A few years ago, I read the book Black Swan by Nassim Nicholas Taleb (link). Its primary thesis is that we are all conditioned to see the future as a natural continuation of today. We do not anticipate or plan for events like Covid-19, a tsunami, a 9/11-style attack, or the 2008 real-estate crisis. So we keep repeating our acts, not unlike ants and bees, assuming tomorrow will be no different from today. This is not wrong for most windows of time. However, from time to time something goes awry. A time bomb goes off, bringing with it enormous loss of life and property. We grieve for a few weeks and get on the treadmill again.
The central argument of the book is that these events are by nature not predictable. We can, however, make small bets against their occurrence that cover us against the downside: a “hedging approach”. We already do this in some situations. It is the reason we buy auto insurance. We do not anticipate a loss every day, but in case something bad happens, we do not want to be left to cover the loss ourselves.
Let us apply this to data security. When we undertake a project that collects and processes data, what do we see as requirements from a security standpoint? I have done at least 3 or 4 of them in my life. From my personal recollection, requirements are written from the perspective of “if everything goes per procedure”:
- Who can see and do what actions with what data? Engineering responds with RBAC, ACLs, centrally managed entitlements (from AD/LDAP), etc.
- Encryption of data at rest and in motion
- Perimeter defense, DMZ, etc. (if it is SaaS).
These are essential. They cover the organization when everything goes by the book. But what if things do not go by the book?
- What if the credentials for a data store are exposed?
- What if a data store is misconfigured?
- What if there is an outsider in the network that can act like an insider?
- What if a disgruntled employee becomes an insider threat?
These are not scenarios we are good at imagining. We think that the odds of these happening are too tiny to worry about. Until it happens. See below a partial list of organizations that were compromised in the first four months of this year. As I was writing this today, critical oil pipelines are being held hostage by ransomware attacks (link).
What if we could buy insurance against breaches? How much would you pay for it? What if you could buy software that keeps data from being compromised even in the event of a breach (remember, you cannot prevent a breach because you cannot predict it; the only thing you can do is minimize its impact)? How much would you pay for that?
Check out Titaniam, “Breached, but not compromised”: you can protect your sensitive data and analyze it without ever having to bring it back to clear text. The protected data, if compromised, does not result in material damage. So safe that you would not even have to report it to the authorities.
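To make the hedging idea concrete, here is an added example (not code from this post, and not Titaniam's product) of the standard pattern behind "breached, but not compromised": the application encrypts the sensitive column with AES-256-GCM before it ever reaches the data store, the keys live outside the store, and a keyed hash (a blind index) lets the application run exact-match queries without decrypting anything. The types and function names (Keys, StoredRow, Protect, Recover, FindBySSN, DumpContains) and the sample record are assumptions made up for this example. The blind index only supports equality lookups; richer analytics over protected data need other techniques that are not shown here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Keys stay with the application (in practice a KMS or HSM), never in the store.
type Keys struct {
	Enc   []byte // 32-byte AES-256-GCM key for the sensitive field
	Index []byte // separate HMAC key for the blind (equality) index
}

// StoredRow is what lands in the data store: no plaintext SSN anywhere.
type StoredRow struct {
	ID        string
	Name      string // non-sensitive, kept in clear
	SSNCipher []byte // nonce || AES-GCM ciphertext (tag included)
	SSNIndex  string // hex(HMAC-SHA256(indexKey, ssn))
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func blindIndex(key []byte, value string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

// Protect encrypts the SSN before the write; the row ID is bound as AAD so a
// ciphertext copied to another row will not decrypt.
func Protect(k Keys, id, name, ssn string) (StoredRow, error) {
	gcm, err := newGCM(k.Enc)
	if err != nil {
		return StoredRow{}, err
	}
	nonce := mustRandom(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, []byte(ssn), []byte(id))
	return StoredRow{ID: id, Name: name, SSNCipher: append(nonce, ct...),
		SSNIndex: blindIndex(k.Index, ssn)}, nil
}

// Recover decrypts one row; tampering or a wrong row ID fails the GCM tag check.
func Recover(k Keys, row StoredRow) (string, error) {
	gcm, err := newGCM(k.Enc)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(row.SSNCipher) < n {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, row.SSNCipher[:n], row.SSNCipher[n:], []byte(row.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// FindBySSN answers an exact-match query from the blind index without decrypting.
func FindBySSN(k Keys, rows []StoredRow, ssn string) []string {
	want := blindIndex(k.Index, ssn)
	var ids []string
	for _, r := range rows {
		if hmac.Equal([]byte(r.SSNIndex), []byte(want)) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// DumpContains plays the holder of a full copy of the store (leaked credentials,
// misconfigured bucket) searching it for a known value.
func DumpContains(rows []StoredRow, needle string) bool {
	n := []byte(needle)
	for _, r := range rows {
		if bytes.Contains(r.SSNCipher, n) || bytes.Contains([]byte(r.SSNIndex), n) {
			return true
		}
	}
	return false
}

func main() {
	k := Keys{Enc: mustRandom(32), Index: mustRandom(32)}
	row, _ := Protect(k, "u1", "Ana", "123-45-6789") // constructed sample record
	fmt.Println("dump exposes SSN:", DumpContains([]StoredRow{row}, "123-45-6789")) // false
	ssn, _ := Recover(k, row)
	fmt.Println("key holder recovers:", ssn, FindBySSN(k, []StoredRow{row}, ssn))
}
```

The point to check in your own systems is the split of trust: whoever obtains a copy of the store (the credential-exposure and misconfiguration scenarios above) gets only ciphertext and keyed hashes, and the keys are held by a component with its own access controls and audit trail. Note that the blind index still reveals which rows share a value, so it belongs on fields where that is acceptable.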
Data Breaches during the first four months of 2021 (source)
- January 11, 2021: Ubiquiti Inc.: Customer names, email addresses, hashed and salted passwords, addresses, and phone numbers.
- January 11, 2021: Parler: The 70TB of leaked information includes 99.9% of posts, messages, and video data containing EXIF metadata (date, time, and location), and driver’s license or other government-issued photo IDs.
- January 11, 2021: Socialarks: 214 million social media user records from Facebook, Instagram, and LinkedIn: users’ names, phone numbers, email addresses, profile links, usernames, profile pictures, profile descriptions, follower and engagement statistics, location, Messenger ID, website link, job profile, LinkedIn profile link, connected social media account login names, and company name.
- January 12, 2021: Mimecast: Up to 10 percent of its customers used a compromised connection.
- January 20, 2021: Pixlr: A database containing 1.9 million user records including email addresses, usernames, hashed passwords, users’ country, whether they signed up for the newsletter, and other sensitive information.
- January 20, 2021: 123RF: Over 83 million user records.
- January 24, 2021: MeetMindful (dating platform, MeetMindful.com): Account details and personal information of more than 2.28 million registered users, including names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, bcrypt-hashed account passwords, Facebook user IDs, and Facebook authentication tokens.
- January 22, 2021: Bonobos (men’s clothing retailer): Over 7 million customer records, including addresses, phone numbers, and account information for 1.8 million registered customers, and 3.5 million partial credit card records.
- January 26, 2021: VIPGames: Over 23 million records for more than 66,000 desktop and mobile users, due to a cloud misconfiguration. The leaked user records include usernames, emails, IP addresses, hashed passwords, Facebook, Twitter, and Google IDs, bets, and data on players who were banned from the platform.
- January 28, 2021: U.S. Cellular: 4.9 million customer records including names, addresses, PINs, cell phone numbers, service plans, and billing/usage statements.
- February 2, 2021: “Compilation of Many Breaches” (COMB): A database containing more than 3.2 billion unique pairs of cleartext emails and passwords from past leaks of Netflix, LinkedIn, Exploit.in, Bitcoin, Yahoo, and more was discovered online, including 200 million Gmail addresses and 450 million Yahoo email addresses.
- February 10, 2021: Nebraska Medicine: Medical information of 219,000 patients including names, addresses, dates of birth, medical record numbers, health insurance information, physician notes, laboratory results, imaging, diagnosis information, treatment information, and/or prescription information, and a limited number of Social Security numbers and driver’s license numbers.
- February 18, 2021: California DMV: Drivers’ personal information from the last 20 months of California vehicle registration records, including names, addresses, license plate numbers, and vehicle identification numbers (VINs).
- February 20, 2021: Kroger: HR data and pharmacy records including names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers, as well as information on health insurance, prescriptions, and medical history.
- February 26, 2021: T-Mobile: An undisclosed number of customer records including names, addresses, email addresses, account numbers, Social Security numbers (SSNs), account personal identification numbers (PINs), account security questions and answers, dates of birth, plan information, and the number of lines subscribed to their accounts.
- March 3, 2021: Microsoft Exchange: 30,000 organizations across the United States, including small businesses, towns, cities, and local governments.
- March 4, 2021: SITA (supports 90% of the world’s airlines): PII belonging to an undisclosed number of airline passengers including names, traveler’s service card numbers, and status level.
- March 9, 2021: MultiCare: Personal information of over 200,000 patients including names, insurance policy numbers, Social Security numbers, dates of birth, bank account numbers, and more.
- March 23, 2021: California State Controller’s Office (SCO): Undisclosed amount of PII.
- March 23, 2021: Hobby Lobby: Over 300,000 customers’ names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as the source code for the company’s app.
- March 26, 2021: Cancer Treatment Centers of America: 104,808 patients’ names, health insurance information, medical record numbers, CTCA account numbers, and limited medical information.
- April 3, 2021: Facebook: Personal data of 533 million Facebook users from 106 countries including users’ phone numbers, full names, location, email address, and biographical information.
- April 6, 2021: LinkedIn: Over 500 million LinkedIn user profiles including names, LinkedIn account IDs, email addresses, phone numbers, gender, LinkedIn profile links, connected social media profile links, professional titles, and other work-related personal data.
- April 10, 2021: ClubHouse: 1.3 million user records including user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, and account creation date.
- April 12, 2021: ParkMobile: 21 million customer records including email addresses, phone numbers, license plate numbers, hashed passwords, and mailing addresses.
- April 19, 2021: GEICO: Undisclosed number of driver’s license numbers and other Personally Identifiable Information (PII) such as name, address, and date of birth.
- April 24, 2021: Reverb: 5.6 million users’ full names, email addresses, postal addresses, phone numbers, listing/order count, PayPal account email, IP address, and more.
- April 26, 2021: Experian: Credit scores of tens of millions of Americans.