Billionaire investor Warren Buffett once said, “It’s good to learn from your mistakes. It’s better to learn from other people’s mistakes.”
When it comes to data breaches, learning from other companies’ missteps and oversights can save you time, money, and plenty of headaches. It can also protect your reputation.
Over the past decade, we’ve seen giant brands fall victim to breaches that exposed their customers’ and employees’ sensitive information. These experiences were more than a little uncomfortable for the organizations involved, which ended up paying millions in fines and settlements and spending years rebuilding their reputations. But they make great learning opportunities for everyone else.
Here are three takeaways from a few of the biggest data breaches of the past ten years:
1. Your Employees Are Your Biggest Risk
In 2018, Marriott, the world’s largest hotel chain, reported that as many as 500 million guest records in its Starwood reservation database had been compromised, according to CSO. Names, addresses, passport numbers, and encrypted payment card numbers (and potentially the keys needed to decrypt them) were stolen from the company’s servers. Worse, the intrusion reportedly began a whopping four years earlier, in 2014, before Marriott had even acquired Starwood.
Investigators found a remote access trojan (RAT) on the compromised systems. A RAT is a class of malware that gives attackers a persistent backdoor into a machine, and it typically arrives when an employee opens an attachment or link from a phishing email.
Then, in 2020, the chain was back in the headlines when attackers used the login credentials of two employees at a franchise property to pull guest data from the Marriott Bonvoy loyalty program, according to CNBC. That breach affected about 5.2 million guests.
Lesson learned: Your employees can be your best defense against cybercrime, but only if you give them the training and tools to act on it. Until then, they remain your weakest link.
Teach them healthy habits: how to recognize and report a suspected phishing attempt, and how to practice good password hygiene (a unique password per account, ideally from a password manager). Then hold them accountable for their actions and make sure they know how, and are expected, to report and correct their mistakes promptly; the Starwood intrusion sat undetected for four years. Finally, don’t let a single stolen password be enough: the 2020 Bonvoy incident needed nothing more than two employees’ credentials, which is exactly the case multi-factor authentication on staff and franchise accounts is meant to stop.
2. You Should Thoroughly Vet Third-Party Providers
At the end of 2013, in the middle of the holiday shopping season, cybercriminals stole payment card data for about 40 million Target shoppers and personal details (names, addresses, phone numbers, and email addresses) for up to 70 million more, roughly 110 million people in all, according to ZDNet. In total, the attackers reportedly exfiltrated about 11 gigabytes of data.
At the time, this was one of the largest third-party (supply chain) compromises ever executed.
A third-party forensic team traced the intrusion to a compromised HVAC vendor. The attackers phished the vendor, used its stolen credentials to log in to Target’s supplier portal, and from there moved into Target’s internal network, eventually installing memory-scraping malware on point-of-sale terminals to capture card data as customers paid. In the end, the retailer paid out roughly $300 million in settlements and breach-related costs.
Lesson learned: You’re only as strong as your least secure vendor. When choosing third-party services, take the time to vet their security practices carefully, and pay close attention to their track record: a vendor that has been breached before and cannot explain what it changed afterward is likely to be breached again. Just as important, limit what a vendor account can reach. A login for a supplier portal should never be a stepping stone to the systems that process card payments, so segment vendor access from your internal network and grant it only the privileges the job requires.
3. Don’t Rely on Companies to Disclose Their Data Breaches
In 2016, Yahoo reported that an estimated one billion users’ information had been compromised in an attack. The problem? The attack had actually taken place three years earlier, in 2013.
And upon further investigation, in 2017, the breach turned out to have exposed three billion accounts, every single account that existed at the time of the hack, according to The New York Times. The records included names, email addresses, phone numbers, dates of birth, passwords hashed with the weak MD5 algorithm, and in some cases security questions and answers.
Worse, the 2013 breach only came to light during the investigation of a separate attack from 2014, which had exposed 500 million accounts and which Yahoo had itself disclosed only in September 2016.
Yahoo was hung out to dry, not only for its poor response but also for how long it took the company to come clean. Seven years later, Yahoo users are still claiming payouts from the breach settlement. And it is hard to think of the company today without thinking about this hack and its mismanagement.
Lesson learned: The Yahoo breach teaches us two valuable lessons. First, don’t wait to let your customers know if their information has been exposed. The longer you wait, the less likely they are to trust you in the future. Second, don’t expect other organizations to disclose their data breaches to you, at least not immediately. Some wait days, weeks, or, in the case of Yahoo, years before notifying their customers.
So What Should You Do?
The first step is awareness. Recognizing the sorts of mistakes other companies make can help you make better decisions for your organization.
The next step is to invest in actionable threat intelligence for your business.
This will help you:
- Educate your employees and hold them accountable for their online activities
- Protect end users by identifying who is most at-risk and locking down vulnerable accounts
- Assess third-party risk before signing contracts with new vendors
- Discover quickly whether your sensitive data, credentials in particular, has turned up in a breach, rather than waiting for the breached company to tell you
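As an added example (this is not code from the original article or from any product it describes), here is how the “has this password already leaked?” check behind the last two bullets is done without handing the password, or even its full hash, to whoever holds the breach corpus: the k-anonymity range protocol popularised by Have I Been Pwned’s Pwned Passwords service. The client hashes the password locally, sends only the first five hex characters of the SHA-1, receives every suffix in that bucket, and matches the rest locally. The breach corpus, its counts, and the `range_lookup` function that stands in for the HTTP endpoint are all constructed for this example and are not real breach data.

```python
import hashlib
from collections import defaultdict

# Constructed corpus for this example: (password, times seen in breaches).
# The passwords and counts are illustrative, not real breach statistics.
CONSTRUCTED_CORPUS = [
    ("password", 3_861_493),
    ("123456", 24_230_577),
    ("letmein", 200_000),
    ("Marriott2018", 12),
]

HEX = set("0123456789ABCDEF")


def sha1_hex(s: str) -> str:
    """Uppercase hex SHA-1, the hash the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket hashes by their 5-hex-char prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus:
        h = sha1_hex(pw)
        prefix, suffix = h[:5], h[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP range endpoint (an assumption of this example).
    It receives ONLY the 5-character prefix and returns every hash suffix in
    that bucket as 'SUFFIX:COUNT' lines, the text format the real API uses."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    bucket = RANGE_INDEX.get(prefix, {})
    return "\r\n".join(f"{s}:{n}" for s, n in sorted(bucket.items()))


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = unseen).
    The server learns at most the prefix, which matches ~1/1,048,576 of all hashes."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        line_suffix, _, count = line.partition(":")
        if line_suffix.strip() == suffix:
            return int(count)
    return 0


def at_risk_accounts(accounts, lookup=range_lookup) -> dict:
    """Screen (username, password) pairs and return {username: breach_count}
    for every account whose password is already in the corpus. Run this at
    password-set time; do not build a plaintext password list just to run it."""
    flagged = {}
    for user, pw in accounts:
        n = breach_count(pw, lookup)
        if n:
            flagged[user] = n
    return flagged


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
    print(at_risk_accounts([("alice", "password"), ("bob", "7kQ!v-unique-passphrase-2024")]))
```

The point of passing `lookup` as a parameter is that the same client logic works against a local mirror of the corpus (which is what you want for bulk screening of your own users) or against the public range endpoint, and it makes the privacy property easy to verify: whatever `lookup` you supply only ever receives the five-character prefix.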
There’s no 100 percent guarantee your organization won’t become the victim of the next major data breach. But by taking the right precautions and learning from others’ mistakes, you can significantly reduce your risk.