Over the past few years, multiple organizations found themselves in the spotlight over massive data breaches. Several tech giants have since ended up paying enormous sums of money to settle charges of improperly handling users’ data.
These fines imposed on companies should make other organizations concerned about data security. In some cases, organizations have taken the punitive measures to heart and made the necessary improvements to raise their data protection standards. Sadly, despite fines and penalties having been imposed on numerous companies, some entities still fail to comply with regulations and end up paying massive fines.
Meanwhile, regulatory bodies across the globe are continually expanding their reach. Protecting user data has recently become paramount, especially amid stricter enforcement of regulations. 2018 has also seen several well-known companies added to the ever-growing list of breach victims.
Impact of data breaches
Apart from costing organizations enormous amounts of money, breaches can also result in the loss of private records and sensitive data. Breaches often affect not only the organization itself but also its customers and employees.
Cybercriminals can monetize data stolen during a breach by cloning credit cards, leveraging personal information for fraud and identity theft, and even blackmail. Such sensitive data is also sometimes sold in bulk on dark web markets.
Typically, data breaches result in the compromise of information such as usernames, dates of birth, social security numbers, user identification numbers, email addresses, mailing and physical addresses, phone numbers, bank account numbers, medical information, claims information, and more.
Common causes of data breaches
Organizations do not fall victim to breaches solely because of malicious cybercriminals. Some breaches are inadvertently caused by the entities themselves, either through a lack of proper security protocols or through a minor internal lapse.
Here is a list of some of the common causes of a data breach:
- Physical theft or loss of a device is a form of data breach that can be caused either unintentionally, through an oversight, or deliberately by well-prepared malicious actors. In this case, the data stored on the device becomes exposed once the device is lost or stolen.
- Phishing attacks are also one of the major causes of data breaches. Users often fall prey to malicious phishing emails, which attackers sometimes use to infect an entire organization with malware. Once opened, a phishing email could lead to the compromise of all the data on the targeted system.
- Stolen/Weak credentials that belong to an employee in an organization can also become the primary cause of a major data breach. Cybercriminals often use compromised credentials to invade corporate networks and steal sensitive data.
- Application and operating system vulnerabilities can also put an organization on attackers’ target lists. User data becomes more exposed to breach and identity theft when the organization runs software that is not regularly updated or patched.
- Malware attacks causing compromise of the organization’s security can also lead to a major data breach.
- Human error, which includes instances such as sending an email to the wrong recipient, loss of paperwork or responding to a request by accidentally disclosing confidential information, could all potentially lead to a data breach. Organizations must ensure that they train employees to appropriately handle sensitive data.
List of data breaches and fines imposed
In 2018 alone, several major tech giants were slapped with fines for improperly handling user data and for failing to report a breach as regulations require. Here is a list of the major companies that ended up agreeing to pay massive fines and to enhance their security after suffering a monumental breach:
- Facebook suffered a massive data breach in September 2018, in which 90 million user accounts were exposed. Although no fine has officially been announced by any international regulatory body, under the terms of GDPR the company faces a maximum fine of up to 4% of its global annual revenue from the prior year, which could end up costing the firm billions.
- Uber confirmed in September 2018 that it would pay a whopping €148 million fine, levied on the firm after it was hit by hackers but attempted to hush up the attack. The breach exposed the sensitive user data of 57 million customers and drivers in 2016.
- British Airways may possibly have to pay up a fine of around £500 million over a data breach that compromised 380,000 card payments over a two-week period between 21 August and 5 September.
- The MD Anderson Cancer Centre in Houston paid $4.3 million in penalties in June 2018 for its lax security. The healthcare center had suffered three data breaches between 2012 and 2013.
- Nationwide Mutual Insurance and its subsidiary Allied Property and Casualty Insurance, both based in the US, settled a legal case with 33 states, agreeing to pay $5.5 million. The fine was imposed after the organization suffered a multi-state data breach in 2012.
- Anthem Inc, provider of Anthem Blue Cross and Blue Shield health insurance in the U.S., has agreed to a $115 million settlement of a class-action lawsuit over a 2015 data breach.
- The Metro Community Provider Network (MCPN), a Federally Qualified Health Centre (FQHC), suffered a data breach due to an insufficient risk analysis and poor preventive actions. As a result, MCPN agreed to pay $400,000 to the Office for Civil Rights (OCR).
- Recently, in September 2018, the UK Information Commissioner’s Office (ICO) fined Equifax €500,000 for failing to protect the personal information of 15 million UK customers.
Determining the actual value of fines
Every country has its own regulatory body that imposes fines based on its own set of parameters. However, there is a set of common criteria that nearly all regulatory bodies can use to determine the impact of a breach and the size of the fine imposed for non-compliance with regulations:
- The cause of the incident - whether it occurred due to a malicious, targeted attack or due to negligence.
- The nature of the incident, the number of people affected, the damage incurred, the duration of the incident and the purpose of the processing.
- Corrective actions taken by the organization to mitigate the damage caused to data.
- Preventive measures implemented by the organization before the incident occurred.
- Relevant incidents in the past, and the administrative, preventive and defensive actions required of the organization in the event of an incident.
- Cooperation of the organization with government authorities to resolve the incident.
- Customer notifications issued proactively by the organization or a third party.
- Certification of the organization under approved codes of conduct.
- Other factors such as the financial impact on the firm can also be considered.
There can also be other factors that contribute to the determination of the fines imposed by regulatory authorities.
What can organizations do?
Organizations were not always held accountable for data breaches. However, a concerning and continually growing spate of massive breaches has led governments to take stringent action against companies.
Data breach fines are a wake-up call for every organization, and preventing such incidents calls for a proactive approach. Cloud database misconfiguration, delays in patching known vulnerabilities, insecure software and system components, and breach response are key areas that organizations can readily address. By adopting detection management and incident response approaches, organizations can vastly improve their security and better protect their corporate and customer data.
Organizations must ensure that they have implemented appropriate security measures, compliant with data protection laws, to identify and report data breaches. They must prioritize these requirements and ensure that the best systems are in place to avoid future breaches.