I’ve wondered for a while now whether the number of data breaches are growing at an exponential rate or whether it is just that they get reported far more often, and by mediums that allow the news to travel much farther and quicker?
In either case, the fact is that any business of note has to believe that it could happen to them, just as it happened to Bell Canada over the weekend.
Over 20,000 customers of the telecommunications giant, many of whom are small business owners themselves, fell victim to the latest attack which saw their usernames and passwords displayed for all to see on the internet.
Bell, claiming the breached servers were not theirs, released a statement saying,
“Bell today announced that 22,421 user names and passwords and 5 valid credit card numbers of Bell small-business customers were posted on the Internet this weekend. The posting results from illegal hacking of an Ottawa-based third-party supplier’s information technology system.
In line with our strict privacy and security policies, Bell is contacting affected small business customers, has disabled all affected passwords, and has informed appropriate credit card companies. We continue to work with the supplier as well as law enforcement and government security officials to investigate the matter.
Bell’s own network and IT systems were not impacted. The issue does not affect Bell residential, mobility or enterprise business customers.”
This latest breach was carried out by a group identifying itself as NullCrew, which is yet to disclose any kind of motive for the attack, but it did subsequently release a public dump of the data on Saturday.
The site hosting that data has now been taken offline but you can bet your bottom dollar that several interested parties of both the white and black hatted variety would have nabbed a copy for themselves whilst it was still available.
In the meantime there is still some debate about whose servers were hacked with Bell adamant that it wasn’t theirs. NullCrew, on the other hand, still claim that it was indeed Bell servers that they got into.
Whatever the case may be, the breach, described by Bell as an “illegal hacking” incident, comes hot on the heels of a breach at Yahoo last week and other high-profile attacks such as the one on US retailer Target which may have seen data for as many as 110 million customers stolen.
So what can you do to minimise the risks of being the next victim of a data breach?
A few ideas would be:
- always storing your customer data in an encrypted database
- ensuring you employ a strong information security management system
- running security software on all of your servers and workstations
- periodically running security assessments on your information systems
- preparing a co-ordinated response ahead of time to be delivered should a breach actually occur – bad PR is something I see too often after an attack, something that often exacerbates the situation and leaves a poor taste in the mouths of customers
- ensuring all staff have at least some security awareness, irrespective of their role within the organisation, in order to minimise the risks posed by silly mistakes or the threat of social engineering being used to gain access to the system in the first place.
Do you have any other ideas for minimising the risks of a data breach or dealing with one that has already occurred?