One major cause of data breaches
Over 50% of data breaches are due to published exploits for which fixes or patches were already available.
The exact percentage depends on which study you refer to. The vulnerabilities may lie in the operating system, in platforms such as Java and Flash, or in the applications themselves.
Secure configuration is essential, and patching is one aspect of it: making sure that you are running the most up-to-date software.
The reality is that many organisations do not adequately patch their software and hardware. For many it is an onerous task. They may be worried about introducing faults into their production services, or they may simply lack the resources.
The risk is real either way: the risk to production from running different (updated) software, and the risk of attackers exploiting known vulnerabilities.
Regression and user-acceptance testing are essential here. Another mitigation is staged patching: a proportion of the servers or instances of the software is patched first and run in production (or on test or development units), and the remainder are patched only once that first slice has proved stable.
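The staged approach above, as an added example that is not part of the original post: a small rollout controller that finds the hosts still below the version carrying the fix, patches them in cumulative stages (10%, 50%, 100%), runs a health check against everything patched so far after each stage, and reverts every patched host if any check fails, so a bad patch never reaches more than the canary slice. The fleet, the version numbers, the fixed version 1.5.0 and the two health-check functions are all constructed for illustration; a real health check would be a smoke test or an error-rate query against the patched hosts.

```python
"""Staged (canary) patch rollout with health checks and rollback.

Added example; not code from the original page. The fleet, version numbers
and health-check functions are constructed for illustration.
"""
import math
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass
class Host:
    name: str
    version: str                # installed version, e.g. "1.4.9"
    rollback_version: str = ""  # remembered so a failed stage can be undone


def parse_version(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0). Comparing dotted versions as strings is a
    classic patch-audit bug: '1.10.0' < '1.9.0' lexically."""
    return tuple(int(p) for p in v.split("."))


def unpatched(hosts: Iterable[Host], fixed_version: str) -> List[Host]:
    """Hosts still running something older than the release that carries the fix."""
    fixed = parse_version(fixed_version)
    return [h for h in hosts if parse_version(h.version) < fixed]


def staged_rollout(hosts: Iterable[Host], fixed_version: str,
                   stages: Iterable[float],
                   health_check: Callable[[Host], bool]) -> dict:
    """Patch the vulnerable hosts in cumulative stages (e.g. 0.1, 0.5, 1.0).

    After every stage the health check runs against *all* hosts patched so
    far. One failure halts the rollout and reverts every patched host, so a
    regression only ever reaches the canary slice of production.
    """
    targets = unpatched(hosts, fixed_version)
    patched: List[Host] = []
    for stage in stages:
        goal = math.ceil(len(targets) * stage)  # cumulative host count for this stage
        for h in targets[len(patched):goal]:
            h.rollback_version = h.version
            h.version = fixed_version
            patched.append(h)
        failed = [h.name for h in patched if not health_check(h)]
        if failed:
            for h in patched:                   # roll back everything touched
                h.version = h.rollback_version
            return {"status": "rolled_back", "stage": stage, "failed": failed,
                    "still_vulnerable": [h.name for h in targets]}
    return {"status": "complete", "patched": [h.name for h in patched],
            "still_vulnerable": []}


FIXED_VERSION = "1.5.0"     # constructed: first release that carries the fix
STAGES = (0.1, 0.5, 1.0)    # canary, half the fleet, everything


def sample_fleet() -> List[Host]:
    """Constructed fleet: six of eight hosts are below the fixed version."""
    return [Host("app-01", "1.4.2"), Host("app-02", "1.4.9"), Host("app-03", "1.5.0"),
            Host("app-04", "1.3.7"), Host("app-05", "1.4.9"), Host("app-06", "1.5.1"),
            Host("app-07", "1.2.0"), Host("app-08", "1.4.9")]


def healthy(_: Host) -> bool:
    """Stand-in for a real smoke test (HTTP probe, error-rate query, etc.)."""
    return True


def regression_on_app04(h: Host) -> bool:
    """Simulates the feared outcome: the patch breaks one host's workload."""
    return h.name != "app-04"


if __name__ == "__main__":
    print(staged_rollout(sample_fleet(), FIXED_VERSION, STAGES, healthy))
    print(staged_rollout(sample_fleet(), FIXED_VERSION, STAGES, regression_on_app04))
```

With the always-healthy check the rollout completes and all six vulnerable hosts end up on 1.5.0; with the simulated regression the second stage (50%) trips on app-04, the three hosts touched so far are reverted, and the report still lists all six as vulnerable, which is the signal to fix the regression rather than to quietly leave the fleet half-patched.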
I’ve just talked about the value of, and reasons for, patching.
The other consideration is the cost of not patching.
There are many examples, but I’ll share just a couple with you.
Talktalk loses data
Talktalk is a communications company in the UK mobile telephone, TV and broadband market. In 2015 they lost the details of 157,000 customers. The vulnerability was on a website that had not been patched for 3.5 years. In the aftermath they lost more than 150,000 customers, and their share price dropped 30%.
Promotions and incentives to retain customers cost them 35M GBP. Their 2016 profits dropped by 56%. They were also fined 400,000 GBP by the ICO. Under GDPR the fine imposed could have been more than 70M GBP.
Equifax loses even more data
Moving to a more recent data breach: Equifax. They provide credit-scoring services to the public and to businesses, and many financial organisations use them to assess the credit-worthiness of individuals and companies.
They hold data on more than 820 million individuals and 91 million businesses.
In 2017 they lost the details of some 145 million people in the USA, at least 400,000 in the UK and 100,000 in Canada.
Heads roll
Within Equifax, the chief information officer David Webb and the chief security officer Susan Mauldin retired, and within two weeks Richard Smith, the CEO, announced that he was stepping down; in October he went on to explain the breach to a US Congressional committee.
The market is not impressed
Their share price had been trading around 140 USD and plunged to a low of 94 USD a few days after the disclosure, a drop of roughly a third, comparable to Talktalk’s.
The full financial impact on Equifax is unknown at this time, as the breach is still so recent.
The breach is believed to have come from a vulnerability that had been publicised and known for months, and for which a fix was available, but which had not been mitigated.
The fallout from this incident is yet to settle. There are likely to be class-action lawsuits in the USA and Canada, and the respective regulators are likely to be sifting through the post-mortem reports and deciding what punitive measures to take.
Further reading and references
- Talktalk record fine
- ICO’s statement on Talktalk’s breach
- Talktalk fined again (third-party loss)
- ICO comments on Talktalk’s third-party loss
- Equifax data breach
- ICO’s statement on Equifax’s breach