A Banner Year: 2019’s Biggest Data Breaches (So Far)

It’s not a distinction worthy of celebration, but this year is on track to be the worst on record for data breaches. There were 54% more data breaches reported by midyear 2019 than were reported by midyear 2018, according to research done by Risk Based Security.

Thousands of breaches have occurred already this year. The biggest have affected millions of consumers. Affected companies face SEC fines and other financial losses, and the damage to their reputations could be even more costly. While the causes differ from case to case, some of this year’s biggest breaches highlight the critical role of data destruction in a company’s security policies.

The Year So Far

Finance and healthcare are two of the sectors most often affected by data breaches. A massive security failure at First American Financial Corp. was discovered this year, when a real estate developer by chance found that he could manipulate URLs on the company’s site to access other documents. That mistake made 885 million files accessible, many of which were records of wire transactions made by people who were buying or selling property.

In June, Quest Diagnostics announced that the data of 12 million of its customers had been compromised. The breach actually happened at the American Medical Collection Agency (AMCA), a third-party billing company that does business with Quest. While the scope of the breach is smaller than some others, the nature of the stolen information makes Quest’s breach a potentially devastating one. The data included personal medical information, Social Security numbers and financial data. Details about how the information was accessed haven’t yet been shared.

Just after the Quest breach was announced, another company reported that its customers’ data had also been compromised through AMCA. LabCorp (which, like Quest Diagnostics, does medical testing) announced that unauthorized users accessed AMCA’s web payment page between August 1, 2018, and March 30, 2019, gaining access to the personal information of as many as 7.7 million people. The affected data included personal, financial and medical information.

While attacks by outsiders are the cause of many major breaches, some can also be attributed to employee error. Earlier this year the Federal Emergency Management Agency confirmed that it had accidentally shared with a contractor the personal information of more than two million disaster survivors. The data that was shared could have exposed those survivors to identity theft if it had been accessed on the contractor’s computer network.

The Biggest Threats This Year

Of all the data breaches that have affected customers during 2019, no company has suffered a bigger blow than Capital One. The credit-card behemoth was hacked in July by Paige Thompson, a software engineer who had previously worked for Amazon Web Services, which hosted the affected database. Capital One says that the breach involved the personal information of more than 100 million people. Specifically, anyone who applied for a Capital One credit card between 2005 and 2019 was affected. Thompson stole 140,000 Social Security numbers, 80,000 bank account numbers and more than a million Canadian social insurance numbers. The hacker was easily identified by the FBI, and subsequently arrested, because she posted in various online channels about the attack. She was able to access the files because of a weakness in a firewall.

Finally, a security failure with potentially devastating implications was uncovered in the UK in mid-August. Researchers discovered that security company Suprema, which operates a biometric security platform called Biostar 2, had failed to encrypt much of the data in its databases. The researchers found themselves able to access nearly 28 million records. In addition to sensitive information like passwords and security clearance records, the unprotected data also included fingerprint and facial recognition data of Biostar 2 users.

The researchers reported that the security failure would have allowed them to edit administrator accounts or steal users’ biometric data. Because biometric data can’t be changed like a password can, the affected users could have been plagued by lifelong identity theft issues if the vulnerability had been discovered by cybercriminals rather than researchers.

The Takeaway About Data Destruction

While the details of major data breaches are different, they all highlight the same lesson: A single oversight can trigger a massive security failure. That’s why following data destruction best practices is so critical. Making one old hard drive or one stack of sensitive files accessible to outsiders could be all that’s needed to access one of your databases or accounts.

All data thieves need is a way in. Data destruction is how you keep them out.

Prevent a devastating breach by keeping your data as secure as possible. Northeast Data Destruction can help. Contact us today to learn more.