When You Ignore the Warning Signs
Updated: Oct 7, 2020
Let's look at the big "cyber" data breaches that have affected millions of Americans over the past 10 years.
Target Corporation 2013
Home Depot 2014
Sony Pictures 2014
Federal Office of Personnel Management 2015
Marriott International 2018
Capital One 2019
Federal Emergency Management Agency 2019
We see some common patterns:
1. Persistent negligence - when those in charge ignore the warning signs.
2. Denial - the first sign of weakness.
3. Misdirected priorities - when the bottom line matters more than security.
In each of these cases, the initial weaknesses that allowed the cyber-attack and subsequent data exfiltration were known, yet ignored. Here are some of the highlights:
Target Corporation 2013
HVAC vendor falls prey to email phishing campaign, November 2013
Company lacks enforceable password policy
Corporate network using unpatched systems with "worse than weak" security configurations
Hackers are able to implant malware that can traverse the corporate network
In December 2013, hackers easily traversed the corporate network and installed malware on the Point of Sale systems. They stole around 40 million credit card numbers and personal information from 70 million customers. Only after the fact did Target Corporation spend the money to hire a security team to audit its corporate network and promote a security plan.
Home Depot 2014
Home Depot management notified about the failure to encrypt Point of Sale data, 2009
Employees reported major in-store sales device flaws to management, 2010
Security department warned management about lack of anti-virus software, 2014
Management refused to address data security concerns due to cost
During the 5-year timespan in which Home Depot management knew about critical security flaws in its corporate network, the credit card records of over 56 million individuals were stolen.
Federal Office of Personnel Management 2015
Department of Homeland Security discovers malware on an OPM server, July 2012
No measures are taken to remove this or any other malware until April 2015
During the 3-year timespan of gross negligence and miscommunication between those in charge, over 21 million sensitive personnel records, including background checks and fingerprints, from over 4 million individuals were stolen.
Equifax 2017
Website weakness discovered and reported to management, March 9, 2017
Left unaddressed until July 29
During that timespan, hackers were able to implant malware and steal 143 million Social Security numbers, dates of birth, addresses, and driver's license numbers. Adding insult to injury, Equifax offers customers another website, for free, but this new website is also easily hacked.
What's the message? Do NOT ignore the warning signs. Do NOT deny the facts. Greed does not always pay off - sometimes you really DO have to spend on resources that might not be part of your short-term profit plan.