1 of 26

Experiencing M I S

Tenth Edition

Chapter Extension 14

Data Breaches

2 of 26

Study Questions

C E 14.1 What is a data breach?

C E 14.2 How do data breaches happen?

C E 14.3 How should organizations respond to data breaches?

C E 14.4 What are the legal consequences of a data breach?

C E 14.5 How can data breaches be prevented?

C E 14.6 What is your role in I S Security?

3 of 26

Costs of Handling Data Breaches

C E 14.1 What is a data breach?

A data breach happens when an unauthorized person views, alters, or steals secured data

During 2020 more than 37 billion records were stolen in 3,932 data breaches
It’s likely that nearly everyone lost their records at least once in 2019

A single data breach in the U.S. costs an organization $3.9 million
The average cost of losing a single record is $150

4 of 26

Costs of Handling a Data Breach

C E 14.1 What is a data breach?

Direct Costs

Notification
Detection
Escalation
Remediation
Legal fees and consultation

Indirect Costs

Loss of reputation
Abnormal customer turnover
Increased customer acquisition activities
Additional $1.4 million per incident in U.S.

5 of 26

What Are the Odds?

C E 14.1 What is a data breach?

28% chance of experiencing a data breach over any given 24-month period.

6 of 26

Well-Known Data Breaches

C E 14.1 What is a data breach?

Figure C E 14.1 Well-Known Data Breaches

While Edward Snowden and Bradley Manning may have gotten more press because they stole classified documents, the data breaches shown in the figure directly affected the lives of billions of people.

Long Description:

The vertical axis of the graph represents the number of records stolen ranging from 0 to 1,200,000,000, in increments of 200,000,000. The horizontal axis of the graph represents the years from 2008 to 2021, in increments of 1 year. The number of records stolen in the different companies are approximately as follows: Heartland Payment Systems Inc.: 2009, 100,500,000; LinkedIn: 2012, 180,000,000; Adobe Systems: 2013, 175,000,000; Ebay Inc., 2014, 170,000,000; Yahoo Inc.: 2014, 480,000,000; MySpace: 2016, 380,000,000; Friend Finder Network: 2017, 400,010,000; Equifax: 2017, 168,000,000; Marriott International, 2018, 485,000,000; Twitter: 2018, 360,000,000; Under Armour: 2018, 175,000,000; First American Corp.: 2019, 910,000,000; Facebook: 2019, 585,000,000; Indian citizens: 2019, 300,000,000; Canva: 2019, 190,000,000; Sina Weibo: 2020, 580,000,000; Estee Lauder: 2020, 500,000,000; Microsoft: 2019, 190,000,000; Tetrad: 2020, 175,000,000. All values are approximated. The coordinates are a circle with a circle for First American Corp being the largest and that for Tetrad being the smallest.

7 of 26

The Largest Data Breaches

C E 14.1 What is a data breach?

Three largest data breaches are so enormous that they would have caused the other data points to be unreadable by comparison
Some mega data breaches include Yahoo! Inc. (3 billion), Keepnet Labs (5 billion), Advanced Info Service (8 billion), and C A M 4 (10 billion)

8 of 26

Why Do Data Breaches Happen?

C E 14.1 What is a data breach?

67% are hackers trying to make money from:

Personally identifiable information (P I I)

Names, addresses, dates of birth, Social Security numbers, credit card numbers, health records, bank account numbers, PINs, email addresses

Rogue internal employees
Credit card fraud, identity theft, extortion, industrial espionage

9 of 26

Attack Vectors

C E 14.2 How do data breaches happen?

Attack vectors

Phishing scam
Trick users into donating funds for a natural disaster
Exploit new software vulnerability

10 of 26

Hitting Target

C E 14.2 How do data breaches happen?

Lost 40 million credit and debit card numbers to attackers (December. 18, 2013)
Less than a month later, announced additional 70 million customer names, emails, addresses, phone numbers stolen

Total 98 million customers affected

Stolen from point-of-sale (P O S) systems at Target retail stores

11 of 26

The Target Data Breach

C E 14.2 How do data breaches happen?

