In June of 2014, a group of hackers calling themselves Rex Mundi accessed and downloaded the personal information of over 600,000 French and Belgian Domino’s customers, including their names, email and street addresses, phone numbers, and even their favourite pizza toppings. The culprits turned to Twitter to publicly demand 30,000 Euros (around $40,000) in ransom from the company, or else they would release the stolen customers’ information on the web.
To prove that they actually had this information, the criminals posted sample data online. An embarrassed Domino’s was forced to acknowledge the data breach and to ask customers to change their passwords “for security reasons”. Domino’s did, however, flatly refuse to meet the hackers’ ransom demands.
The good news is that most of the stolen data was not too confidential. Details like names, addresses, phone numbers and email addresses can already be easily found on the web. Financial data, such as credit card numbers, is not stored in the Dominos’ database or anywhere else and therefore was not part of the stolen information.
Rex Mundi is far from the only threat to online security. According to Verizon Enterprise Solution’s 2014 Data Breach Investigation Report, 2013 may be remembered as the “year of the retailer breach“, with at least 63,437 security incidents in 95 countries. Almost 1,400 of those cases were confirmed data breaches in which customers’ personal information was stolen. Others were “cyber espionage” cases where trade secrets or other company information was sold to competitors.
In addition to suffering public embarrassment and experiencing the loss of some of their customers, victimized companies operating in countries that have strong consumer privacy compliance regulations may also be subject to legal action for damages resulting from these kinds of data breaches.
What Can Companies Do?
Backup is the weakest link for privacy at most companies.
Stolen backups are the second leading source of major privacy breaches after the abuse of privileges. And this is especially concerning, since most companies do not encrypt their backups. So every time a new copy of a file is made, the risk of suffering a privacy breach grows.
Changes in technology are forcing IT departments to keep more copies of backups than ever before. Many companies now maintain 30 daily backup copies, plus monthly archives that go back for several years. In addition to granular data backups, they also keep copies of VMs or full-system state backups for disaster recovery purposes. All of this data is usually maintained in two copies: they need one copy at the local data center for fast recovery, as well as another copy at a remote site for major breaches.
From a security perspective, backups are the most sensitive job in any IT department. And yet, the task of backing up the company’s most important digital assets is usually done by junior IT staff with no formal backup training.
The human element will always be the biggest security problem in IT, and it’s not always possible to automate every aspect of how business data is managed, used or accessed. Be careful about how information is shared with employees and how privileges are handed out. (This is an incredibly complex topic, and nobody seems to have the perfect answer at the moment)
From a secure backup perspective, there are three things that companies can do:
1.) Automate as much as possible. Eliminate the human element in order to prevent accidents or malicious actions.
2.) Whenever possible, data should never be stored outside of primary production systems without first being encrypted. Also, backups should never be decrypted while at rest. After the data has been encrypted, all backup media should be stored at a physically secure site.
3.) Assign a backup expert with proper training to monitor the backup process and ensure that all systems are being backed up in the most secure way possible. This can be an internal employee, although it might be easier and more cost-effective to outsource this work to a dedicated full-time secure offsite backup professional.
The Problem Will Only Get Worse
Consumer privacy legislation is getting tighter, and fines are getting larger. This provides more incentive for criminals to blackmail companies.
Exponential improvements in technology will lead to more complexity in the backup process. Today’s business trends are all moving in the direction of paperless, cashless, online and self-serve transactions. All of this can only lead to exponential growth – and increasing sensitivity when it comes to data loss and breaches.
At the same time, as backups are getting more complex, IT budgets are shrinking. IT administrators must do more with less.
Customers have the reasonable expectation that their sensitive information will remain private and protected. The increasing occurrence of data breaches and the corresponding risk of legal action is forcing even small- to medium-sized businesses to think seriously about network security, data protection best practices, and information compliance.
By Anne Matthews
Bio: Anne currently writes for Storagepipe Solutions, a company that provides world-class corporate data protection solutions including online backup and recovery, electronic archiving and business continuity.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.