL/TLS (Security Sockets Layer/Transport Layer Security), an encryption process that many consider to be essential for protecting personal information. VTech also claimed to use password encryption, but Hunt found that the brand used an incredibly weak algorithm called MD5. According to Hunt, passwords produced by MD5 could be cracked in little to no time.
Identify thieves are getting smarter and smarter. Instead of targeting general websites for sensitive information such as social security numbers, which they could sell on the black market, some have zeroed in on healthcare websites that are rife with that kind of data.
Anthem, the second largest healthcare provider in the USA as well as the largest health insurer in the Blue Cross and Blue Shield Association, was breached on December 10, 2014. To make matters worse, this attack wasn’t detected until January 27, 2015, nearly a month and a half later. A database administrator found suspicious queries were being run using his credentials, despite the fact that he didn’t start any such process in the first place.
The Problem: Though many speculated that the breach was a result of a complicated attack, it appears that this attack succeeded through using phishing methods, based on the fact that the query was run using legitimate credentials. Dave Kearns advises companies to implement systems that can conduct stricter behavioral analyses of all logins, whether for internal employees or for outsiders, in order to catch any suspicious activity before it’s too late. Another way to strengthen the company’s defenses would be to activate context-aware access control, which would identify several factors about a login and authentication session, including the time, date, and location.
Unfortunately for businesses, many more companies had their data compromised, and it seems like cyber attackers won’t stop targeting new ones any time soon. When you run a business, you don’t just hold your own information, but that of your customers’ as well. Now that you’ve seen the weaknesses in other companies’ cyber security measures, it is your enterprise’s responsibility to ensure that the same violations won’t happen to your own employees and customers.