A few years ago data breaches weren’t all that common or, if they were, they certainly weren’t being reported with quite the same regularity that they are now.
Nowadays, it seems like another big company is getting hit just about every week – but let us not forget that smaller breaches are also a regular occurrence too.
So what are you doing to mitigate the risk of a breach affecting your organisation?
Hmmm…in that case, this post is for you then as I detail just two incidents from the last week that really ought to have you sitting bolt upright, considering the various costs associated with becoming the next data breach casualty.
Firstly, there was the news that one of the biggest mobile carriers in the US – AT&T – had been slapped hard by the Federal Communications Commission (FCC).
Between 2013 and 2014 a series of breaches at call centres in Mexico, Colombia and the Philippines led to the unauthorised disclosure of personal data, including names and Social Security numbers, of some 280,000 US customers.
The FCC’s investigation revealed that over 40 call centre employees had collectively accessed the records so that third parties could submit handset unlocking requests through AT&T’s online portal. According to an FCC official, many of the handsets in question appeared to have been stolen.
As a result of the breach the carrier – which is the second largest in the US – was ordered to hand over $25 million, the largest civil penalty ever handed out in respect of privacy and data security enforcement action.
AT&T was also ordered to file regular compliance reports to the FCC and the company also voluntarily took on the added expense of notifying all impacted customers as well as offering them a year of free credit monitoring.
But it’s not just large settlements that large companies should fear in the wake of a data breach – reputational damage can be an equally big issue.
White Lodging Services
Take White Lodging Services, for example.
The Indiana-based company provides hotel management services across 14 properties, putting it on an altogether different scale to AT&T, but its business may have been damaged just as much by the news that it has suffered a payment card breach.
Can you imagine how prospective customers must feel, knowing that the company’s point-of-sale systems were compromised between 20 March, 2013 and 16 December of the same year?
Not great, I bet, though the relatively small size of the company may have kept it out of the largest news circles.
Unfortunately for White Lodging Services, some things in the past refuse to stay there, as its systems were again compromised on 27 January this year.
The company says the latest attack is not related to the previous one and it’s hard to tell whether customers should be reassured or increasingly worried about that to be honest.
That the company’s POS systems could be compromised once is worrying but perhaps not entirely surprising, given how the likes of Target, Home Depot and Neiman Marcus have all suffered a similar fate in the recent past.
Something is going on here and, in the absence of further information from the company or comment from law enforcement, it’s hard to say what.
In any event, I would suspect that potential customers of White Lodging Services may well have heard the news by now and may be considering their next moves and whether they may be better off staying elsewhere.
That’s not to say that the company has done anything wrong – it may just have been the unfortunate victim of a very skilled attacker (twice, no less) – but the consequences may ultimately be no less damaging than the penalty handed to AT&T.
So, again, the question is, what are you doing to mitigate the risk of a data breach – a crime not limited to the United States – affecting your firm? And do you have an incident response prepared in case the worst does happen?