Cyber Security Attacks Which Could Have Been Prevented
In recent years, a number of cyber security attacks have been carried out on reputable organisations. Each time, millions of customers’ personal details ended up in the wrong hands. These attacks succeeded as a result of careless data handling by the data controllers themselves.
Cyber Attacks on Reputable Organisations
We can all recall the eBay cyber-attack in March 2014, where hackers managed to steal a small group of employee logins. This gave them access to eBay’s corporate network, along with 145 million customers’ personal information. The hackers were able to access details such as names, dates of birth, home addresses, phone numbers, email addresses and encrypted passwords.
TalkTalk is another reputable organisation that was recently affected by a Distributed Denial of Service (DDoS) attack. The attack involved hackers disabling a number of TalkTalk’s networks as a distraction tactic, whilst they stole thousands of customers’ details, including bank account numbers and sort codes.
Protecting Important Organisational Data
With data breaches of this scale occurring regularly, we need to look at the various ways we can protect organisational data.
Some of the ways employers can protect organisational data:
- Setting simple access rights controls to limit read access to important network drives
- Setting up a two-step verification process for logging into organisational networks
- Implementing physical security controls such as CCTV & DDS security cameras on company premises
- Managing passwords (i.e. set systems to only allow strong passwords with a combination of special characters & numbers)
- Managing the destruction of sensitive company documents (i.e. using a shredder to destroy documents)
PCI Data Encryption
In 2004, American Express, JCB International, Discover Financial Services, Visa Inc. and MasterCard Worldwide formed the Payment Card Industry Security Standards Council. This group worked together to incorporate technical requirements into each of their data security and compliance programs. Some of these requirements include implementing strong access control measures and regularly monitoring and testing networks.
TalkTalk admitted that they did not encrypt consumer data such as credit card details and telephone numbers. When interviewed about this, TalkTalk’s CEO Dido Harding said: ‘it was not encrypted, nor are you legally required to encrypt it’.
Whilst this statement is true, more could have been done to avoid this attack. They should have tested their systems regularly and monitored them more closely. At least some of their customers’ financial data should also have been encrypted, which would have minimised the effect of such a security breach. As a direct lender who handles personal customer data, we are required by law to encrypt some of the data we handle. We follow the Payment Card Industry Security Standards and regularly test our networks to ensure we meet all compliance regulations.
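The point above is that encrypting financial fields at rest limits what a stolen database dump is worth. The following Go program is an added example, not code from the article or from Oakam; the Customer record, the field names and the 32-byte key are all constructed for illustration, and in practice the key would live outside the database (for instance in a key management service) so that a copy of the stored rows alone cannot be decrypted. It encrypts the sort code and account number with AES-256-GCM, binds each ciphertext to its column name so values cannot be swapped between fields, and checks that the stored form no longer contains the plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Customer is a constructed record of the kind the article says should be
// stored with its financial fields encrypted. Only SortCode and AccountNumber
// are treated as sensitive here.
type Customer struct {
	Name          string
	SortCode      string
	AccountNumber string
}

// StoredCustomer is what would be written to the database: each sensitive
// field is replaced by base64(nonce || AES-GCM ciphertext).
type StoredCustomer struct {
	Name          string
	SortCodeEnc   string
	AccountNumEnc string
}

// newGCM builds an AES-GCM AEAD from a 32-byte key (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field with a fresh random nonce. The column name is
// passed as additional authenticated data, so a ciphertext moved to another
// column fails to decrypt.
func sealField(aead cipher.AEAD, column, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; any error means wrong key, wrong column or
// a modified ciphertext, and the caller must not use the result.
func openField(aead cipher.AEAD, column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptCustomer produces the record that would be persisted.
func EncryptCustomer(key []byte, c Customer) (StoredCustomer, error) {
	aead, err := newGCM(key)
	if err != nil {
		return StoredCustomer{}, err
	}
	sc, err := sealField(aead, "sort_code", c.SortCode)
	if err != nil {
		return StoredCustomer{}, err
	}
	an, err := sealField(aead, "account_number", c.AccountNumber)
	if err != nil {
		return StoredCustomer{}, err
	}
	return StoredCustomer{Name: c.Name, SortCodeEnc: sc, AccountNumEnc: an}, nil
}

// DecryptCustomer restores the plaintext record for an authorised reader.
func DecryptCustomer(key []byte, s StoredCustomer) (Customer, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Customer{}, err
	}
	sc, err := openField(aead, "sort_code", s.SortCodeEnc)
	if err != nil {
		return Customer{}, err
	}
	an, err := openField(aead, "account_number", s.AccountNumEnc)
	if err != nil {
		return Customer{}, err
	}
	return Customer{Name: s.Name, SortCode: sc, AccountNumber: an}, nil
}

// LeakExposesPlaintext reports whether a dump of the stored record still
// contains either sensitive value in the clear.
func LeakExposesPlaintext(s StoredCustomer, c Customer) bool {
	dump := fmt.Sprintf("%+v", s)
	return strings.Contains(dump, c.SortCode) || strings.Contains(dump, c.AccountNumber)
}

func main() {
	key := make([]byte, 32) // placeholder key; a real one comes from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c := Customer{Name: "Example Customer", SortCode: "12-34-56", AccountNumber: "12345678"}
	stored, err := EncryptCustomer(key, c)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", stored)
	fmt.Println("plaintext visible in dump:", LeakExposesPlaintext(stored, c))
	back, err := DecryptCustomer(key, stored)
	fmt.Printf("decrypted: %+v (err=%v)\n", back, err)
}
```

Without the key, the stored row gives an attacker the customer’s name and two opaque strings; with it, an authorised service reads the original values back, and any tampering with or re-ordering of the encrypted columns is rejected rather than silently returning wrong data.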
Limiting our Social Media Transparency
Nowadays, we are so transparent on social media that we even list our employment information for all to see. All too often, hackers use the information displayed on social media profiles to impersonate work colleagues.
We need to ask ourselves the following questions:
- Is it really necessary to list all your projects, your job title and the company you work for on your Facebook profile?
- Can your full date of birth be found on social media? It could be worth just showing DD/MM (date/month) information here.
- Is your Facebook profile set to public? It could be worth setting your Facebook profile to private.
It’s really worth thinking about the kind of information we put out there for everyone to see.
It is fair to say that not all security systems are perfect and attacks of this nature do happen to even the most careful.
Each of these cyberattacks has taught us a valuable lesson: consumer data, in whatever form, needs to be protected in a way that reduces the chances of a security breach.
Cyber criminals are developing increasingly sophisticated tactics to infiltrate corporate networks. Organisations need to apply encryption to sensitive data and stop these data leaks before they can start.
Let’s work tirelessly to build effective and secure systems so that these cyber-attacks can one day be a thing of the past.
About the Author
Frederic Nze is the CEO and Founder of Oakam, a fintech company that provides simple financial services for people who find it difficult to borrow from banks.
Edited by Peter Bernstein