5 Philadelphia Data Breaches in 2016 & How to Avoid Them in 2017
Cyber criminals are striking at a rapid and unpredictable pace. Companies ranging from healthcare providers to financial institutions, small businesses to multinational corporations, are discovering – sometimes months after the initial trespass – that they are among the latest victims of an increasing number of data breaches.
One of the highest-profile national data breaches of 2016 was the theft of the Department of Homeland Security's employee list, obtained from the Department of Justice (DOJ) with a bit of social engineering. The hacker claims to have simply called up the DOJ and requested access to an internal portal, which ultimately gave them access to internal devices, documents and confidential data. Breaches of this magnitude get our attention and then fade into the background, but there's a particular sting when they hit so close to home. Last year, several Philadelphia-area organizations made headlines. Here we list 5 of them and then provide tips to help you protect your own organization.
- A Main Line Health employee was targeted in an email spear phishing scheme that compromised the personal information of the Philadelphia-based healthcare provider's staff.
- A multi-restaurant breach targeted three Landry's restaurants (McCormick & Schmick’s, Morton's and Chart House) in Philadelphia. Hackers installed a program on payment card processing devices, compromising secure credit card data.
- Westin Hotel Philadelphia was part of the HEI Hotels and Resorts' breach taking place well over a year ago, through 6/6/16. Hackers installed malware on Point-of-Sale (POS) systems and captured payment data.
- Forty PA Wendy's Restaurants, including 7 in Philadelphia, were among hundreds targeted in another POS systems hack that compromised customer credit card data.
- The Archdiocese of Philadelphia was fined $650,000 for a 2014 HIPAA breach at Catholic Healthcare Services, which involved a single stolen iPhone that was unencrypted and not password protected. The private health information of over 400 nursing home residents was compromised.
Take Action, Be Informed
Cyber schemes and tactics have evolved, and it can be difficult to calculate the potential risk to your business given the wide range of criminal options: email scams, ransomware, POS hacks and more. As cyber incidents become more complex and grow in both sophistication and scale, the cost per breach continues to rise. (See: New Study Finds Alarming Financial Impact of Data Breaches.) Providing consistent education to employees at all levels is critical so that they know what signs and tactics to look out for. Do not rely on Google to be your cyber teacher. New forms of cyber threats are introduced daily; bringing in third-party cybersecurity experts to keep you and your employees on guard can make all the difference.
On the Technical Defense
Cybersecurity and data protection are your responsibility, but they don't have to be your burden. There are countless tools available to help your organization put technology in place that automates cyber defense, from multifactor authentication, which requires more than one form of credential at login, to endpoint protection software, and even tools that detect logins from suspicious IP addresses. Again, a third-party expert experienced in security assessments can help you determine the resources that make the most sense for your business and budget. (See: 3 Tools to Boost Your Cybersecurity Posture.)
Create Policies and Accountability
Does your business have a mobile device policy? What happens if one of your employees loses a corporate cell phone, or their own cell phone that holds corporate data? Policies are time consuming, and not always welcomed by employees, but they protect your business (need we remind you that security is your responsibility?). A third party can also help you implement policies that have worked well for other businesses in your industry.
Like a Natural Disaster
Consider cybercrime like a fire or flood – prepare to minimize damage, and prepare for the inevitable should "the big one" hit. Tighten up and diversify your security posture, and develop a disaster recovery checklist that includes data backup solutions, testing and communication strategies, and reliable IT support. (Learn about the seven essential steps to protect your business in our Disaster Recovery Checklist here.) From your IT resources to PR professionals and high-level executives, make sure you have a strategy in place to respond and mitigate damage immediately. Most states, including Pennsylvania, legally require organizations to report a data breach, both to the state and to consumers, without delay (learn more here).
Cybercrime is a booming business, with multiple ways to turn stolen data into profit, often within hours on overseas black markets. While many notable intrusions make the news, many more data breaches never reach the public eye, costing companies billions of dollars. Leadership should take notice of this likely permanent threat and initiate the following steps:
- Get informed and stay informed – connect with trusted experts you can turn to
- Streamline cyber defense where possible using technology – enterprise-class security tools are available to businesses of all size and should be implemented
- Implement these basic resources:
  - A disaster recovery plan for your systems – ensure data recovery and business continuity
  - Training and company policies to keep all employees informed and accountable
  - A C-level strategy for company protection including IT resources, insurance, regulatory responses and PR strategies
Taking concrete action and being aware of the modern cybercrime landscape can help you sleep at night, knowing that you have added to your company's value by protecting it against the significant losses involved in cybercrime.