Takeaway lessons from someone else’s breach
There were a lot of high-profile data breaches last year—from Target and Neiman Marcus to Evernote and the Federal Reserve website. Attackers are getting more sophisticated and more and more breaches are making the news. While this may make you nervous, it also means you can increasingly learn how to protect yourself by watching how others deal with security breaches and where they went wrong.
Encrypt
Last November, CorporateCarOnline suffered a data breach. They lost 850,000 records including customer credit card numbers and personal information of clients. Even if your clients don’t include Donald Trump and Tom Hanks (or other A-list celebrities, which this one did), a security breach like this is a big deal.
The information stolen was in a plain text document. That plain text document contained the credit card information for a number of high-limit or no-limit American Express cards, not to mention personal information that tabloids would love to get their hands on, and that’s at the innocent end of the implications. Information lost included flight information and even future dates of travel for high-profile clients that would be of interest to corporate spies or perpetrators of espionage.
Attackers would probably have been willing to work very hard to decipher the information stolen from CorporateCarOnline, but they didn’t have to.
The lesson here? Simple. Encrypt your sensitive data.
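As an added illustration (not code from the original post or from any company named in it), here is what the difference between the plaintext record that was lost and an encrypted-at-rest record looks like in practice. The record fields, the sample card number and the all-zero test key are constructed; in a real deployment the 32-byte key comes from a key-management service or a protected environment variable, never from the source file or the data store that holds the records. Each sensitive field is sealed with AES-256-GCM under a fresh random nonce, so a stolen file yields only opaque hex and any modification of the ciphertext is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Record models one customer row of the kind described above.
// The values used below are constructed sample data, not real customer data.
type Record struct {
	Name       string
	CardNumber string // sensitive: must never be stored in the clear
	TravelDate string // sensitive: itinerary data
}

// SerializePlain is the pattern the breach exposed: every field in the clear.
func SerializePlain(r Record) string {
	return strings.Join([]string{r.Name, r.CardNumber, r.TravelDate}, ",")
}

// EncryptField seals one sensitive value with AES-256-GCM (key must be 32 bytes).
// The stored form is hex(nonce || ciphertext || tag), so the nonce travels with the data.
func EncryptField(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err // never fall back to a fixed nonce
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), nil)
	return hex.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; it fails if the key is wrong or the data was altered.
func DecryptField(key []byte, encoded string) (string, error) {
	sealed, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return "", errors.New("ciphertext too short to contain a nonce")
	}
	plaintext, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return "", err // GCM tag check failed: tampering or wrong key
	}
	return string(plaintext), nil
}

// SerializeEncrypted keeps the non-sensitive name readable and seals the rest.
func SerializeEncrypted(key []byte, r Record) (string, error) {
	card, err := EncryptField(key, r.CardNumber)
	if err != nil {
		return "", err
	}
	travel, err := EncryptField(key, r.TravelDate)
	if err != nil {
		return "", err
	}
	return strings.Join([]string{r.Name, card, travel}, ","), nil
}

func main() {
	// Constructed demo key; a real key is loaded from a KMS or secret store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	r := Record{Name: "Sample Client", CardNumber: "4111111111111111", TravelDate: "2014-02-14"}
	fmt.Println("plaintext at rest:", SerializePlain(r))
	enc, err := SerializeEncrypted(key, r)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted at rest:", enc)
}
```

Encrypting the fields is the minimum; the key must also live somewhere the attacker who copies the database cannot reach, and a record that is only ever searched by name does not need its card number decrypted at all.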
Communicate
Details about the Target breach, which happened during the busiest time for holiday shoppers, keep trickling in. Millions of Target customers had their credit card information stolen when Target’s point-of-sale card swipers came down with a bad case of malware. The breach went undetected for two weeks.
Since the breach went public, Target has repeatedly revised information shared publicly about the scope of the breach both in how many people were affected and how much information was lost. Changing their story is hurting Target’s credibility.
Just recently, Target has been emailing customers affected by the breach with information, but that information must be accessed by clicking a link, a common tactic used by phishers. These official emails will make it difficult for customers to distinguish between the real and the fake, putting them at even more risk of credit card theft.
The lesson here? Communicate, quickly, honestly and clearly.
Patch
The Department of Energy lost personal information about 104,000 past and current employees when an attacker broke into an outdated, publicly accessible system. The information included bank account numbers for employees with direct deposit, names, social security numbers and more, all unencrypted.
Although publicly accessible, the database was built for use by the DOE’s CFO. The software had not been updated, even though the updates had already been purchased.
The lesson here? Patch, don’t wait.
Every breach brings new understanding and new lessons about how to protect data and how to react when data loss occurs. No company is in this alone; all are vulnerable. Learn from others and share what you know. Collaboration is key to keeping ahead of the cyber-criminals.