
MySpace becomes every hackers’ space with top breach in 2016, report says

Ryan Francis | Feb. 8, 2017
Forrester releases report of top breaches for the year but excludes Yahoo.

Government authorities mishandle voter data

This was a landmark year for lost voter records: more than 150 million records were exposed over the past 12 months. Authorities lost the majority of these records because they misconfigured databases to allow public access. Examples include the Mexican case and the Iowa Republican Party in the U.S., which left 2 million voter records open to the public. Both of these breaches were preventable, Forrester said.

Key lessons from these incidents include:

  • Realize that data breaches don’t require threat actors. Something as simple as emailing personal information to the wrong person qualifies as a breach. In this case, Mexican political party Movimiento Ciudadano allowed public access to stored personal information for millions of voters.
  • Audit third parties you share information with. Information sharing brings many benefits and is even mandated in some industries, but it poses reputational risk.
  • Reserve the right to audit third parties with whom you share information to guarantee that they have the requisite processes to protect both the data and your firm’s reputation.
  • Establish vulnerability and configuration management in conjunction with DevOps. The first step to mitigating this type of vulnerability is to establish secure deployment guidelines for DevOps processes to ensure you have a secure and repeatable process for requisitioning systems. After this, use vulnerability and configuration management tools to ensure that you maintain your security baseline.
  • Define a clear path of escalation for incident reporting. The personal information of nearly 75 percent of Mexico’s population was freely accessible on the internet, and there was no clear path for communicating this to the organization responsible for this data. Many organizations have no defined channels (even internally) for users to report suspicious activities.
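The configuration-baseline point above (databases left open to the public, and the advice to maintain a security baseline with configuration management tooling) can be made concrete with a small audit check. The following is an added illustration, not code from Forrester or the article; the descriptor fields (`bind_address`, `auth_required`, `allowed_sources`, `contains_personal_data`, `encrypted_at_rest`) and the sample inventory are constructed assumptions, not any real tool's schema.

```python
"""Baseline check over database deployment descriptors (constructed example)."""
from ipaddress import ip_network

# Address blocks treated as internal; assumed RFC 1918 ranges for this illustration.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_private(cidr: str) -> bool:
    """True if the CIDR lies entirely inside an internal range."""
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def check_deployment(desc: dict) -> list[str]:
    """Return baseline findings for one descriptor; an empty list means compliant."""
    findings = []
    if desc.get("bind_address", "127.0.0.1") == "0.0.0.0":
        findings.append("listens on all interfaces")
    if not desc.get("auth_required", False):
        findings.append("authentication disabled")
    public = [c for c in desc.get("allowed_sources", []) if not _is_private(c)]
    if public:
        findings.append("reachable from non-private sources: " + ", ".join(public))
    if desc.get("contains_personal_data") and not desc.get("encrypted_at_rest", False):
        findings.append("personal data stored without encryption at rest")
    return findings


def audit(deployments: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant deployment name to its findings."""
    return {d["name"]: f for d in deployments if (f := check_deployment(d))}


# Constructed sample inventory (hypothetical systems, not real ones).
SAMPLE_DEPLOYMENTS = [
    {"name": "voter-db", "bind_address": "0.0.0.0", "auth_required": False,
     "allowed_sources": ["0.0.0.0/0"], "contains_personal_data": True,
     "encrypted_at_rest": False},
    {"name": "analytics-db", "bind_address": "10.0.5.12", "auth_required": True,
     "allowed_sources": ["10.0.0.0/16"], "contains_personal_data": True,
     "encrypted_at_rest": True},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEPLOYMENTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against a real inventory, the same check can gate a DevOps pipeline so a descriptor that drifts from the baseline fails deployment rather than going live.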
