News has emerged that so far in 2017, over 1 billion pieces of personal data have been taken from cloud servers and databases. In most cases, it’s not the fault of the cloud companies, such as Amazon and Microsoft. It’s their clients that don’t take adequate precautions regarding security.
How can this have happened?
Let’s examine what has happened, how and why. After that, we can see what can be done to combat these leaks of data.
Billions and Billions Leaked
IBM X-Force, the security research division of IBM, has been tracking publicly announced data leaks since 2011. So far in 2017, they believe that 1.3 billion exposed records have been taken from cloud servers and databases.
Types of data include usernames and passwords, health records, voter data, and credit card info from e-Commerce sites.
Sources of Data
Many of these data leaks came from market research companies that have been compiling profiles of members of the public, through data they have posted about themselves on social media. People give so much information about themselves on Facebook, LinkedIn and the like. It’s no surprise that market research companies gather up this prized data. It’s also perfectly legal. It’s just a shame they aren’t taking adequate measures to safeguard it.
Unscrupulous hackers have attempted to extort money from these companies, encrypting the data, then offering to give it back in return for a ransom.
More unusual data that has been found includes audio files that parents have recorded for their children. These files were stolen from a toy company that makes teddy bears that play audio files. There was also a leak of audio reports relating to crime scenes, from a US Sheriff’s office.
How Did This Happen?
In the recent past, between 2011 and 2013, the main cause of data breaches was SQL injection. However, most of the leaks today have been due to misconfigured cloud servers. Basically, clients who are hiring cloud space from companies like Amazon Web Services and Microsoft are not securing their data properly.
Hackers are using sophisticated methods to discover which servers are exposed, looking for weak points in the armor. Then, they’re going in and taking what they can.
Security Mistakes are Being Made
There are many things these cloud clients are doing wrong, showing hackers the way. These include developers filling test servers with real customer data while they’re building the infrastructure, but not properly securing it when the real thing goes live.
Some were making backups of their data, but not securing the backups properly. Others were not using encryption properly, or were slack with permission settings, giving too many people access to the data.
However, the main reason is that the clients just aren’t considering the risks. They may be just building a small database for benign marketing reasons, and don’t see the need for extra security measures which are a pain to use on a day-to-day basis. They don’t see themselves as a target for hackers because they’re small. However, they’re wrong.
Perhaps the most worrying part is that companies are storing all of their data in one place, rather than breaking it up into parts. The problem with this method is that, if a hacker gets in, they can get everything. Hundreds of millions of pieces of people’s personal data are at risk.
What Should be Done?
What these companies should be doing is following the advice of the companies they’re using for their cloud storage provision. All the main cloud storage companies provide strong and easy-to-follow guidelines on how to keep data stored with them secure.
The first step should be to conduct a proper risk assessment before transferring such sensitive data onto the cloud. Try to anticipate problems before they happen.
Always encrypt data, and be ultra-strict on who has permission to access the database. When members of staff leave the company, make sure they’re removed from the system. It may be a struggle to do all this, dealing with it on an everyday level, but in the long run, you’ll reap the benefits.
The best advice is to get a data security professional to check your system over or, better still, to set up your cloud storage in the first instance.
Finally, don’t store all your data in one place. Break it into parts and store each part separately.
If you’re in charge of IT, security, data or related departments at your company, you are holding people’s sensitive data in your hands. Breaches are inconvenient at best for your customers; at worst they can be very distressing, especially if customers lose money because of them. Most of us have been the victims of online fraud by now; it’s an awful experience.
Cloud servers should be inherently secure. Just take care of your data, and your data will take care of you.