- Thomson Reuters
- There’s one common thread across several high-profile data breaches we’ve seen in recent years, and it involves the way affected companies manage servers that store sensitive data, says professional “white hat” hacker Marc Rogers.
- The Capital One breach from July is among the most recent examples. The suspected hacker is said to have obtained data about the credit card company’s customers and applicants by taking advantage of a firewall misconfiguration in the firm’s cloud infrastructure.
- Companies should first get a better understanding of the type of data that’s out there to prevent similar breaches from happening in the future, says Rogers.
- Visit Business Insider’s homepage for more stories.
Data breaches appear to be all the more common in recent years, with major firms across industries such as healthcare, social media, and finance falling victim to hackers. And such intrusions are becoming an increasingly costly problem for companies to fix; the cost of a data breach has risen by 12% over the past 5 years, according to data from IBM Security published in July.
The circumstances behind a data breach will always vary depending on the situation. But there is a common thread that can be found across several recent hacks, including the Capital One breach from July, according to Marc Rogers, a white-hat hacker and head of cybersecurity at Okta, an enterprise identity management firm.
For several companies that have been impacted by data breaches in recent years, the issue boils down to how these firms are managing the servers that are being used to store sensitive information, says Rogers.
“That’s probably the most common vector that I’m seeing across all of these breaches, is that companies don’t seem to know what data assets are out there,” Rogers said when speaking with Business Insider. “And consequently, there [are] a lot of insecure systems hanging on the internet that can be readily accessed.”
Take the Capital One breach as an example, which impacted 100 million people in the United States and six million people in Canada. Suspected hacker Paige A. Thompson is said to have obtained the sensitive information about Capital One customers and credit card applicants by exploiting a firewall misconfiguration in the company’s cloud infrastructure.
Security company Suprema, which operates a biometrics platform called Biostar 2, also fell victim to a hack that exposed the fingerprints of more than one million people as well as unencrypted usernames and passwords, The Guardian reported in August. That data breach can also be traced back to the way the compromised information was stored and managed, as the report said it was found on a publicly accessible database.
Boosting the security of the servers that store such information could dramatically cut down on the number of data breaches, according to Rogers.
“If we just got rid of that, I think you’d reduce the number of breaches we’re hearing about by at least half,” said Rogers.
At the same time, lawmakers are pressing for action to be taken in order to prevent a data breach like the one that impacted Capital One from happening again. United States senators Ron Wyden (D-Oregon) and Elizabeth Warren (D-Massachusetts) wrote a letter to the Federal Trade Commission in October calling for an investigation of Amazon over the Capital One leak, since the affected data was stored using Amazon Web Services. In the letter, Wyden and Warren accuse Amazon of failing to implement the same level of security in its cloud services as other tech firms like Microsoft and Google.
But experts have previously said that the responsibility to secure data should rest with the company itself, not the cloud-service provider.
“Step one in terms of mitigating these issues is [to] get out of this false sense of security that cloud users have, that Amazon will take care of it,” Ameesh Divatia, CEO and cofounder of data protection firm Baffle, previously told Business Insider.
Rogers says companies should start by getting an understanding of what data is out there by conducting a scan of their company’s public IP space and external assets. Doing so could help firms see if there’s any data out there that isn’t protected by a password, or is perhaps guarded by a default password that may not be strong.
“I’m getting used to hearing companies say ‘we had no idea that was out there,'” Rogers said. “Well somehow, these companies need to better track things.”