If you’re familiar with the seven deadly sins, you know that greed is one of them. Benign greed like ambition or wealth isn’t inherently bad, but when it comes at the cost of the expense or harm of others, even hospitals and schools aren’t off the table. With money motivating 86% of breaches, financial payoff over reasons like espionage has become a prominent factor for cybercriminals worldwide.
Cybercriminals looking to make a buck (or a million) have a few different options. They can exploit you by stealing your data or blocking access to critical assets, holding it ransom for $11 million and succeeding. Others sell 91 million user records for $5000, repeating the deed after seeing initial success, affecting millions of additional users every time.
Besides the ethics behind the crime, the financial cost to enterprises is substantial. The average cost of a data breach reached a record high of $4.35 million in 2022. Outside of nation-state actors who are seeking to destabilize a country, there are plenty of groups of individuals who are in it for the money and know there’s a big payoff when they can find the right low-hanging fruit.
In this article, we review three incidents where data breaches and how to protect data from both external and insider threats:
1. Marriott
In 2020, hackers stole the login credentials of two Marriott employees and potentially exposed 5.2 million records of guests via email. The information included names, birthdates, phone numbers, and mailing addresses. The breach was detected when Marriott realized an unexpected amount of guest information accessed by the accounts that were stolen. While payment information was not exposed this time, the number of personal records accessed was concerning. Marriott promptly disabled the accounts, started an investigation, and notified all affected parties and authorities.
2. Consumer Financial Protection Bureau
The Consumer Financial Protection Bureau (CFPB) is a US government agency that protects consumer financial markets. In 2023, an employee at the CFPB exposed 250,000 records of consumers and sensitive information of possibly 50 financial institutions by emailing these records to a personal email account. The employee was promptly fired, and details regarding the impact, breadth, and severity of the breach remain to be seen. Whether the intent was malicious or a case of negligence, the fact that such sensitive information was aggregated and easily forwarded to an external, unsecured account leaves questions on how the CFPB protected consumers’ personal data.
3. Colonial Pipeline
The previous two examples highlight two different ways that data breaches can happen, through an external hacker and an internal user. We know how much personal information can go on the black market, but there are other ways for cybercriminals to make the big payoff: ransomware.
With ransomware, attackers can restrict access to an organization’s critical assets, demanding substantial sums of money to return to normal operations. They did exactly this in 2021, targeting Colonial Pipeline, a fuel pipeline operator in the United States.
Attacks stole credentials to an internal network and released ransomware that locked devices out of the Colonial Pipeline internal networks. To prevent the spread of ransomware, Colonial Pipeline shut down the pipeline and paid the $4.4 million ransom to gain access to the encryption key that would restore operations. Meanwhile, across the eastern coast of the US, Americans lined up at gasoline stations, desperate and panicked, and the government declared a state of emergency.
Upon this consequence of interrupted critical infrastructure, the cyber attackers themselves may have expressed discomfort with the turn of events. In online forums, the attackers posted their motivations and intentions forward: “our goal is to make money and not create problems for society.”
Reduce the Risk and Impact with Data Loss Prevention (DLP)
In all these examples, data breach is the prime target. With Marriott, the personal information of guests was accessed, and while payment information at that particular breach was not exposed, the retail industry is a prime target due to the volumes of credit card information held. In CFPB, personally identifiable information (PII) was exposed and offered an opportunity for identity theft and criminal activity. With Colonial Pipeline, the attackers may not have wanted the actual data, but knowing the value of Colonial Pipeline, they held it ransom for a couple of millions of dollars.
With data loss prevention (DLP) solutions in place, organizations can prevent and mitigate the damage caused by data breaches of personal or proprietary data. DLP can detect the suspicious access of millions of customer records by even a trusted account. DLP can scan data across a network and identify records that follow known patterns of sensitive information, flag them, and block their movement to any unsanctioned external sites.
The current way of working means needing to protect data breach across different layers of the network such as endpoint, network, and cloud. Modern, comprehensive solutions will integrate across all layers and monitor metadata to provide context of severity beyond the traditional reliance on pattern matching of content.
The key is to implement a proactive solution of both technology and education to prevent data breaches—incidents where an organization must choose between bending to a cybercriminal’s demand or their reputation and the lives of people.
