Wednesday, December 11, 2019

Data Security Breaches for Problems and Solutions - Free Sample

Question: Discuss about the Data Security Breaches for Problems and Solutions.

Answer:

Introduction:

In October 2015, hackers were able to gain access to T-Mobile and Experian data records. Following the attack, the two companies were sued by aggrieved customers whose records were severely exposed. In fact, according to Forbes Tech (2015), over 15 million customer records were exposed in the attack. So, why the two companies? T-Mobile uses Experian (a credit tracking company) to process its credit requirements, including applications. Therefore, a breach of the records held by these companies exposed sensitive data on financial transactions. In essence, the data breach was conducted on Experian Plc servers, where over 15 million T-Mobile customers had submitted credit applications. Moreover, the hack was an isolated incident that occurred over a short period of time. An exact time frame was never revealed; however, any customer who had applied for T-Mobile's post-paid products or services between September 2013 and 2015 was affected. Furthermore, the hackers mostly got away with personal data such as names, addresses, birthdays, social security numbers and military IDs, among many others. However, the company noted that no other data was captured, particularly data housing other financial records (Pagliery, 2015).

How and why the breach occurred

According to Krebs (a renowned cyber security expert), Experian's application portal was to blame for the attack. In his analysis, Krebs noted that Experian's analysis and decision credit portal allowed users to upload any file attachment regardless of the type. Therefore, through these attachments, the hackers were able to upload malicious files that affected the company's database. Moreover, this type of attack is pretty common, whereby attackers inject malware into an organisation's database to disrupt operations or, as in this case, to harvest sensitive data.
In addition to this, the attack was also aggravated by the fact that Experian did not require its users to sign in with a username or password before uploading their files. In a nutshell, this meant any anonymous person could upload a file without any form of authentication or authorization (Wired, 2015). A quick analysis of the hack outlined the following: through the unprotected upload facility, the intruders gained access to the company's (Experian's) servers. Moreover, the said upload facility enabled malware to be uploaded into the system to harvest information. However, the encryption method used to encrypt customer data was not disclosed, which raised more questions. The breach may have occurred to acquire customers' personal data, but the intruders should never have been able to decipher the information. Yet the data was actually decrypted, as noted by experts who claimed to have seen the data being auctioned on the dark web (Larson, 2015). Because of this outcome, the plaintiffs in the lawsuit accused both companies of negligence, as the information offered on the dark web placed the users (customers) at risk. Even more worrying was Experian's solution to the problem, which suggested an extended free service to the customers after a thorough assessment that needed the same customers to provide more confidential information (Pagliery, 2015).

Information is the new currency of business; organisations spend heavily on protecting their data, particularly that of their customers, who rely on these organisations to protect them. This case study depicts a serious threat to, and vulnerability of, cyber systems. To begin with, Experian and T-Mobile should have included thorough authentication as well as authorization protocols before enabling their users to upload files.
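The two controls the case study finds missing at the upload facility, authentication before upload and a restriction on file type, can be sketched as follows. This is an added example, not code from Experian or from the original essay; the session store, the allowed document types and the size limit are assumptions.

```python
import hmac

# Assumed policy for a credit-application portal: only these document types,
# each paired with the leading bytes a genuine file of that type starts with.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024

# Constructed session store (token -> user); stands in for a real backend.
SESSIONS = {"tok-alice-constructed": "alice"}


def authenticate(token):
    """Return the user for a valid session token, else None."""
    if not token:
        return None
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    return None


def check_upload(token, filename, data):
    """Return (accepted, reason); every check must pass before storing."""
    user = authenticate(token)
    if user is None:
        return False, "unauthenticated"
    if len(data) > MAX_BYTES:
        return False, "too large"
    name = filename.lower()
    # Only the final extension counts, so "form.pdf.exe" is judged as ".exe".
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    magic = ALLOWED.get(ext)
    if magic is None:
        return False, "type not allowed"
    if not data.startswith(magic):
        return False, "content does not match extension"
    return True, f"accepted for {user}"
```
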
Moreover, if these functionalities were never in place, both organisations, with their massive revenues, should have done regular risk assessments to identify vulnerabilities in their systems (Bennett, 2013). Their existing approach may have been adopted to facilitate easier transactions with their system; however, a system's usability should never come at the price of security. At the very least, a basic access control feature should have been incorporated. In addition to this, these organisations can enact information content management procedures where users encrypt their own personal data before uploading it to the system. Commonly known as enterprise rights management (ERM), this procedure encrypts documents and provides rules on who can access the said files (Verizon, 2015). With such encryption, files can traverse any network or communication channel without fear of compromise or intrusion. This approach would have helped Experian, whose customer records would have been safe regardless of the intruders accessing the files (encrypted with the access rules). On the other hand, T-Mobile should have included a thorough security assessment as part of its acquisition process, i.e. when partnering with Experian. This precaution would have identified the risks associated with Experian's systems (Forbes, 2015). Nevertheless, the major security violation in this case was a negligent system that exposed confidential data to the internet without any form of authentication. Experian should change its systems drastically to incorporate competent authentication procedures into its upload services. Moreover, it must conduct regular security assessments regardless of whether it faces attacks or not (FTC, 2015).

JPMorgan Chase hack

JPMorgan Chase, a renowned financial institution, experienced one of the biggest security breaches in 2014. In the said attack, intruders gained access to over 100 million records of the company's customers.
Moreover, this attack compromised more than one aspect of the organisation's resources; this included household users, businesses and even charity branches of JPMorgan. In addition to this, the attack compromised several of the organisation's publishing systems, which essentially affected the authenticity of the information produced (Crowe, 2015). According to JPMorgan, the intruders gained access to the company's servers, accessing customers' confidential information such as names, telephone numbers and addresses. Furthermore, they also gained access to other sensitive information that was undisclosed at the time for security reasons. Nevertheless, despite this massive intrusion, JPMorgan held to the notion that the hack did not affect its financial records, which maintained the accuracy of its banking details (Weise, 2014). Its evidence for this view was the fact that no account files were compromised by the attack, which meant the intruders never gained access to the bank's account numbers, IDs and social security numbers. However, this information was refuted by the New York Times, which outlined the severity of the attack. In its report, the New York Times suggested that the intruders gained maximum access to JPMorgan's systems through the authorization they acquired, which was the highest access level possible. In other reviews by Krebs (2015), the intruders acquired maximum privileges on over 90 servers owned by the financial institution across the globe. This outcome gave the hackers root access control over the organisation's financial services, including its confidential information, manipulation of accounts (open and close) and the ability to transfer funds. Therefore, when needed, the hackers could do whatever they wanted with minimal restrictions.
However, as stated before, the organisation's financial systems were unaffected despite the criminals' extensive access, which fuelled the notion of future attacks through vulnerabilities left by the perpetrators. Today, reputable organisations like JPMorgan employ sophisticated security measures to avoid attacks such as the one seen in this case study. In the attack, one would expect an extensive and sophisticated attack technique sourced from the dark web; however, this intrusion was instigated by a simple, if not negligent, security flaw. First, the cybercriminals acquired an employee's (confidential) login information. With this resource, they accessed the organisation's systems and used them to manipulate other control information, most notably the pump-and-dump resource for the online stock exchange scheme. It is through this scheme that the intruders gained massive earnings, using the online processing systems that controlled services such as online gambling (Farrell & Hurtado, 2015). Furthermore, the intruders used a clever access option to avoid detection, in that they exploited the affiliate system linked to JPMorgan's data. Through the stolen credential, they accessed different systems owned by the organisation across different branches in the world. To start with, they hacked websites owned by charity organisations hosted by JPMorgan. In fact, according to the final assessment, a charity website was the first intrusion point of the hack (Goldstein, Perlroth & Corkery, 2014). Through this intricate plan, the cybercriminals went undetected for many months while exploiting the vulnerabilities hosted by the institution. After the intrusions were detected, many feared a coordinated attack on United States systems; however, because of the simple security flaw, negligence was concluded to be the root cause of the problem.
Solutions and Preventing the Attack

At the beginning of the incident, security experts thought that malware sourced from the dark web was used to compromise JPMorgan's systems; however, following a thorough assessment, the credential flaw was discovered to be the problem. Again, as seen in the previous case study, JPMorgan needs to invest in competent security measures: first, in authentication procedures and secondly, in authorization policies. Yes, sensitive data was stolen (a login credential), but the system should have had other extended protocols to identify the user beyond any reasonable doubt. A simple solution would have been a multiple-authentication procedure, where more than one variable is used to identify the users of JPMorgan's systems (TRC, 2015). For instance, the login credential can be combined with biometric scanners to verify the user who requests access. Moreover, the login credentials should only have limited access, where further authorization is needed to gain access to other extended systems. Finally, the access codes should also be limited and changed regularly to contain the losses in case they fall into the wrong hands (Verizon, 2015).

Nevertheless, another problem is also showcased by this case study: that of network vulnerabilities. Many organisations today face a considerable challenge in maintaining a strong security system throughout the year regardless of the business outcomes. This attack also went undetected because the organisation at the time focused on payment processes, as it was at a turnover period. Therefore, minor systems such as charity websites were neglected, which fuelled the attack (Valdetero & Zetoony, 2014). Moreover, JPMorgan, as seen before, failed to assess its affiliate organisations during acquisition. Therefore, the organisation should also employ security assessments before acquiring and integrating new systems into its extended services (Forbes, 2015).
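The multiple-authentication procedure and limited access recommended above can be combined in one access decision, shown here as an added example that is not part of the original essay or any JPMorgan system. It uses an RFC 6238 one-time password as the second variable; the role names, system names and policy table are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per one-time-password step


def totp(secret, at, digits=6):
    """RFC 6238 one-time password (HMAC-SHA1) for the step containing `at`."""
    counter = struct.pack(">Q", max(0, int(at)) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted, at, window=1):
    """Accept the current step and `window` steps either side (clock drift)."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * STEP)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


# Constructed policy (assumption): systems each role may reach, and which
# of those additionally demand a second factor.
ROLE_SYSTEMS = {
    "charity-web-admin": {"charity-site"},
    "payments-ops": {"charity-site", "payments"},
}
NEEDS_SECOND_FACTOR = {"payments"}


def authorize(role, system, password_ok, secret=None, code=None, now=None):
    """A password alone never reaches beyond the role's own systems, and
    sensitive systems also require a valid one-time code."""
    if not password_ok or system not in ROLE_SYSTEMS.get(role, set()):
        return False
    if system not in NEEDS_SECOND_FACTOR:
        return True
    if secret is None or code is None:
        return False
    return verify_totp(secret, code, time.time() if now is None else now)
```
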
In summary, JPMorgan's attack could have been prevented with basic security measures. For one, employees should not have access information prescribed in their badges. Secondly, even if access cards are used, another variable should be used to authenticate the user, e.g. a one-time password. Moreover, access must be limited across the systems owned by the organisation; no one-time PIN should serve as wholesale access to the company's system. In addition to this, regular assessments should be done to detect and identify system vulnerabilities or even existing threats such as the attack experienced (FTC, 2015).

References

Bennett, S. (2013). Data Security Breaches: Problems And Solutions. Jones Day. Retrieved 14 April, 2017, from: https://www.jonesday.com/files/Publication/2dbb7406-ba13-4305-902a-8f2c65ef3d49/Presentation/PublicationAttachment/301495c5-31c8-4881-8202-9dd8665df004/TPL0812-Bennett.pdf

Crowe, P. (2015). JPMorgan fell victim to the largest theft of customer data from a financial institution in US history. Retrieved 4 March, 2017, from: https://www.businessinsider.com/jpmorgan-hacked-bank-breach-2015-11?IR=T

Farrell, G. & Hurtado. (2015). JPMorgan's 2014 Hack Tied to Largest Cyber Breach Ever. Bloomberg. Retrieved 4 March, 2017, from: https://www.bloomberg.com/news/articles/2015-11-10/hackers-accused-by-u-s-of-targeting-top-banks-mutual-funds

Federal Trade Commission (FTC). (2015). Data breach response. A guide of business. Retrieved 14 April, 2017, from: https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf

Forbes. (2015). The Top 10 Security Breaches Of 2015. Tech. Retrieved 14 April, 2017, from: https://www.forbes.com/sites/quora/2015/12/31/the-top-10-security-breaches-of-2015/6/#4ae5d13e377a

Goldstein, M., Perlroth, N. & Corkery, M. (2014). Neglected Server Provided Entry for JPMorgan Hackers. DealBook. Retrieved 4 March, 2017, from: https://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/

Krebs. (2016). Hyatt Card Breach Hit 250 Hotels in 50 Nations. Retrieved 4 March, 2017, from: https://krebsonsecurity.com/2016/01/hyatt-card-breach-hit-250-hotels-in-50-nations/

Larson, E. (2015). T-Mobile, Experian Sued Over Data Hack Affecting 15 Million. Bloomberg Technology. Retrieved 14 April, 2017, from: https://www.bloomberg.com/news/articles/2015-10-07/t-mobile-experian-sued-over-hack-on-15-million-customers

Pagliery, J. (2015). T-Mobile customers' info breached after Experian hack. CNN Tech. Retrieved 14 April, 2017, from: https://money.cnn.com/2015/10/01/technology/tmobile-experian-data-breach/

TRC. (2015). Data breach report. IDT911. Retrieved 03 March, 2017, from: https://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf

Valdetero, J. & Zetoony, D. (2014). Data security breaches; incidence preparedness and response. Washington Legal Foundation. Retrieved 03 March, 2017, from: https://www.bryancave.com/images/content/2/2/v2/2285/DataBreachHandbookValdeteroandZetoony.pdf

Verizon. (2015). 2015 data breach investigation report. Verizon Enterprise Solution. Retrieved 14 April, 2017, from: https://msisac.cisecurity.org/whitepaper/documents/1.pdf

Weise, E. (2014). JP Morgan reveals data breach affected 76 million households. USA Today. Retrieved 4 March, 2017, from: https://www.usatoday.com/story/tech/2014/10/02/jp-morgan-security-breach/16590689/

Wired. (2015). Hack Brief: Hackers Steal 15M T-Mobile Customers Data from Experian. Retrieved 14 April, 2017, from: https://www.wired.com/2015/10/hack-brief-hackers-steal-15m-t-mobile-customers-data-experian/
