On August 15, 2021, a number of media outlets indicated that T-Mobile was investigating a data breach that may have included the names, date of births, phone numbers, T-Mobile account pins, Social Security numbers, and Drivers’ License numbers of over 30 million current and former T-Mobile customers. A number of class-action lawsuits have already been filed, which allege negligence, violation of applicable law (including the California Consumer Privacy Act, CCPA), and/or other wrongful conduct.
The incident is a stark reminder that data breaches have become common for organizations of any size and in every industry. From Main Street to Wall Street, from Fortune 500 companies to the small local businesses, no company is immune from cybersecurity attacks. Today’s cyber-criminals are well organized crime syndicates who seek to make a profit, one way or another. They have perfected their “art” of hacking to maximize profits with lowering the probability of being identified and prosecuted. Their “art” includes exploiting routine vulnerabilities, making money through various means, and then disappearing into the ether until they emerge for their next cyber-attack. This is especially true of ransomware attacks, where the current trend is to not only demand a ransom for decryption of the data, but also additional demands for not publicly disclosing the information should the victim company recover the data from backups or other means. As former FBI Director Robert Mueller once said, “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again. Maintaining a code of silence will not serve us in the long run.”
The information stolen from T-Mobile was allegedly offered for sale on the dark web for approximately $270,000, a clear suggestion of how little value there is in laundering the identity information of affected individuals compared to the costs to affected businesses. Hackers make money by expending little cost and effort exploiting the same vulnerabilities over and over in different organizations once a vulnerability is discovered. In contrast, the 2020 Ponemon Cost of Data Breach Report suggested that the average total cost of a data breach is $3.86 million, with ransomware and other destructive malware attacks having a greater average cost than the overall costs of a data breach. And this figure continues to be very dependent on geographic region, with the average cost for a data breach in the US costing $8.64 million - more than double than this global average and the highest on the planet Earth (Brazil is the lowest with an average cost of $1.12 million). Approximately 2/3rds of these costs are as a result of the aftershocks of a cybersecurity event, i.e., they take the form of lost business and the costs of call centers, credit monitoring, legal expenses, product discounts, and fines.
Steps for Businesses to Develop a Cybersecurity Program
But the data also suggests that, because Hackers stand to gain so little for any particular data breach, there is a light at the end of the proverbial tunnel for organizations: make it harder for the hackers to breach the organization’s system, so that they turn their attention to an easier target. This doesn’t mean defending against every potential cybersecurity event, but simply making it hard enough to exploit the easy, well known vulnerabilities that only the most determined (and well-funded) bad actors will continue their attempts. the Ponemon study may provide some useful guidance on where organizations should expend resources. The Ponemon study found a number of factors that may reduce or increase the average total cost of a data breach.
|DECREASES COST OF A DATA BREACH
||INCREASES COST OF A DATA BREACH
|Incident Response Testing
Business Continuity Planning
Training of Personnel
Use of Encryption
Appointing a CISO
|Complexity of security systems
Migration to Cloud
Shortage of security skills
|FIVE FUNCTIONS OF AN EFFECTIVE
|| 1. Identify
|| 2. Protect
|| 3. Detect
|| 4. Respond
|| 5. Recover
While the specific value of each of these factors have varied over time, the Ponemon reports over time have generally shown the same factors as improving outcomes and the same factors have generally been found to make outcomes worse. Organizations of all sizes that have a basic security framework already in place should therefore focus resources on the greatest returns, i.e., the activities shown in the left hand column. At the same time, these organizations should actively seek to minimize the activities on the right, especially reducing the complexity of the security systems wherever possible.
However, organizations that are just starting to develop a cybersecurity plan often need guidance on where to start. While there are many industry standards, some excellent starting points include the guidelines published by the FTC as well as industry standards such the cybersecurity guidelines published by the National Institute of Science and Technology (NIST), including the NIST Cybersecurity Framework. A roadmap based on these industry standards is described below:
Organizations should develop an understanding of their environment to properly manage cybersecurity risk to systems, people, assets, data, and operations.
- Identify all of your technology assets (computers, smartphones, software, data, etc…).
- Create incident response policies that detail steps to take to protect against an attack.
- Create policies that define security roles and responsibilities for employees and vendors.
Businesses should adopt and maintain appropriate safeguards to ensure continued operation of critical business functions.
- Have access controls in place – every user should not be able to access all data. Very few users should have the ability to install or modify systems.
- Acquire and use security software to regularly scan your organization’s systems.
- Encrypt all data at rest and in transit.
- Backup essential data regularly.
- Always keeps your systems up to date.
- Educate and train employees on the proper use of data.
Organizations should develop and implement appropriate procedures to identify the occurrence of a cybersecurity event.
- Monitor all data in and our of your system, whether through removable media such as a USB, or through the internet.
- Check the network for unauthorized users – remove access to terminated users immediately.
- Investigate unusual activities.
Organizations should develop, maintain, and regularly test an incident response plan to take action regarding a cybersecurity incident that has been detected or that has been attempted and poses a significant threat to the organization.
If an organization has a breach or is subject to a cybersecurity attack, it is important that they have a plan for:
- Notifying customers, employees, and any others whose data is at risk.
- Continuing normal business operations.
- Reporting to law enforcement.
- Investigating and containing the attack.
- Updating policies with lessons learned.
- Inadvertent events like hurricanes or other natural disasters.
Organizations should develop appropriate policies and procedures for resilience against a cybersecurity incident and to promptly restore any services or other business operations that may have been impacted due to a cybersecurity incident.
- Repair and restore the equipment and parts of your network that were affected.
- Keep employees and customers informed of your response and recovery activities.
Organizations should also be reminded that these organizations also provide guidance on how to protect the privacy of personal information, once appropriate security controls have been deployed to protect that information.
Foley has significant expertise in assisting organizations of all sizes in developing and enhancing their cybersecurity and privacy programs, including such programs based on FTC guidance, the NIST Cybersecurity Framework and other industry standards.