In December of 2020, wireless service company T-Mobile saw its fourth data breach in three years. The information accessed by attackers consisted of Customer Proprietary Network Information (CPNI) which is the data our cell phone providers collect related to our calls including phone numbers called, frequency, duration, and timing of the calls. This is considered some of the most sensitive data available to be collected by wireless providers as it tracks and accounts for actual user activity. Needless to say, this has caused distrust between the public and this company which should be protecting users rather than putting them further at risk.
Web service provider Yahoo! was once one of the most commonly used email address and Internet servers in America; however, the company experienced its own slew of data breaches in 2013, 2014, and another data breach that went undetected until 2016. As with T-Mobile, customer faith in this company’s ability to protect their data was essentially squandered beyond repair.
Sony has experienced multiple data breaches affecting a variety of its operating segments including both the PlayStation networks and its film side of the house, Sony Pictures. These hacks have yet to have the impact that the numerous Yahoo or T-Mobile breaches have had with regards to customer relations as the PS5 is still in high demand. Despite this, there are many other implications that a company must encounter when they have faced repeat data breaches.
Each of these major, publicly-traded companies are examples of a group of businesses which are growing at a worrying rate: companies with repeat data breaches. One of the main questions that arises out of these events is why? Why do companies experience repeat data breaches?
When hackers get into a company, they create a little secret door which they got in and left through — if a company doesn’t patch the vulnerability that made it possible for the malicious actors to get in, it’s a swinging door available to them at any time they please. Sixty percent of data breaches in 2019 were related to an unpatched vulnerability in the company’s networks. Particularly in the case of a second, third, or fourth data breach, this is likely a known cybersecurity vulnerability. Missing this sort of issue is a major flaw in the company’s cyber defenses, and it would surely be cause for a change in the IT team. Even if this was not a known vulnerability, a company which has been rocked by a data breach in the past must be extra vigilant when it comes to protecting its networks.
While employees can be an incredible asset to a company, they are also some of the biggest threats to cybersecurity. Employees who use weak passwords for their work-related accounts or who do not properly protect their company-owned devices can be worse than a random hacker — it is as though they are putting the network-secure information on a silver platter for the malicious actors to use as a key into the company’s systems.
Additionally, an employee who is uneducated when it comes to cybersecurity best practices is an easy target for phishing scams. Phishing scams are one of the top ways malicious actors gain access into businesses’ networks and steal data. The only way a phishing scam will work is if the human on the receiving end falls for the trick, making human error a major threat. Again, a company who has already gone through a cyber attack should have employee best practices when it comes to cybersecurity as a priority for training.
Seventeen percent of data breaches occur due to malware. Malware is as the name indicates malicious software. When unsecure sites have pop-ups and an employee carelessly clicks on it to get it to go away, this is one way malware gets into a company — piggybacking off of the human error element. Any software downloaded without the user being aware of the download creates an access point for a hacker to infiltrate and then exploit a system, making a pathway for a potential data breach. Companies should encourage employees to do what they can to protect against malware by not clicking on any pop-ups or email attachments from strange senders; additionally, the cybersecurity teams of a company need to be sure to monitor and secure systems to be aware of any oddities that enter the system.