Bank Systems & Technology is part of the Informa Tech Division of Informa PLC




Another Day, Another Massive Data Breach: Did The Bad Guys Win?

Sony. Epsilon. Millions of customers' names, email addresses and other personal information were exposed in April.

At what point will it become standard practice to simply publish personal and financial details directly to the open Internet?

Maybe we should start adding our physical address, personal email address, phone number, social security number, credit card information and password to our public-facing Twitter, Facebook and LinkedIn profiles. Someone's going to steal the information anyway. Why make them jump through hoops to get it?

All joking aside, the most recent big-time data breach -- in which hackers infiltrated Sony's PlayStation Network -- has left more than 70 million gamers (or their parents) feeling somewhat exposed. Sony admitted the breach on Tuesday, but its PlayStation Network had been unavailable to gamers since the attack, which allegedly happened a week earlier. That means whoever compromised the network had roughly a week's head start before Sony told all those customers to change their passwords, screen their email and watch their bank accounts for any unusual activity.

Sony's just the latest in a wave of recent data breaches and hacks that include email marketer Epsilon and security token provider RSA.

Apparently the old adage "information wants to be free" still has some legs.

It's unknown whether customer credit card information was part of the data stolen from Sony. But as with the Epsilon breach earlier in the month, it appears that millions more names and email addresses -- along with other personal information and passwords -- are in the hands of someone who may not have the best of intentions.

The recent large-scale breaches may damage public perception of the brands that were attacked, but the long-term effect of that sensitive information landing in the hands of bad actors is something that should concern any company that does business on the Internet, and any IT organization trying to keep its own sensitive data from leaking into the wrong hands.

"Officially the weakest link in security today is the human," Lance James, director of intelligence for security provider Vigilant and author of "Phishing Exposed" told Bank Systems & Technology in a recent interview. "It’s not the desktop, it’s the user."

The volume of names, email addresses and other personal information stolen recently is staggering. Maybe none of it will ever go anywhere. Or maybe that information -- which may tie individuals to their financial institution of choice, since an email marketer such as Epsilon knows which bank's mailing list a given address belongs to -- will lead to a rise in sophisticated spear phishing attacks that could ultimately affect financial institutions everywhere.

Banks and corporations layer security, build firewalls and harden their networks to make sure everything is protected from the outside in, James says. But that doesn't necessarily protect against the weakest link.

"In the world of today’s attacks there’s no silver bullet for stopping a persistent attack," James adds. "A human’s going to make a mistake. We are human."

As James puts it, from a corporate standpoint, knowing that there are persistent attacks, and that a new wave of them could be on its way, it's like going to war. "You raise your threat levels."

But there is no Geneva Convention dictating the rules under which cyber criminals treat the victims of a security breach.

"With the tools available (to a hacker) today… it’s like handing guns out to a bunch of kids," James says. "There are going to be all these bullets flying around, someone’s bound to get hurt. And the biggest thing with the corporations, the bad actors in this are very flexible. They can do anything they want -- they don’t have any laws to go by. So for the corporates, they have to be able to adapt."

The best defense against a social engineering attack, James suggests, is vigilance, both from a network perspective and a personal one: monitor activity, and inform your staff, associates, customers and friends.

Take extra caution.

Use common sense.

"It’s definitely a climate that requires people to be a little more careful," James adds.
