Safer Internet Day: How much of a risk are data breaches?
The average cost of a data breach rose to $4.24 million in 2021, a 17-year high, according to the latest IBM Cost of Data Breach Report
Data breaches have become frequent. The problem was compounded in 2021, which saw an upward trajectory in hackers gaining unauthorised access to user data on websites and online platforms. The impact of the breaches is broadening too, data shows.
The average cost of a data breach rose to US$4.24 million in 2021, up from $3.86 million the previous year. It was a 17-year high, according to the latest IBM Cost of Data Breach Report.
Remote work has accelerated the cost and the impact of data breaches. Social media networks, shopping websites, video game platforms, hotel chains, airlines, restaurants, food delivery services and financial institutions have been targeted, and they remain vulnerable.
Data is the oil of the 21st century, British mathematician Clive Humby said in 2006. The phrase has really caught on as the digital economy has grown.
Data breaches over the past few years show how priceless data is. According to security company Norton, a data breach is a security incident in which information is accessed without authorisation. “Data breaches can hurt businesses and consumers,” says the security company’s description for data breaches.
“In 2021, we saw a shift in the identity crime space. Too many people found themselves between criminals and organisations that hold consumer information. We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud,” says Eva Velasquez, president and CEO of the Identity Theft Resource Centre in the US, in the latest Annual Data Breach Report.
There seems to be a shift in how data breaches are carried out, from phishing for data to ransomware. “Malware installs itself onto a victim’s machine, encrypts their files, and then turns around and demands a ransom (usually in Bitcoin) to return that data to the user,” says security company McAfee in its description of ransomware.
The idea is to get hold of the user data on an online platform and then earn money out of it. This is done either by selling it online or demanding money from the platform that has been attacked.
Ransomware isn’t new. “Over the past 18 months, the Sophos Rapid Response Team has been called in to investigate and remediate hundreds of cases involving ransomware attacks,” says security company Sophos in the 2022 Threat Report. “There have been significant changes to the ransomware landscape over this period: the targets have shifted to ever-larger organisations, and the business model that dictates the mechanics of how attacks transpire has shifted.”
Their data suggests as much as 79% of the incidents were caused by ransomware attacks. Other categories, such as miscellaneous malware (5%, including spyware, trojans, adware, and viruses), are significantly lower in comparison.
Some of the biggest data breaches in 2021 involved popular brands across industries. Facebook confirmed in April that an attack allowed hackers to get hold of the account data of 533 million users in 106 countries. The vulnerability that allowed it has since been fixed. Microsoft-owned professional network LinkedIn said in June that a hacker got access to data of 500 million users, including phone numbers and email addresses.
Automaker Volkswagen said hackers accessed details of over 3.3 million customers, including mailing addresses, phone numbers and vehicle information. “This included information gathered for sales and marketing purposes from 2014 to 2019,” said Audi and Volkswagen in a statement. It added that a vendor had left data unsecured.
The US-based Colonial Pipeline faced a ransomware attack using a VPN account with a compromised password. The damage included a halt to fuel supply on the mainline, which led to fuel shortages in large parts of the US. Hackers demanded $5 million in Bitcoin, which was paid after some negotiation, though most of it was recovered later.
In July, 2,000 companies globally, whose networks and computers were managed using the Kaseya VSA software, were infected with ransomware. A well-known criminal gang, REvil, took responsibility for the attack and said the operation infected over a million systems.
In November, a bug was found in the Log4j package used in Java, cross-platform software used in almost a billion devices. The vulnerability was nicknamed Log4Shell, and it allowed attackers to do nearly anything they wanted on affected systems.
The vulnerability has remained a persistent headache for organisations, security experts, and users since. “Attacks can also be automated and scanning for this bug has already been ongoing for a while and has been used to install malware like coin miners and ransomware,” said Snorre Fagerland, technical director, Norton Labs.
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the Microsoft Threat Intelligence Center said in the updated guidance this January.
What do you do when an app, website or service has suffered a data breach? Corrective steps are needed to ensure there is no further damage, particularly financial losses. If your online identity on any website or platform has been compromised in a data breach, immediately change the passwords – even more so if they are shared with another online account.
Enable two-factor authentication, or 2FA, as an additional protective measure. Even if the password and log-in details end up with hackers, they will hit a roadblock if this has been enabled.
If the data breach has hit your bank or financial institution, generate a new password for your online banking identity. Enable, if available, the option to generate an authentication OTP, or one-time password, before you are allowed to log in to your banking accounts. Most banks enable this by default.
If any service that you use and that holds your credit or debit card details is hit by a data breach, reach out to your bank and get these cards blocked. The bank will issue you replacement cards, with new numbers and identifiers, within days.
Blocking the credit and debit cards after a data breach will potentially prevent misuse or fraudulent payments. Examples of services where credit and debit card details are saved for recurring subscriptions include OTT streaming, music streaming, or shopping websites.
Keep an eye on your scores with credit information companies operating in India. These include Cibil and Experian. If anyone has tried to get a loan or a new credit card issued with your identification, it may show up in these logs under recent activity. Often, credit agencies send a notification (email or SMS) if your credit score has been accessed. That is a giveaway that someone is attempting to get a payment tool issued with your identity.