News broke overnight that California Pizza Kitchen has suffered a significant data breach, exposing the SSNs of its current and former employees.
Currently, the breach is under investigation and the cause is unknown. The company discovered a disruption on September 15. The Office of the Maine Attorney General disclosed that a total of 103,767 current and former CPK employees have been affected by the incident.
<p>Enterprises definitely have an obligation to their customers to keep private and sensitive data safe and secure. We take for granted the assumption that they will also protect PII gathered from current and former employees, most of whom have rendered good and faithful service to the organization. Good employees deserve no less. Such is not the case, unfortunately, in light of the recently disclosed data breach involving California Pizza Kitchen (CPK). Threat actors gained access to CPK’s data environment and ultimately to files containing highly sensitive information including the SSNs of employees and other types of PII. Over 100K data subjects ultimately could be negatively affected.</p>
<p>The incident demonstrates the dangers in assuming that traditional controls such as perimeter security alone can protect against unwanted access to and subsequent disclosure of PII. Only data-centric security is able to ensure that hackers can’t leverage, profit from, or even weaponize sensitive data. By protecting the data itself through tokenization or format-preserving encryption, organizations can make sure that even if protected information travels outside of protected boundaries or falls into the wrong hands, sensitive data is still safe and secure in an obfuscated state. While CPK got burned on this incident, your organization doesn’t have to be—the special of the day for any enterprise wanting to avoid this situation should be data-centric security.</p>
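As an added illustration of the "protect the data itself" point above (this is example code written for this page, not code from the article, from CPK, or from any vendor), the block below implements vault-based tokenization for SSNs: the HR system stores only random, format-preserving surrogate tokens, and the token-to-SSN mapping lives in a separate vault. If the HR records are exfiltrated, the attacker gets tokens that carry no information about the real numbers. The `TokenVault` class, the record layout and the sample SSNs are all assumptions constructed for the example; format-preserving encryption (e.g. FF1) would be an alternative to the random-token vault and is not implemented here.

```python
import re
import secrets

# Shape of a US SSN as stored in this hypothetical HR system: ###-##-####.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Maps random surrogate tokens to real SSNs.

    In a real deployment this lives in a separate, tightly access-controlled
    service; the HR database only ever holds the tokens. Tokens are drawn
    from a CSPRNG, so they cannot be reversed without the vault.
    """

    def __init__(self):
        self._token_to_ssn = {}
        self._ssn_to_token = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("not a well-formed SSN")
        # Same SSN -> same token, so records can still be joined on the token.
        if ssn in self._ssn_to_token:
            return self._ssn_to_token[ssn]
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(9))
            token = f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
            # Reject the (astronomically unlikely) collisions: an existing
            # token, or a token that happens to equal any real SSN we hold.
            if token not in self._token_to_ssn and token not in self._ssn_to_token and token != ssn:
                break
        self._token_to_ssn[token] = ssn
        self._ssn_to_token[ssn] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable by a vault client with the appropriate entitlement."""
        return self._token_to_ssn[token]


def protect_employee_records(records, vault: TokenVault):
    """Return copies of the HR records with the ssn field replaced by a token."""
    return [{**r, "ssn": vault.tokenize(r["ssn"])} for r in records]


def contains_real_ssn(records, real_ssns) -> bool:
    """Check a (possibly exfiltrated) record set for any real SSN value."""
    return any(r["ssn"] in real_ssns for r in records)


# Constructed sample data (not real people, not real SSNs).
SAMPLE_RECORDS = [
    {"employee_id": 1, "name": "A. Example", "ssn": "123-45-6789"},
    {"employee_id": 2, "name": "B. Example", "ssn": "987-65-4321"},
    {"employee_id": 3, "name": "A. Example (rehire)", "ssn": "123-45-6789"},
]

if __name__ == "__main__":
    vault = TokenVault()
    protected = protect_employee_records(SAMPLE_RECORDS, vault)
    # What an attacker who copies the HR table would see:
    for row in protected:
        print(row)
    print("real SSN present in HR copy:",
          contains_real_ssn(protected, {r["ssn"] for r in SAMPLE_RECORDS}))
```

The design choice worth noting is that tokens are random rather than derived from the SSN (no hashing, no key): a leaked HR table therefore leaks nothing about the underlying values, and the security of the scheme reduces to access control on the vault and on the `detokenize` path.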
<p>Every business like California Pizza Kitchen possesses valuable PII data which makes them a prime target for attackers. To help protect against attacks, enterprises need to ensure their employees practice good cybersecurity hygiene. Ongoing training can help defend against threats such as phishing or other social engineering attacks that often lead to breaches.</p>
<p>Breaches can also stem from credential-based attacks. If enterprises are still using passwords, the likelihood of a breach only grows. Businesses need to eliminate passwords for good and move to multi-factor authentication solutions that defend their essential data.</p>
<p>The California Pizza Kitchen (CPK) data breach is yet another reminder that employers need to take action in order to protect their employees from having their critical information stolen. </p>
<p>The solution to preventing incidents like this is twofold: training and technology. Training plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices. The problem is, many of these training efforts are little more than an exercise in box ticking, covering the basics with employers then assuming their staff will remember what they need to do on every single occasion in the future when they are exposed to risk. </p>
<p>People should understand that protecting their organisation from the impact of a security breach isn’t just about always applying every element of their training on every single occasion, it’s also about raising the alarm if a breach may have occurred without fear of punishment. Whether they are right or wrong, employees should be encouraged to always raise the alarm if something doesn’t feel right. </p>
<p>On the technology side, taking a proactive, zero trust (never trust/always verify) approach to cybersecurity and having the measures in place to prevent attacks from penetrating your systems is critical. It’s also far more efficient and cost-effective than relying solely on your employees.</p>