Due to our technologically advanced society, people often assume the strategies IT experts put in place to prevent database hacks are increasingly effective.
Despite the fact security techniques and applications are becoming more robust, mistakes are made, and shortcomings exist.
An investigation of some of the most prolific hacks of 2017 reveals the time to take decisive action against database hacks is now.
In late February 2017, news broke that 760 gigabytes of private data related to New York’s Stewart International Airport were made available online. A tech blogger discovered the blunder, contacted the airport and was told only one outsourced IT specialist handled all operations at the facility. The blogger got in touch with that worker and learned the airport had tested backup software and, while doing so, opened a port on the airport’s firewall.
Ultimately, the tech blogger made an educated guess and concluded the opening in the firewall probably caused the information leak. However, it’s surprising that the data — which included passwords and emails — was not encrypted. This occurrence is a case in point for why it’s smart to distribute information security duties to multiple individuals and protect the data they handle.
It’s not hard to imagine how severe the consequences could have been if a malicious hacker had discovered the vulnerability rather than a well-meaning blog writer. Disabled firewalls leave companies and their assets vulnerable to people who intend to wreak havoc.
Statistics compiled from government and industry sources indicate over 90% of cyberattacks happen due to stolen employee information. Phishing is the most common method hackers use to take credentials, and some of the sites they build to lure users are incredibly realistic.
After its massive data breach that affected 143 million people, Equifax dominated headlines for a different but related reason: Insufficient proofreading and site testing meant that a link the company provided for customers to determine if their data was compromised pointed to a look-alike, bogus site.
In that case, an everyday individual created the internet destination out of concern and didn’t steal data. But, the fact that Equifax itself directed visitors to a fake site shows how easily hackers can do the same — and employees or other members of the public can fall for the trick.
Evidence shows that approximately 85% of companies that try to create a configuration management database fail at the task. Sometimes that’s because they store data in multiple places and don’t handle it uniformly in each location. Even more commonly, companies manage their assets from the bottom up. That means they start gathering data without intentions for how to use it.
The more data a business possesses, the more attractive a hack becomes to people who want to exploit that information. That’s why it’s crucial for companies to decide what kind of data they require and how to keep it safe before obtaining it. If they instead fail to prioritize their processes for best results and choose the proper security measures, database hacks could occur before business leaders even realize it.
Hackers can also gain access to private information if encryption devices are not turned on. Clothing retailer Forever 21 found that out the hard way and published a news release confirming cybercriminals accessed credit card details associated with the company’s customers for seven months.
An investigation carried out by Forever 21 found encryption capabilities on devices used to log payment transaction were not always activated during the breach period. The lapse allowed the hackers to gain entry to the credit card database, then install malware that could read data associated with the cards.
The company also confirmed the extent of the attacks at each affected store varied. Sometimes, the encryption was only disabled for several days, but in other cases, the vulnerability was present for the entire duration of the hack. It is also unclear whether Forever 21 stores outside of the United States — which use different payment systems — suffered from breaches.
Although data gets stolen for various reasons, the fact remains that businesses literally cannot afford to show a lack of vigilance regarding database security. Data breaches erode consumer trust and are costly to the targeted companies — both in terms of money and reputation damage.
Plus, businesses that do not plan for the worst while upholding stringent security practices to minimize or prevent damage increase the likelihood of scrambling to react rather than proactively preventing issues.
As some of these case studies indicate, keeping hackers out of databases can be as simple as mandating training that helps employees recognize phishing attempts or keeping firewalls activated.
Photo by skeeze