While 2018 saw its share of data breaches, according to Experian’s annual Data Breach Industry Forecast report, this year’s top cyber-threats have lessons for both corporate IT management and data center operators. Michael Bruemmer, VP, Consumer Protection at Experian, warns that cyber-criminals always seem to be one step ahead of new protection measures, and a top cloud vendor breach is a matter of when, not if.
Grant Kirkwood, CTO and co-founder, Unitas Global, is of the same opinion, recently stating in an interview with Data Economy that “Enterprises should approach multinational cloud deployment by assuming and planning for the worst. This way, a contingency plan will already be thought through should any issues or concerns arise.” Cameron Bahar, CTO of data protection company Veritas, believes the prevention strategy lies in the risk profile: “My advice is to be aware of what you have and the risk profile associated with that data. If you don’t know, then if somebody comes in and steals that data, you’re exposed and your brand image gets tarnished.”
Recent data breaches are a reminder to the industry to stay vigilant, especially given the costs to enterprises and service providers. Below are some of the data breach announcements that have made headlines so far this year.
International hackers attack Citrix
An Iranian-linked hacker group called IRIDIUM broke into the IT systems of multinational software company Citrix, and downloaded at least six terabytes of sensitive internal files. The FBI alerted Citrix to the attack on March 6th. Citrix CSIO Stan Black wrote a blog post confirming the breach.
Citrix has a large portfolio spread across different sectors in the business and government IT markets. Its customers include the White House, the FBI, 99% of the Fortune 100, and 98% of the Fortune 500. According to Charles Yoo, president of cybersecurity firm Resecurity, the data stolen by IRIDIUM was focused on assets related to NASA, aerospace contracts, Saudi Arabia’s state oil company and the FBI. The files were accessed through a brute-force tactic called ‘password spraying’, which exploits weak passwords.
Citrix believes the hack was contained within its corporate network and that customer data was not compromised. The enterprise software giant said it is fully cooperating with the FBI probe, and has also hired an external security firm to help investigate the cyber-intrusion.
Servers without password protection expose sensitive data
IT security and cloud data management company, Rubrik, unwittingly exposed tens of gigabytes of sensitive customer data that goes back to October of last year. The database itself was running on a hosted Amazon Elasticsearch server without a password, making it vulnerable to anyone who knew where to find it. Rubrik pulled the server offline within an hour of being alerted by TechCrunch.
The State Bank of India, the largest financial institution in a country of close to 1.4 billion people, also failed to protect a server with a password, exposing the financial data of millions of its customers — including bank-to-customer text messages, account balances, recent transactions, partial bank account numbers and phone numbers.
Confidential health data leaked in Singapore
In January, the private information of 5,400 Singaporeans and 8,800 foreigners diagnosed with HIV was stolen and published online in Singapore. According to a statement by Singapore’s Ministry of Health, the leaked data included names, phone numbers, addresses and HIV test results dating back to 2013.
The culprit is believed to be an HIV-positive US citizen and partner of the former head of Singapore’s National Public Health Unit, who was convicted for falsifying his partner’s medical records to allow him to enter the country. Until 2015, foreigners with HIV were not allowed entry into Singapore.
Deer breaks into the server room of a data center in North America
A deer recently slipped past the guards and biometrics of an unidentified data center in North America that was being decommissioned for relocation. One source tweeted photos and explained, “The deer made the hole apparently through [a] glass window when it got spooked.”
The four-legged intruder made it into the server room before the sheriff and animal control were called. According to Chris Thomas, founder of the CyberSquirrel1 project, this is not unusual — at least 2,524 animals have “broken into” critical infrastructure since 2013.
While some, if not all, of the above breaches could have been prevented, data breaches can still occur even with certified best-practice cyber-security strategies and programs in place. A Data Protection Act in Ohio has taken the unprecedented move of seeking to protect companies from being sued after they have suffered cyber-attacks.
The legislation went into effect in late 2018, and states that an organization may qualify for “safe harbor” under the Ohio law if the company can prove it followed best practices, which include creating a cybersecurity program that falls under one of eight such frameworks: two NIST frameworks, FedRAMP, ISO 27000, HIPAA, Gramm-Leach-Bliley, FISMA, and the Center for Internet Security Critical Security Controls framework.
Given the law is still relatively new, it will be interesting to analyze the impact of the changes when it is first tested in the courts and whether other states follow suit.