Netflix - Information Technology
Data Breaches
Chapter Extension 14
ce14-2
Study Questions
Copyright © 2017 Pearson Education, Inc.
Q1: What is a data breach?
Q2: How do data breaches happen?
Q3: How should organizations respond to data breaches?
Q4: What are the legal consequences of a data breach?
Q5: How can data breaches be prevented?
ce14-3
Q1: What is A Data Breach?
• Data breach – Unauthorized person views, alters, or steals secured data
• 1+ billion people affected in past 5 years, 75% of breaches happened in US
• Average cost of a single data breach $3.5 million
• Average costs per stolen record
  – Healthcare ($359)
  – Pharmaceutical ($227)
  – Communications industries ($177)
  – Education ($294)
  – Financial ($206)
ce14-4
Costs of Handling a Data Breach
Direct Costs
• Notification
• Detection
• Escalation
• Remediation
• Legal fees and consultation
Indirect Costs
• Loss of reputation
• Abnormal customer turnover
• Increased customer acquisition activities
• Additional $3.3 million per incident in US
ce14-5
What Are the Odds?
• More likely to lose smaller amounts of data than larger amounts of data
  – 22% chance of losing 10,000 records over any 24-month period
  – <1% chance of losing 100,000 records over same period
ce14-6
Well-known Data Breaches
ce14-7
Why Do Data Breaches Happen?
• 67% are hackers trying to make money from:
  – Personally identifiable information (PII): names, addresses, dates of birth, Social Security numbers, credit card numbers, health records, bank account numbers, PINs, email addresses
• Rogue internal employees
• Credit card fraud, identity theft, extortion, industrial espionage
ce14-8
Q2: How Do Data Breaches Happen?
• Attack vectors
  – Phishing scam
  – Trick users into donating funds for a natural disaster
  – Exploit new software vulnerability
ce14-9
Hitting Target
• Lost 40 million credit and debit card numbers to attackers (Dec. 18, 2013)
• Less than a month later, announced additional 70 million customer names, emails, addresses, phone numbers stolen
  – Total 98 million customers affected
• Stolen from point-of-sale (POS) systems at Target retail stores
ce14-10
How Did They Do It?
ce14-11
The Damage
• Attackers sold about 2 million credit card numbers and PINs for about $26.85 each (total $53.7 million)
• Sold in batches of 100,000 card numbers
• Cost Target $450 million
  – Upgraded POS terminals to support chip-and-PIN enabled cards
  – Increased insurance premiums, legal fees, credit card processors settlement, pay for consumer credit monitoring, regulatory fines
  – Lost sales, 46% drop in next quarter revenues
ce14-12
Collateral Damage
• Credit unions and banks
  – Spent more than $200 million issuing new cards
• Consumers
  – Enrolled in credit monitoring, continually watch their credit, and fill out paperwork if fraudulent charges appear on statements
• Increased insurance premiums, stricter controls, and more system auditing for organizations similar to Target
ce14-13
Q3: How Should Organizations Respond To Data Breaches?
• Respond Quickly
  – Stop hackers from doing more damage (exfiltration, or illegally transferring data out)
  – Immediately notify affected users
• Plan for a Data Breach
  – Walkthroughs, business continuity planning, computer security incident response team (CSIRT)
ce14-14
Q3: How Should Organizations Respond To Data Breaches? (cont'd)
• Get experts to perform an effective forensic investigation
• Identify additional technical and law enforcement professionals needed
• Be honest about the breach
ce14-15
Best Practices for Notifying Users of a Data Breach
ce14-16
Q4: What Are The Legal Consequences of a Data Breach?
ce14-17
Regulatory Laws Govern the Secure Storage of Data in Certain Industries
• Federal Information Security Management Act (FISMA)
  – Requires security precautions for government agencies
• Gramm-Leach-Bliley Act (GLBA), a.k.a. Financial Services Modernization Act
  – Requires data protection for financial institutions
• Health Information Portability and Accountability Act (HIPAA)
  – Requires data protection for healthcare institutions
• Payment Card Industry Data Security Standard (PCI DSS)
  – Governs secure storage of cardholder data
• Family Educational Rights and Privacy Act (FERPA)
  – Provides protection for student education records
ce14-18
Q5: How Can Data Breaches Be Prevented?
• Use countermeasures: software or procedures that prevent an attack
• Better phishing detection software
• Better authentication (i.e., multifactor authentication)
• Network intrusion detection system (NIDS) to examine traffic passing through internal network
• Data loss prevention systems (DLP) to prevent sensitive data from being released to unauthorized persons
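The last bullet (and the "stop exfiltration" point under Q3) is easier to picture with a concrete content check. The following is an added example, not code from the textbook: a minimal data loss prevention scan that inspects outbound records for the PII categories listed under Q1 (Social Security numbers, credit card numbers, email addresses), confirms card candidates with the Luhn mod-10 check so that an ordinary 16-digit order code is not mistaken for a card, and then applies a hypothetical policy (block SSN/card, flag email, allow the rest) and masks what it found. The sample records, the regular expressions and the block/flag/allow policy are all constructed for this illustration.

```python
import re

# Constructed sample outbound records (not from the textbook): the kind of
# text a mail gateway or web proxy would inspect before it leaves the network.
SAMPLE_OUTBOUND = [
    "Subject: Q3 report attached. Regards, Dana",
    "Patient 4471: SSN 078-05-1120, DOB 1984-03-12",
    "Order confirmation, card 4111 1111 1111 1111 exp 09/27",
    "Lunch menu: pizza on Friday, order code 1234 5678 9012 3456",
    "Contact: dana@example.com, phone 555-0100",
]

# US Social Security number in dashed form; rejects impossible area,
# group and serial values so fewer ordinary numbers trip the rule.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits with optional single spaces or dashes between them,
# starting and ending on a digit; candidates are confirmed with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_valid(digits):
    """Luhn mod-10 check: true for well-formed card numbers, false for most
    random digit runs, which is what separates a card from an order code."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(text):
    """Return (category, matched_text) pairs for the PII found in one record."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            findings.append(("card", m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    return findings


def redact(text):
    """Mask SSNs and Luhn-valid card numbers, keeping only the last four digits."""
    text = SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)

    def mask_card(m):
        digits = re.sub(r"\D", "", m.group())
        return "[CARD ****" + digits[-4:] + "]" if luhn_valid(digits) else m.group()

    return CARD_RE.sub(mask_card, text)


# Hypothetical policy: records carrying SSNs or card numbers are blocked,
# records with only email addresses are flagged for review, all others pass.
BLOCK_CATEGORIES = {"ssn", "card"}


def classify_outbound(records):
    """Apply the policy to each record and return a verdict with its findings."""
    results = []
    for text in records:
        findings = scan_record(text)
        categories = {cat for cat, _ in findings}
        if categories & BLOCK_CATEGORIES:
            verdict = "block"
        elif categories:
            verdict = "flag"
        else:
            verdict = "allow"
        results.append({"verdict": verdict, "findings": findings,
                        "redacted": redact(text)})
    return results


if __name__ == "__main__":
    for r in classify_outbound(SAMPLE_OUTBOUND):
        print(r["verdict"].upper(), r["findings"], "->", r["redacted"])
```

Two design points carry over to real DLP deployments: pattern matches alone produce noise, so each candidate is validated (here with Luhn, and with SSN range rules) before it counts as a finding, and the scanner records what it matched and where so an incident response team can later establish exactly which records were at risk rather than guessing.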
ce14-19
Q5: How Can Data Breaches Be Prevented? (cont'd)
• Appoint a chief information security officer (CISO) to ensure sufficient executive support and resources