Do you remember that infamous Equifax breach? The one where hackers stole the personal information of 147.7 million US citizens? We wrote a blog post about the incident a few years back.
Whether or not you remember the case, the first thing you should notice is that it is still relevant – almost two years after it was discovered. One of the reasons is that US authorities have taken a stricter approach to data breaches, and now that GDPR has been in force in Europe for over a year, the consequences of a data breach reach beyond the initial public outcry, a temporary dip in the stock price and perhaps a couple of IT staff being fired.
Let’s have a look at the Equifax case along with a couple of others by going through some questions organizations should be asking themselves.
Authorities on both sides of the pond are handing out fines that have a serious impact on the bottom line of the companies involved. One recent example is Equifax, which is reportedly facing a hefty fine of $700M for the lack of proper security measures. It has also become apparent that one of the reasons this hack was so successful was that the attackers got hold of stolen credentials, which allowed them to move laterally inside the network and gain access to valuable data. Read more about what this means here.
Another example is British Airways, which is likely to be fined £183m for its “poor security arrangements”. Although the proposed figure might still change if and when BA appeals the case, as the fine currently stands it amounts to 10% of the company’s expected net profits.
It also looks like the trend is up, since “Those reporting attacks that cost 10 million USD/EUR/GBP or more almost doubled from last year — from 7% in 2018 to 13% in 2019”, as stated by Security Boulevard.
National authorities and regulators are not the only ones who demand justice in breach cases. Companies can also face legal action from local authorities in addition to the fines imposed by governmental regulators, as quoted in this article.
“Equifax has agreed to pay at least $1.4 billion to settle multidistrict litigation brought on behalf of 147 million U.S. consumers and pay millions more to resolve civil complaints brought by the federal government and multiple state attorneys general over its massive 2017 data breach.”
These are not the type of figures you want to be presenting to your shareholders, investors or the general public. Besides, private citizens are becoming more aware of how valuable personal data has become and how important it is for organizations to govern and monitor how it is handled. For example, GDPR allows EU citizens to seek compensation for damages.
All the while a company is under this kind of scrutiny, attention and resources are diverted from what it really should be doing – running its daily operations and concentrating on serving its customers. Instead, these companies have been litigating, settling, hiring lawyers and spending internal time and resources on matters that could perhaps have been avoided by paying a bit more attention to their cybersecurity strategy.
We believe companies should not leave cybersecurity solely in the hands of the IT or even the cybersecurity teams. Proper cyber hygiene should be a board-level topic. The consequences of ignoring these topics always are.
We have more than 25 years of experience in the field of cybersecurity, access control and securing data-in-transit. We can help you:
Joe Scaff, CEO, Chief Sales Officer
P.S. I highly recommend the ISACA guide on Secure Shell governance and the KuppingerCole Executive view on our product, PrivX®.