Figure C E 14.2 Target Data Breach

Attackers first purchased malware designed specifically for the attacks they planned to carry out. Then, they used spear phishing, or a targeted phishing attack, to infect a Target third-party vendor named Fazio Mechanical Services. Attackers placed a piece of malware called Citadel on Fazio’s system to gather keystrokes, login credentials, and screenshots from Fazio users.
The attackers used the stolen login credentials from Fazio to access a vendor portal (or server) on Target’s network. The attackers escalated privileges on that server (i.e., took over the server) and gained access to Target’s internal network.
Attackers compromised an internal Windows file server. From this server, the attackers used malware named Trojan.POSRAM (a variant of BlackPOS) to extract customer data from POS terminals.
Customer data was continuously sent from the POS terminals to an extraction server within Target’s network. It was then funneled out of Target’s network to drop servers in Russia, Brazil, and Miami. From there, the data was collected and sold on the black market.

Long Description:

The diagram shows the eight steps involved in the process of a target data breach as follows:��Step 1: Money (from Attackers to Malware Writers)�Step 2: Malware (from Malware Writers to Attackers)�Step 3: Phishing Malware (from Attackers to Fazio Mechanical Services)�Step 4: Stolen Credentials (from Fazio Mechanical Services to Attackers)�Step 5: Stolen Credentials and Malware (from Attackers to Vendor Server )�Step 6: Malware (from Vendor Server to Windows Server)�Step 7: Malware (from Extraction Server to POS Terminals)�Step 8: Stolen Data (from POS Terminals to Extraction Server)�Step 9: Stolen Data (from Extraction Server to Russia, Brazil, and Miami)�Step 10: Stolen Data (from Russia, Brazil, and Miami to Attackers)��The servers, Vendor Server, Windows Server, and Extraction Server, the steps from 6 through 8, and POS Terminals are marked together as “Target’s Network.”

12 of 26

The Damage

C E 14.2 How do data breaches happen?

Attackers sold about 2 million credit card numbers and PINs for about $26.85 each (total $53.7 million)
Cost Target $450 million

Upgraded P O S terminals to support chip-and-PIN cards
Increased insurance premiums, legal fees, credit card processors settlement, pay for consumer credit monitoring, regulatory fines
Lost sales, 46% drop in next quarter revenues

13 of 26

Collateral Damage

C E 14.2 How do data breaches happen?

Payment processing industry

Shift to E M V-compliant smart cards forced replacement of 800 million payment cards and 14 million P O S terminals at a cost of $7 billion

Consumers

Enrolled in credit monitoring, continually watch their credit, and fill out paperwork if fraudulent charges appear on statements

Increased insurance premiums, stricter controls, and more system auditing for organizations similar to Target

14 of 26

Responding to Data Breaches (1 of 2)

C E 14.3 How should organizations respond to data breaches?

Respond Quickly

Stop hackers from doing more damage

Exfiltration or illegally transferring data out

Immediately notify affected users

Plan for a Data Breach

Walkthroughs, business continuity planning, computer security incident response team (C S I R T)

15 of 26

Responding to Data Breaches (2 of 2)

C E 14.3 How should organizations respond to data breaches?

Get experts to perform an effective forensic investigation
Identify additional technical and law enforcement professionals needed
Be honest about the breach

16 of 26

Best Practices for Notifying Users of a Data Breach

C E 14.3 How should organizations respond to data breaches?

