Data breaches in the news in 2014
Data breaches have been a popular topic of conversation already this year, much of this stemming from the large breaches that occurred at the end of last year. But going into 2014 we are continuing to hear more and more about data breaches. I am not sure if this is a product of the recent awareness of them, or due to their newfound frequency. Either way, it leaves us with a more compelling argument that data security for on-network and off-network devices is extremely important, and data breaches are going to continue to happen.
At the beginning of the month, KrebsOnSecurity first reported that beauty retailer Sally Beauty had been a victim of a network hack, likely caused by the same culprits involved with the Target hack. Sally Beauty responded by saying there had been malicious activity but there was no evidence credit card data was stolen; this occurred around May 5th. Just days later, Sally Beauty announced they had in fact found evidence that fewer than 25,000 records containing credit card information had been taken. This number is far less than the 282,000 KrebsOnSecurity reported in their initial blog. The larger figure was estimated based on purchases made by several banks from fraud sites that were selling credit cards from the Target breach. A large batch was purchased and they were non-Target card numbers; all the numbers purchased were in fact from Sally Beauty. Sally Beauty is currently working with many organizations, including the United States Secret Service, to investigate and mitigate the issues and damages.
A few weeks back I wrote a blog regarding a data exposure at Indiana University that affected roughly 146,000 records. Well, the good news is that since the exposure there has been no evidence of any of those records having been used maliciously. They had done a fantastic job of getting out notifications quickly and gathering the necessary resources to provide support to those whose data was exposed. Also lucky for them, the investigation into the exposure is now coming to a close, but at a cost. It is reported that just having the data exposed will end up costing the university over $80,000, and they will have provided over 700 hours of personnel support. They took all of the necessary precautions after discovering the exposure and it still cost them over $80,000 and 700+ man-hours. All of this over something that could have been caught and corrected in less than an hour.