The notion of a “security breach” is a tale as old as time—think of the mythological Achilles and his heel. Nor is there anything new about “data breach”—think of Nathan Hale stealing American intel for the English during the Revolutionary War. In the last several decades, breaches have also come to refer to the holding of systems/data hostage in exchange for “ransom” (e.g., ransomware and denial of service attacks). Of course, there’s nothing new about a hijacking. Remember D.B. Cooper’s infamous hijacking of a 727 in 1971? Nor is there anything new about the damage a hijacking can leave in its wake. Cooper made off with the present-day equivalent of $1.2 million, disrupted air travel for hours, and kept the FBI spinning its wheels for 45 years. However, as far as extortion-based digital attacks are concerned, the stakes can be the survival of the company, according to Mario Carneiro, Exela’s Data and Technical Security Manager.
The difference between a security breach and a data breach
Now as then, the occurrence of a security breach doesn’t necessarily lead to a data breach; however, the occurrence of a data breach is always the result of a security breach. For example, the Watergate scandal started with burglary but ended up exposing data that ended Richard Nixon’s presidency. In fact, a modern-day security breach is much like burglary—except instead of breaking into a house to steal private property, the “bad guy” breaks into a system housing private information. Just as burglary damages the integrity of the house, a digital security breach damages the integrity of the system. Just as burglary exposes the contents of the house to damage, loss, and exploitation, a digital security breach exposes the data housed in the system to the same. But while the damage from a burglary primarily affects the homeowner (Watergate being an exception), the damage from a digital security breach impacts not only the enterprise whose system’s been breached, but also everyone who entrusted that system with their data.
How one small security breach can lead to a massive data breach
Consider the Equifax breach of 2017. Equifax, as you probably know, is one of three national credit bureaus that calculate credit scores of U.S. consumers. To do so, they use a database of consumer information (e.g., social security numbers, addresses, credit card account numbers, and failures to pay balances on time) provided by banks and other lenders/creditors, who get it from consumers themselves (who provide it in the course of applying for credit). Equifax sells that information to creditors (as well as employers, and others authorized by the individuals to whom it belongs) for the purpose of evaluating the creditworthiness, and verifying the identity, of consumers.
In mid-2017, hackers managed to infiltrate a small piece of Equifax’s system. But that relatively small attack surface opened up unauthorized access to the personal information of close to 145 million U.S. consumers.
145 million consumers, but countless more victims
The information accessed was not only private to the consumers who had provided it, but also would have allowed those with access to impersonate the consumers from whom the information was taken. The information was also crucial to Equifax’s core business and reputation. Accordingly, its exploitation was harmful to:
The affected consumers
Anyone relying on it to make decisions about offering credit
Equifax itself, not only because that information is essentially Equifax’s crown jewel, but also because of damage to Equifax’s reputation
The reputation of commercial lenders
The credit reporting industry in general
The Equifax breach isn’t even close to the biggest breach in recent history. That distinction arguably goes to the Yahoo breach of 2013-2014. However, it’s a strong example of the complex and far-reaching effects of even a “small” security breach and illustrates how very serious a matter both system security and data security have become.
In the weeks ahead, we’ll be diving in to discover how the “bad guys” get in, how keeping them out isn’t just doable but the essence of what we do every day at Exela, and all the security matters you’ll want to consider when choosing your digital transformation partner.