Data Breaches Around the World and How to Prevent Them
In 2018, massive data breaches echoed all over the world. According to the Gemalto Breach Level Index, 944 data breaches were reported in the first half of 2018, compromising a staggering 3.3 billion data records worldwide. One can only imagine how many went unreported, or what the total cost of all these breaches was.
Data Breaches Around the World
Just some examples:
Unique Identification Authority of India / Aadhaar (India’s government ID database) had 1.1 billion records affected – a massive breach that allowed access to the private information of Indian residents, including their names, 12-digit ID numbers, phone numbers, e-mail addresses and information on connected services, such as bank accounts.
Marriott Starwood Hotels had 500 million records affected, including guest information, phone numbers, email addresses, passport numbers, reservation dates and credit card numbers!
Exactis had 340 million records affected – this incident exposed affected consumers’ email addresses, physical addresses, phone numbers and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children.
And the list goes on!
What is the real cost of a data breach?
If anyone wonders what the cost or financial damage of a data breach could be, let me illustrate:
The 2017 Cost of Data Breach Study (commissioned by IBM Security) reports that a total of 419 companies had been attacked in the previous year. The average cost of an incident resulting in a data leak was around 3.6 million US dollars.
If that average does not show the extremes, take Uber’s case: in 2016 hackers gained access to around 57 million user accounts and 600,000 driver accounts (including the drivers’ licenses). Instead of being transparent, Uber paid the hackers 100,000 dollars in exchange for deleting the stolen data, after which Uber acted as if nothing had happened. Big mistake. A year later the truth surfaced and the backlash was enormous, which led to the firing of their CSO and contributed to the company’s valuation dropping from 68 billion to 48 billion dollars. Talk about a perfect example of how not to handle a data breach!
On that note, in Europe the GDPR requires the disclosure of data breaches, and any cover-up could result in massive fines in addition to the loss of public trust.
Best practices to prevent a data breach
A few best practices to avoid a data breach include the following:
1. Have a plan: This means having a clear understanding of what kind of data you have and where it is stored, developing procedures, following them and keeping them updated.
2. Layered security: Sooner or later any organisation can become a victim of an attack. What helps to contain the attack and can prevent it from turning into a data breach is comprehensive layered security, such as encryption of sensitive data, patching and updating software, enforcing security policies and access roles, solid credentials, multi-factor authentication, and use of a comprehensive security fabric – modern firewalls (with IPS, AV, DLP), endpoint protection, logging, monitoring, etc.
3. Invest in employee training and development: Educate employees on best security practices and ways to avoid socially engineered attacks. Some of the most popular IP vendors offer a diverse portfolio of security-related training.