Figure C E 14.3 Best Practices for Notifying Users of a Data Breach

Best Practice	The Right Way	The Wrong Way
1. Be transparent in your activity and demonstrate that you are getting the word out.	Directly email every affected user with details about the data breach, and include a popup advisory on the company’s most visited page.	Include a vague reference in a rarely-read press release that includes plenty of technical jargon.
2. Follow your normal media routine.	Notification is sent to local reporters that usually report on the organization as well as a typical press release.	Only send the notification to a small number of users.
3. Avoid absolutes.	State that, so far, the data breach has affected a certain number of users but the investigation is still ongoing.	State that the breach only affected a certain number of users, and no more.
4. Avoid misleading statements.	“We are investigating the possibility of lost credit card data.”	“We don’t have any evidence that credit cards have been compromised.” But you’ve received notification from a credit processor that an investigation is under way.
5. Don’t attempt to withhold key details.	“It appears that at least 40 percent of user accounts were compromised.”	“I can’t comment on the number of accounts compromised at this time.”
6. Stay focused and concise.	Give a brief, concise, and factual statement about the data breach.	Provide extraneous details about failings of internal backup, off-site data policies, and unrelated criminal investigations.

17 of 26

P C I D S S Standards

C E 14.4 What are the legal consequences of a data breach?

Figure C E 14.4 P C I D S S Standards

Blank	P C I D S S Requirements
Build and Maintain a Secure Network and Systems	1.Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data	3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program	5. Protect all systems against malware, and regularly update antivirus software or programs. 6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures	7. Restrict access to cardholder data by businesses on a need-to-know basis. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks	10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.
Maintain an Information Security Policy	12. Maintain a policy that addresses information security for all personnel.

18 of 26

Regulatory Laws Govern the Secure Storage of Data in Certain Industries

C E 14.4 What are the legal consequences of a data breach?

Federal Information Security Management Act (F I S M A)

Requires security precautions for government agencies

Gramm-Leach-Bliley Act (G L B A), a.k.a., Financial Services Modernization Act

Requires data protection for financial institutions

Health Information Portability and Accountability Act (H I P A A)

Requires data protection for healthcare institutions

Payment Card Industry Data Security Standard (P C I D S S)

Governs secure storage of cardholder data

Family Educational Rights and Privacy Act (F E R P A)

Provides protection for student education records

19 of 26

Preventing Data Breaches (1 of 2)

C E 14.5 How can data breaches be prevented?

Use countermeasures software or procedures to prevent an attack
Better phishing detection software
Better authentication (i.e., multifactor authentication)
Network intrusion detection system (N I D S) to examine traffic passing through internal network
Data loss prevention systems (D L P) to prevent sensitive data from being released to unauthorized persons.

20 of 26

Preventing Data Breaches (2 of 2)

C E 14.5 How can data breaches be prevented?

Figure C E 14.5 Suggestions for Preventing Data Loss

21 of 26

Your Role in I S Security

C E 14.6 What is your role in I S security?

The security of every system depends on the behavior of its users.
If the people component of an I S does not follow the security procedures component, then the quality of the H W, S W, and data security components is meaningless.
Usernames and passwords are the first line of defense for most information systems.
Proper password creation and protection measures are vital.

22 of 26

Common (Weak) Passwords

C E 14.6 What is your role in I S security?

Figure C E 14.6 The Most Commonly Used Weak Passwords

23 of 26

Passwords and Password Etiquette (1 of 2)

C E 14.6 What is your role in I S security?

12+ characters.
Does not contain your username, real name, or company name.
Does not contain a complete dictionary word in any language.
Different from previous passwords used.
Contains both upper- and lowercase letters, numbers,

and special characters (such as

24 of 26

Passwords and Password Etiquette (2 of 2)

C E 14.6 What is your role in I S security?

Never write down your password.
Never ask someone for their password.
Never give your password to someone.
“do-s i-do” move—move away so another person can enter password privately

Common professional practice.

25 of 26

Active Review

C E 14.1 What is a data breach?

C E 14.2 How do data breaches happen?

C E 14.3 How should organizations respond to data breaches?

C E 14.4 What are the legal consequences of a data breach?

C E 14.5 How can data breaches be prevented?

C E 14.6 What is your role in I S Security?

26 of 26

Copyright

This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.