Lessons from the World’s Largest Data Breaches

Posted 28 February 2019 1:29 PM by Torey Hunt

Data breaches have been dominating the headlines over the last few years prompting an intense awareness towards data privacy and protection. From breaches at major hotel chains, airlines and retailers to hospitals and social platforms, consumers are left wondering who they can trust their personal information with.

With so much confidential data left unsecure, the pressure is on for businesses to take control of this content and ensure they don’t suffer a fallout that impacts their overall reputation and bottom line.

Let’s analyze some of the largest data breaches in history to see how these massive repercussions could have been prevented by discovering and safeguarding the sensitive information within enterprise data stores.

The largest data breach to date

More than five years after suffering the largest data breach in history – an August 2013 incident in which hackers accessed the names, email addresses and passwords of every single Yahoo user, three billion accounts in all – the total costs are still unclear for Yahoo. We also have yet to see the full impact of any legal implications, along with repercussions to their brand reputation and business overall. In January 2019, a U.S. judge rejected the company’s proposed settlement of a $50-million payout plus two years of credit monitoring for some users, saying the deal was not sufficiently transparent.*

It’s the latest bad news for the beleaguered company, now owned by Verizon: when the breach was initially disclosed in the lead up to the Verizon sale, Yahoo’s purchase price plunged by $350 million. And while the aftermath of the breach may be fascinating for tech-watchers, it’s also a compelling cautionary tale for any industry that handles personally identifiable information (PII).

Bigger, costlier data breaches

Large as it was, it’s hard to call the Yahoo data breach a complete outlier, as the size and costs associated with such events continue to increase. Even so, there are few signs of such malicious activity slowing down in 2019.

Already this year, a security researcher exposed “the mother of all breaches,” otherwise known as the Collection #1 data breach** that included more than 700 million unique emails and 21 million unique passwords.

Accordingly, regulators are cracking down harder on companies that fall short on PII compliance. In January, France fined Google 50 million euros*** for improperly disclosing its data collection practices to users, as regulated under the General Data Protection Regulation (GDPR).

The case for improved PII compliance

As breaches and fines for poor PII security compliance become the norm, there’s a clear business imperative for stepping up PII data discovery and protection.

But for many businesses, the challenge related to PII compliance isn’t actually protecting the sensitive information itself – it’s determining what sensitive data they have in their possession, and where it’s located.

Within organizations, the vast majority of data is unstructured, meaning it exists in formats that are incompatible with standard PII data discovery processes. For businesses that pre-date the digital era, part of the challenge in identifying sensitive information and enabling PII protection is that the majority of this data is stored in piles of physical documents. But even digital-born businesses have PII data discovery challenges because they possess vast amounts of unsearchable data, whether due to the fact that it’s nested in email threads, exists in formats that can’t be readily searched or other issues. If such files contain sensitive information, they may be a ticking time bomb when it comes to PII compliance.

Improving PII data discovery

Companies can reduce their risk of regulatory penalties and exposing sensitive customer information in the event of a breach by reducing their PII compliance footprint. What does that mean? It starts with conducting an audit for PII protection, taking steps to identify all sources of PII within corporate data stores, including converting unstructured documents into searchable formats.

Once sources of PII have been identified, they must be dealt with according to internal and regulatory PII compliance policies. This means redacting unnecessary and/or duplicate PII, and cordoning off and securing files that contain sensitive information to achieve PII security compliance.
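As an added illustration of the discovery and redaction steps described above (example code written for this post, not Adlib’s tooling), the script below scans a small constructed set of documents that have already been converted to text, builds an inventory of which PII values appear in which files so duplicates across the data store are visible, and redacts the matches. The document contents, file paths and patterns are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample "data store": path -> text already extracted from the document.
DOCS = {
    "hr/onboarding.txt": "Contact jane.doe@example.com, card 4111 1111 1111 1111, SSN 123-45-6789.",
    "mail/thread-42.txt": "Fwd: please use jane.doe@example.com for billing; card 4111-1111-1111-1111.",
    "legal/notice.txt": "No personal data here, just order number 1234-5678.",
}

# Simple detectors for three common PII kinds; real audits would use many more.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(digits):
    """Luhn checksum: filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def find_pii(text):
    """Return (kind, normalized value) pairs so the same card written with
    spaces or dashes counts as one value across documents."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if kind == "card":
                value = re.sub(r"\D", "", value)
                if not luhn_ok(value):
                    continue
            hits.append((kind, value.lower()))
    return hits

def inventory(docs):
    """Map each document that holds PII to the values found in it."""
    return {path: find_pii(text) for path, text in docs.items() if find_pii(text)}

def duplicates(inv):
    """PII values present in more than one file: candidates for consolidation or redaction."""
    counts = Counter(h for hits in inv.values() for h in set(hits))
    return {h for h, n in counts.items() if n > 1}

def redact(text):
    """Replace each PII match with a placeholder; card runs must pass Luhn to be redacted."""
    def repl(kind):
        def _r(m):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)
            return f"[REDACTED-{kind.upper()}]"
        return _r
    for kind, pat in PATTERNS.items():
        text = pat.sub(repl(kind), text)
    return text
```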

Wrap up

While data breaches and fines for PII security compliance infringements may seem like the new normal, the tremendous fallout can be prevented. To avoid the high costs of exposing sensitive customer data, enterprises must take decisive action to discover sensitive information within their data stores and enact PII protection measures. To get started in achieving PII compliance, take Adlib’s Data Discovery Assessment to discover what data you have and where it resides before your company becomes the next data-breach headline.

*Details on Yahoo breach
**Collection #1 data breach
***Details on Google’s penalties
