Information Technology and Ethics/Security Breach

From Wikibooks, open books for an open world

Introduction

Was your Facebook data illegally harvested by the Cambridge Analytica firm during the 2016 United States Presidential election? If so, you were not alone. Cecilia Kang and Sheera Frenkel, investigative journalists for the New York Times, published their findings, which stated that Cambridge Analytica illicitly collected various types of data from 87 million Facebook profiles without the users' knowledge or consent[1]. This chapter is centered around information security and the role security or data breaches play. Specifically, we will detail and provide insights into the most recent and impactful security intrusions. We will outline the possible root causes of security breaches and present the impacts associated with past security breaches, as well as potential impacts associated with future security breaches. Lastly, our research will present industry-standard remediation and data recovery techniques that offer possible remedies after a security breach has occurred, along with recommendations for preventing security breaches in the future.

What is a Security Breach?

It is crucial to understand what a security breach is before moving on to the rest of this chapter. Any occurrence that leads to unauthorized access to computer data, applications, networks, or devices is referred to as a security breach. It results in information being accessed without authorization and usually happens when an intruder is able to bypass security measures. The majority of data breaches reveal sensitive information such as credit card numbers, trade secrets, and other proprietary details.[2] According to recent research issued by Risk Based Security, in the first half of 2021, there were 1,767 publicly acknowledged data breaches, exposing 18.8 billion PII details.[3] Data breaches are becoming increasingly common as more data is gathered and collected.

Causes of Security Breaches

A data breach is commonly assumed to be the result of an external hacker. However, this is not necessarily the case. The causes of data breaches can sometimes be traced back to intentional attacks. However, because humans are one of the weakest links in the realm of security, a breach can just as easily originate from a simple mistake by an individual or from vulnerabilities in a company's infrastructure. Financial gain (the attacker's objective is to generate money from the stolen data by selling it on the dark web or even demanding ransom by holding the victim's computer hostage), stealing trade secrets or military information, and hacktivism (to make a political statement) are some of the reasons malicious actors breach secure networks.

The following are some causes of security breaches that are regularly exploited by malicious attackers in the wild:

Lack of awareness and poor habits

Lack of knowledge and training is one of the critical reasons for security breaches. Unaware of the newest cyber trends, previous cyberattacks, or attacker strategies, most workers do not recognize their role in defending the corporate network, which exposes it to security events. Actions such as using a weak password for accessing organization resources, not locking laptops and computers when leaving the desk, not following a clear desk policy, using vulnerable software, and misplacing organization assets can often result in security breaches because people are unaware of the security policies in place and the necessity to follow them. Such situations may be effectively avoided by notifying each employee of the measures that must be taken to keep the organization safe, by giving appropriate security training, and by monitoring the results.[4]

Disposal of E-Waste

As critical data handled by a business is typically housed on storage devices/servers and accessible by employees for their everyday activities, the security of such data should always be a top priority for each individual. Employees frequently discard printed confidential material without following appropriate techniques like shredding, which can have severe ramifications for the organization if retrieved by a threat actor. In addition, companies are discarding a large number of servers and hard drives without following proper procedures as they upgrade their infrastructure to deliver better services. Such lapses can lead to a data breach, as an attacker can easily retrieve data from these hard drives and servers for personal benefit. In order to ensure that no data is present in the memory of the computational devices that are about to be discarded, appropriate techniques like data erasure or degaussing must be utilized.

Server Misconfiguration

While the consequences of security misconfiguration are numerous, they are generally overshadowed by phishing, ransomware, malware, and other common security flaws exploited by threat actors. Misconfiguration occurs when a system or database administrator or developer fails to correctly set up the security architecture of an application, website, desktop, or server, resulting in dangerous open paths for hackers. Instead of relying on default configurations, it is highly recommended that each piece of computing equipment in the organization's network be configured according to the baseline defined by the corporate regulations, as misconfigurations can lead to a massive data breach and result in financial repercussions, such as a temporary loss of business, lost customers due to lack of trust (and thus, lost revenue), and penalties through litigation and possible regulatory fines.

Remote Work

Due to the recent pandemic, many firms have adopted the Work-From-Home culture and have implemented different technologies within their network to allow remote work. To prevent these new technologies from increasing the organization's attack surface, it must be ensured that access to organizational resources is continuously monitored and allowed only to company-issued assets. In addition, all the devices accessing the company's resources over the internet must be compliant with the organization's policies and regularly patched. Finally, any employee accessing the organization's internal network and resources must use secure technology such as a VPN to make this communication safe.

Impact of Security Breaches

A data breach has the potential to devastate a company entirely. This is particularly problematic for small and medium-sized companies (SMBs), as more than half of them will close within six months of the assault. While bigger businesses and government institutions are unlikely to be forced to close their doors, they will also face significant implications. The impact of a security breach varies based on the affected business, the industry, and the type of breach that occurred.[4] However, there are some common impacts that these businesses experience, such as monetary loss and reputation damage. Financial expenses amount to $4.24 million on average, according to the Ponemon Institute and IBM, with lost business accounting for 38% of the total.[5] In addition, after a data breach, a company's reputation suffers, as customers prefer to do business with organizations they can trust to secure their personal information.

Some of the expected consequences of a security breach are:

Financial Loss

A data breach's financial effect is undoubtedly one of the most immediate and severe outcomes that victim businesses must cope with. Compensation for impacted consumers, incident response activities, investigation of the breach, investment in new security measures, legal expenses, and fines for non-compliance can all add up to a significant amount of money. In addition, a data breach may potentially have a significant influence on the stock price and valuation of a firm. According to a recent report by the Ponemon Institute, the global average cost of a data breach has increased by 12% in the last five years to £3.2 million.[5]

Reputational Damage

The most damaging and horrific consequence of a security compromise is the loss of consumers' and stakeholders' confidence. Reputational damage leads to a loss of customers and, in turn, a decrease in sales. The negative press coupled with a loss in consumer trust can cause irreparable damage to the breached company. Moreover, the reputational repercussions of a data breach can last much longer than the short-term fine, causing long-term damage due to customers' loss of trust and loss of potential future business opportunities with different investors, as the vast majority of people would not do business with a company that had been breached, especially if it failed to protect its customers' data.

Operational Downtime

In the aftermath of a data breach, business activities are frequently affected. First, companies must control the breach and thoroughly investigate how it happened and what systems were accessed. It is possible that operations will have to be shut down altogether until investigators have all the information they need. Depending on the severity of the breach, this procedure might take days or even weeks. This can have a significant impact on revenue and the capacity of a company to recover. The average cost of a network outage, according to Gartner, is roughly $5,600 per minute. This works out to almost $300,000 every hour. This will undoubtedly vary depending on the size of the organization and the sector in question, but it will definitely have a disastrous effect on corporate efficiency.[6]

Organizations are legally required to demonstrate that they have taken all necessary precautions to secure personal data under data protection regulations. In addition, individuals might initiate legal action to demand compensation if their data is compromised, whether intentionally or unintentionally. In the United States, class action lawsuits have risen dramatically as victims seek monetary recompense for their data loss. As the frequency and severity of breaches continue to rise, we can expect to see more of these group cases being brought to court.[7]

Loss of Sensitive Data

The implications of a data breach that results in the loss of sensitive personal data may be disastrous. Personal data includes anything from a name to an email address, IP address, and photos that may be used to directly or indirectly identify an individual. It also includes sensitive personal information, such as biometric or genetic information, that might be used to identify a person. Biometric information is also vital to fraudsters, and it is worth far more than credit card numbers and email addresses. Breaches that reveal sensitive data can have severe consequences that far outweigh any financial or reputational harm.[4]

Below the Surface Cost

In addition to the monetary costs of incident response, there are several intangible costs that may wreak havoc on a company long after the event has passed. For example, the impact of operational interruption is sometimes underestimated – particularly among businesses that lack formal business resilience and continuity plans – and small businesses that already struggle to manage cash flow may suffer catastrophic increases in insurance premiums or higher borrowing rates after such incidents.[7]

Attack Vectors for Security Breach

What is an attack vector?

In cybersecurity, an attack vector is a technique for gaining unauthorized network access to conduct a cyberattack. Cybercriminals can use attack vectors to acquire sensitive data, personally identifiable information (PII), and other valuable information following a data breach by exploiting system flaws.[8] As hackers seek unpatched vulnerabilities posted on CVE and the dark web, the number of cyber risks is on the rise, and no one solution can protect against every attack vector. In addition, as cybercriminals are becoming more adept, antivirus software alone is no longer sufficient, so to reduce cybersecurity risk, businesses must use defense-in-depth strategies.

Common Types of Attack Vectors

Some of the most widely used attack vectors to successfully breach a secure network are:

Compromised Credentials

Usernames and passwords remain the most frequent sort of access credential, and they continue to be exposed as a result of data breaches, phishing scams, and malware. Credentials offer attackers unrestricted access if they are lost, stolen, or revealed. This is why businesses constantly invest in systems to check for data breaches and credential leaks. Password managers, two-factor authentication, and biometrics can help to limit the chance of credentials being leaked and causing a security breach.[9]

Weak Credentials

The predisposition to choose convenience over security has long been recognized, and even suppliers are guilty of it. Another primary concern, and a typical symptom in firms that implement password complexity requirements, is password reuse. Users are more inclined to repeat a single complicated password since they are pushed to remember increasingly complex passwords for various apps. This exposes the company to a credential stuffing attack. Weak passwords and reused passwords mean one data breach can result in many more. To achieve comprehensive security from such attack vectors, reasonable efforts should be made to teach the company how to construct a safe password. In addition, security solutions such as a password manager or a single sign-on tool should be deployed.[9]

Malicious Insiders

A malicious insider threat to an organization is defined as a current or former employee, contractor, or another business partner who has or had authorized access to an organization's network, system, or data and has intentionally exceeded or misused that access for personal gain in a way that compromises the confidentiality, integrity, or availability of the organization's information or information systems.

Ransomware

Ransomware is malicious software that blocks access to a computer system or data until a ransom is paid. Phishing emails, malvertising, accessing infected websites, and exploiting vulnerabilities are all ways through which ransomware propagates. Data leaks, intellectual property theft, and data breaches are the consequences of ransomware attacks. To reduce the effect of ransomware attacks, make sure that all systems and endpoints are patched regularly, and that critical data is backed up on a daily basis.[9]

Phishing

Phishing is a type of cyber fraud that uses fraudulent emails or other electronic communications to persuade victims to part with anything of value, such as money or personal information. Phishing is most commonly carried out using email messages sent from a device such as a laptop or a tablet, in which the attacker poses as someone the receiver trusts. In whatever shape it takes, phishing may have a severe security impact. Phishing attacks have evolved to the point that they now often transparently mirror the site being attacked, allowing the attacker to watch everything the victim does while exploring the site and cross any extra security barriers alongside the victim.

Missing or Poor Encryption

Data encryption converts data into a format that can only be viewed by persons who have access to a secret key or password. Data encryption ensures the security of digital data as it is stored on computer systems and delivered across the internet or other computer networks. Strong encryption should be used for data at rest, in transit, and, if appropriate, in processing. When encryption is missing or insufficient, sensitive data such as credentials is transferred in plaintext or via weak cryptographic ciphers or protocols. This means that an adversary eavesdropping on data storage, transmission, or processing might get access to sensitive information by breaking poor encryption with brute-force methods. To mitigate the effect of such an attack vector, adequate encryption mechanisms must be used, with sensitive data encrypted at rest, in transit, and during processing.[9]

Case Studies of Security Breaches

Target Security Breach - 2013

In 2013, Target (an American retailer) experienced a significant security breach, affecting more than 40 million customers and sparking widespread concern about data privacy and cybersecurity. The breach originated from vulnerabilities within Target's supply chain, notably through a breach at Fazio Mechanical, a small contractor based in Pennsylvania. The attackers used a type of memory-scraping malware that targeted the point-of-sale (POS) systems used by Target[10]. This malware allowed them to capture unencrypted payment card data during transactions, compromising the sensitive financial information of millions of customers. After the breach was exposed, Target hired Verizon to run penetration testing to find weaknesses and vulnerabilities within the system. One of the key vulnerabilities exploited in Target's systems was the lack of proper segmentation between different parts of the network, which allowed the attackers to move laterally. The initial report showed that the penetration testers were able to obtain a staggering 86% of Target employee and administrator passwords, allowing access to various internal networks. Additionally, Target's systems were found to be running outdated versions of software, including the operating system and payment processing software. Upon Verizon’s follow-up months later, it was reported that Target had fixed most of the issues and had even taken some proactive steps to further protect their customers[11]. The breach had significant repercussions for Target, including reputational damage and financial losses. Target later settled for $18.5 million in a lawsuit that was filed by 47 states and the District of Columbia[12]. It is interesting to note that Target had no Chief Information Security Officer (CISO) prior to the breach, and that the CEO and CIO faced professional ramifications, losing their jobs as a direct consequence of this breach[13].

Yahoo Security Breach - 2013 - 2017

The Yahoo security breaches of 2013 and 2014 represent some of the most egregious violations of user trust and data privacy in recent memory. In September 2016, as negotiations were underway for Verizon's acquisition of Yahoo, the company disclosed a staggering data breach from late 2014 affecting 500 million registered users. This breach, orchestrated by Russian hackers, compromised a wealth of sensitive information, including users' names, email addresses, birth dates, and phone numbers. Despite Yahoo's use of the bcrypt algorithm to protect user data, the breach underscored the inadequacy of existing security measures in the face of sophisticated cyber threats. In December 2016, Yahoo disclosed another breach, this time affecting a staggering 1 billion users in 2013, perpetrated by a different group of hackers. The magnitude of these breaches continued to escalate, with Yahoo updating the earlier figure to an unprecedented 3 billion compromised users in October 2017, solidifying its status as the largest data breach in history up to that point. The ethical implications of these breaches are profound. Yahoo's failure to adequately safeguard user data compromised the privacy and security of millions of individuals, exposing them to potential identity theft, fraud, and other malicious activities. Moreover, the delayed disclosure of these breaches to both users and potential acquirers like Verizon further eroded trust and integrity in Yahoo's operations[14]. Since disclosing the final breach estimate, Yahoo's market value plummeted, leading to a $350 million reduction in the Verizon acquisition price. Additionally, Yahoo faced regulatory penalties, including a $35 million fine from the Securities and Exchange Commission for misleading investors about the breaches. Furthermore, Yahoo agreed to an $80 million class-action settlement to compensate affected users, reflecting the immense costs of failing to protect user data adequately.[15]

Adult Friend Finder Security Breach - 2016

In October 2016, an anonymous Twitter user, known as 1x0123, alerted FriendFinder Networks Inc., the parent company of adult content websites like 'AdultFriendFinder' and 'Cams.com', about a critical Local File Inclusion (LFI) vulnerability within their server infrastructure. Despite this warning, it was soon discovered that the FriendFinder Networks' databases had fallen victim to a breach, compromising an initial estimate of over 100 million user accounts. However, subsequent investigations, notably by LeakSource, revealed a staggering total of 412 million accounts affected by the breach. It was later found that the majority of the personal information and passwords stored were protected with a weak SHA1 hashing algorithm. As a result, an alarming 99 percent of the passwords were cracked even before the final breach count was reported by LeakSource. The breach prompted FriendFinder Networks to notify users of the incident and strongly advise them to reset and update their passwords to mitigate further risk[16]. The failure to promptly address known vulnerabilities, despite warnings from external sources, raises questions about the company's commitment to safeguarding user data. Moreover, the use of inadequate methods for protecting stored passwords highlights the ethical responsibility of organizations to employ robust security measures to protect sensitive information from exploitation.
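The weakness described above, seen from the defender's side in an added example (not code from FriendFinder Networks or from this chapter): unsalted SHA-1 gives identical passwords identical digests and is cheap to compute, while a salted, slow hash does neither, and legacy records can be replaced at the next successful login. The record format, function names, sample accounts and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed work factor for this example; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password):
    """The weak scheme: one unsalted SHA-1 pass over the password."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_and_upgrade(stored, password):
    """Check a login attempt against either record format.

    Returns (ok, replacement). replacement is a new salted record when a
    legacy SHA-1 record verified, so the weak hash can be overwritten at login.
    """
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password), stored)
        return ok, (hash_password(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        try:
            iterations, salt_hex, _digest = rest.split("$")
            candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
        except ValueError:
            return False, None  # malformed record: fail closed
        return hmac.compare_digest(candidate, stored), None
    return False, None  # unknown format: fail closed


def audit(records):
    """Summarise a credential table: legacy records and digests shared by accounts."""
    by_digest = defaultdict(list)
    legacy = []
    for user, stored in sorted(records.items()):
        by_digest[stored].append(user)
        if stored.startswith("sha1$"):
            legacy.append(user)
    shared = sorted(users for users in by_digest.values() if len(users) > 1)
    return {"legacy": legacy, "shared_digest_groups": shared}


# Constructed sample accounts (not data from any breach).
SAMPLE_PASSWORDS = {"alice": "summer2016", "bob": "summer2016", "carol": "x9!Lq#72vTz"}

if __name__ == "__main__":
    weak = {u: legacy_sha1(p) for u, p in SAMPLE_PASSWORDS.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("unsalted SHA-1:", audit(weak))
    print("salted PBKDF2: ", audit(strong))
```

Under the unsalted scheme the audit groups alice and bob together because their records are byte-for-byte identical; with per-user salts no two records match even when the passwords do.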

Equifax Security Breach - 2017

The Equifax breach stands out as one of the most severe cybersecurity incidents in U.S. history, primarily due to the highly sensitive nature of the compromised information, which could potentially lead to widespread identity theft. About 148 million individuals were affected by the breach, with most having their names, social security numbers, addresses, and birth dates exposed. Additionally, a smaller subset of individuals had their driver's license numbers minimally exposed. The Equifax breach occurred due to a critical vulnerability in a web application. Specifically, attackers exploited a flaw in the Apache Struts framework, a widely used open-source framework for building web applications in Java. This vulnerability, tracked as CVE-2017-5638, allowed remote attackers to execute arbitrary code on Equifax's servers, giving them unauthorized access to sensitive files containing personal information of millions of individuals[17]. Following the breach, former Equifax CEO Richard Smith attributed blame to a single former employee and promptly resigned from his position. Blaming one individual for the entire breach raises ethical concerns about accountability and transparency within Equifax's leadership. In the wake of the breach, free credit monitoring was offered to those affected. However, the full extent of the damage and financial implications of the breach remain uncertain at this time[18]. Although some critics do not believe it was necessarily a factor in the breach[19][20], many questioned the fact that the Chief Security Officer at Equifax, Susan Mauldin, held two degrees in music and no documented education or certifications related to technology or security[21].

Google Security Breach - 2018

In December 2018, Google disclosed a security vulnerability affecting approximately 52 million users of Google+. The bug exposed personal information such as users' names, email addresses, and ages, putting their privacy at risk. While Google+ users were typically able to access public information of their friends, this bug allowed unauthorized access to private information. Google identified the bug during routine testing and promptly resolved it within one week. Despite earlier plans to shut down Google+ due to low usage and previous security issues, the decision was expedited following this incident, leading to the service's closure in April 2019 instead of August as originally scheduled. The delayed decision to shut down Google+ despite prior security concerns underscores the need for proactive risk management and timely responses to mitigate potential harm to users[22].

Marriott Starwood Hotel Security Breach - 2018

In December 2018, Marriott International disclosed a significant breach in its reservation database, revealing unauthorized access and the theft of guests' personal information. It was reported that approximately 500 million guests' data had been compromised, with 65% of victims having their passport numbers and itineraries exposed alongside their names and addresses. Additionally, some guests had their credit card numbers and expiration dates stolen. Following the incident, Marriott engaged security experts to investigate the breach, which had gone undetected since 2014 despite ongoing unauthorized access. The delayed discovery of the breach raised concerns about Marriott's security protocols and the effectiveness of its monitoring systems in detecting and responding to cyber threats[23]. The breach's impact extended beyond the compromised personal information, impacting guests' trust in Marriott's ability to safeguard their data and fulfill its duty of care. Ethical considerations surrounding the Marriott breach center on issues of transparency, accountability, and the duty to protect customer data.

Facebook Security Breach - 2018

In September 2018, Facebook disclosed a significant security breach affecting approximately 50 million user accounts. According to Facebook, the attackers exploited a combination of three vulnerabilities in Facebook's "View As" feature, allowing them to steal access tokens. These vulnerabilities included a flaw in Facebook's video uploading feature, which inadvertently generated access tokens for the "View As" feature. Attackers leveraged this flaw to steal access tokens, digital keys used to maintain user sessions and keep users logged in. With possession of these tokens, hackers could potentially take control of affected accounts, posing serious risks to user privacy and security. Hackers could also access other websites that use the Facebook account for logging in[24]. Following the discovery of the breach, Facebook promptly patched the vulnerabilities and invalidated the compromised access tokens to prevent further unauthorized access. Additionally, the company reset the access tokens for an additional 40 million accounts as a precautionary measure, bringing the total number of affected accounts to approximately 90 million[25].

SolarWinds Breach - 2020

The cyber-security firm FireEye initially uncovered a widespread compromise of private-sector and government networks in late 2020, with the hacking of software provided by SolarWinds emerging as a primary vector for the intrusion. This attack, known as the SolarWinds or SUNBURST attack, affected approximately 18,000 out of SolarWinds' 33,000 clients who unwittingly downloaded a malicious software update embedded in their supply chain[26]. The malicious software, SUNBURST, operated stealthily within compromised networks, remaining dormant and undetected until activated by threat actors. Once activated, SUNBURST granted unauthorized access to the network, allowing attackers to infiltrate systems, steal sensitive data, and establish persistence for further malicious activities. The attack highlighted the vulnerabilities inherent in software supply chains and underscored the need for robust security measures to prevent and respond to such breaches[27]. From an ethical perspective, the SolarWinds attack raised concerns about the responsibility of technology companies to safeguard their software and protect their customers from malicious actors.

Ronin Bridge Breach - 2022

The exploitation of the Ronin bridge in the Axie Infinity ecosystem on March 23rd, 2022, represents a sophisticated attack on the underlying blockchain infrastructure. The breach targeted Sky Mavis's Ronin validator nodes and the Axie DAO, exploiting vulnerabilities in the system's transaction authorization mechanisms. At the core of the attack were stolen private keys, which the attacker used to execute fraudulent transactions on the Ronin blockchain. These private keys, typically safeguarded by users to authorize legitimate transactions, were compromised, allowing the attacker to impersonate authorized users and falsify transaction signatures. By leveraging these stolen keys, the attacker executed two unauthorized transactions, resulting in the theft of about 173,000 Ether, valued at $600 million[28]. The origins of the breach trace back to November 2021, when Sky Mavis sought assistance from the Axie DAO to manage the high user load by distributing free transactions. The Axie DAO granted Sky Mavis authorization to sign numerous transactions on its behalf. Despite this arrangement being terminated in December 2021, access to the allowlist was not revoked, leaving the system vulnerable to exploitation[29]. From an ethical perspective, the breach highlights the evolving threat landscape facing blockchain-based ecosystems and the imperative for ongoing vigilance, collaboration, and innovation in cybersecurity practices. Today, these hacks have been found to be linked to the Lazarus Group, a nation-state hacker group sponsored by North Korea.[30] Any wallet linked to those attacks has since been blocked by several cryptocurrency services.
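An added example (not Sky Mavis or Axie DAO code) of the failure mode described above: an allowlist check that only tests membership keeps honouring a delegation after the arrangement ends, while a time-bound check refuses it and an audit surfaces the leftover entry. The `Delegation` record, the function names, the extra entries and the exact grant and expiry days are hypothetical; only the parties, the months and the 23 March 2022 date come from the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Delegation:
    """One allowlist entry (hypothetical record layout)."""
    delegate: str                      # party allowed to sign for the grantor
    grantor: str
    granted_on: date
    expires_on: Optional[date]         # None means open-ended
    revoked_on: Optional[date] = None


def membership_only_check(allowlist, delegate, grantor):
    """'Before' behaviour: an entry on the list is honoured indefinitely."""
    return any(d.delegate == delegate and d.grantor == grantor for d in allowlist)


def _valid_on(d, today):
    """A grant counts only inside its validity window."""
    if d.revoked_on is not None and today >= d.revoked_on:
        return False
    if d.expires_on is None or today > d.expires_on:
        return False                   # open-ended and expired grants are refused
    return today >= d.granted_on


def time_bound_check(allowlist, delegate, grantor, today):
    """Hardened check: membership alone is not enough."""
    return any(
        d.delegate == delegate and d.grantor == grantor and _valid_on(d, today)
        for d in allowlist
    )


def stale_entries(allowlist, today):
    """Entries still on the list that the time-bound check would refuse."""
    findings = []
    for d in allowlist:
        if _valid_on(d, today):
            continue
        if d.revoked_on is not None and today >= d.revoked_on:
            reason, overdue = "revoked but still listed", (today - d.revoked_on).days
        elif d.expires_on is None:
            reason, overdue = "no expiry set", None
        elif today > d.expires_on:
            reason, overdue = "expired but still listed", (today - d.expires_on).days
        else:
            reason, overdue = "not yet valid", None
        findings.append((d.delegate, d.grantor, reason, overdue))
    return findings


# Constructed sample data: exact days are placeholders, not facts from the incident.
SAMPLE_ALLOWLIST = [
    Delegation("sky-mavis", "axie-dao", date(2021, 11, 15), date(2021, 12, 31)),
    Delegation("ops-relay", "axie-dao", date(2022, 1, 10), None),               # hypothetical
    Delegation("partner-x", "axie-dao", date(2022, 3, 1), date(2022, 6, 30)),   # hypothetical
]
INCIDENT_DAY = date(2022, 3, 23)

if __name__ == "__main__":
    print(membership_only_check(SAMPLE_ALLOWLIST, "sky-mavis", "axie-dao"))
    print(time_bound_check(SAMPLE_ALLOWLIST, "sky-mavis", "axie-dao", INCIDENT_DAY))
    for finding in stale_entries(SAMPLE_ALLOWLIST, INCIDENT_DAY):
        print(finding)
```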

Ethical Implications of Data Collection

In today's digital age, personal data permeates every corner of the internet landscape. From e-commerce platforms to social media networks and online healthcare services, individuals routinely divulge sensitive information such as their name, email address, date of birth, and even home address. This wealth of personal data is willingly surrendered to companies in exchange for access to their services or products. However, what often goes unnoticed is the implicit agreement to the platform's Terms of Service (ToS) and Privacy Policy, a practice frequently undertaken without thorough scrutiny. These documents typically include information like what data about you is collected, how the company will use it, and to whom they might sell it[31].

This raises the question: why would entities be interested in purchasing such data? The answer is straightforward: advertising. Major corporations like Google, Meta (formerly Facebook), Amazon, and others invest in vast quantities of user data to construct comprehensive advertising profiles. These profiles can encompass details about individuals such as their religious affiliation, political inclinations, relationship status, gender, and a plethora of additional information, enabling targeted ad delivery based on algorithmic predictions of user interests. Advertisers are willing to allocate higher budgets to platforms where they anticipate greater click-through rates[32]. Notably, this practice is entirely lawful, as users implicitly consented to it upon agreeing to the platform's Terms of Service and Privacy Policy. The problem is that most people don’t read these documents before agreeing to them, often because they are long, complicated, and filled with legal jargon that is hard to understand. This is not inherently a bad process, however, as better targeted ads may be useful to some. For instance, an individual exploring reviews for a new vehicle may find value in subsequently receiving advertisements tailored to their automotive interests, potentially streamlining their decision-making process.

There have been many unsubstantiated claims that companies like Facebook use your phone's microphone to listen in on your conversations to tailor ads, but none of these claims have been proven, and Facebook strongly denies them[33]. Were Facebook to do this, there would certainly be ethical (and possibly legal) implications, as companies would be listening in on conversations you believed to be private. But as far as we can tell, this is not the case. However, while the legality of the practice of collecting and selling personal data is quite clear, the ethicality is questionable. According to recent studies, up to 68% of internet users are concerned about their online privacy, indicating a growing awareness of these issues among the general populace. It is commonly understood among more tech-literate users that most websites engage in data collection, even when users are merely browsing without logging in, often facilitated by computer cookies. Cookies are “small files used by companies to collect information about Internet users”[34]. On most websites today, there will be a popup or banner asking you to agree to the use of cookies on the website, largely due to the GDPR’s “Right to be Informed” clause[35]. However, users may unknowingly consent to the transmission of their browsing habits to advertisers, unaware of where this data is being sent or who may have access to it. The result is that the user has no idea who has their data. This problem becomes even worse in the event of a data breach. For instance, in the 2018 Google security breach, which exposed the personal data of over 50 million users, the compromised information potentially became accessible to unauthorized entities, not just the companies it was sold to. This underscores the fundamental ethical dilemmas inherent in data collection practices. Users are left to ponder whether they can continue to place trust in websites with their personal data, and whether they even have a meaningful choice in the matter.

Protecting Yourself from Breaches


How Often Do Data Breaches Happen?


It's logical to expect that big firms' security systems are constantly tested, but 2023 was a particularly disastrous year for data breaches. In their list of cybercrime predictions for 2024, the Identity Theft Resource Center (ITRC) forecasts an increase in identity theft cases following "an unprecedented number of data breaches in 2023 by financially motivated and nation-state threat actors". In recent years, data breaches have affected customers of Facebook, Yahoo, and Amazon alike. If these huge firms can't keep your data safe, can anyone?


How to Protect Your Data From Breaches[36]:

Hunt told me that mitigating the damage from data breaches hinges on taking preventative action and changing your online habits. Below are a couple of pain-free ways that you can change your internet habits and protect your private data in the future.


Here are some strategies to consider:[37]

It is crucial to defend oneself against security breaches in today's linked world. The following are some essential tactics that people can use to improve their digital security:

  • Employ Strong Passwords: Creating strong, unique passwords is critical for protecting your online accounts from illegal access and potential breaches. When creating passwords, prioritize length, complexity, and uniqueness. Choose passwords that are at least 12 characters long and contain a combination of uppercase and lowercase letters, numbers, and special characters. Avoid utilizing personal information or common dictionary phrases, as these are easily guessed or cracked by hackers. Instead, consider utilizing passphrases or random character combinations that are simple to remember but difficult for others to guess. Furthermore, using a unique password for each account reduces the possibility of a single breach compromising many accounts. Consider utilizing a trustworthy password manager to generate and securely store your passwords, ensuring an extra layer of protection for your online accounts. By following these best practices, you can significantly reduce the risk of falling victim to password-related security breaches.
  • Turn on Two-Factor Authentication: Two-factor authentication (2FA) adds protection to your internet accounts. A code texted to your phone or produced by an authentication app serves as the second form of verification required for two-factor authentication, in addition to a password. When 2FA is enabled, access to your secondary authentication method is required for account entry, even if someone manages to crack your password. That way, even in the case of a password leak, the likelihood of unwanted access is greatly diminished. It is highly recommended to enable 2FA whenever possible to improve the security of your accounts, as it is a feature that many online services and platforms offer. You can considerably enhance the general security posture of your online accounts by combining strong passwords with two-factor authentication.
  • Stay Up to Date: Maintaining a strong defense against potential intrusions requires staying current with software upgrades and security patches. Software developers frequently release updates to fix recently discovered vulnerabilities and flaws that hackers might exploit. These upgrades often include patches and fixes that close security gaps and improve the general integrity of the operating system or software. You can protect yourself against the most recent threats and vulnerabilities by quickly applying updates for your antivirus software, applications, and devices. Ignoring updates exposes your systems to attack, since hackers aggressively seek out and exploit known vulnerabilities in order to get access to and compromise systems. Thus, it's essential to keep up a proactive software update schedule to strengthen your cybersecurity defenses and protect your critical data from unauthorized access and data breaches.
  • Update Software Regularly: Update your operating system, antivirus program, and applications to fix security flaws and stop online criminals from taking advantage of you.
  • Be Skeptical of Requests for Personal Information: Requests for personal data should always be handled cautiously and with suspicion to guard against identity theft and any security lapses. Requests for private information like passwords, Social Security numbers, or financial information should raise red flags, whether they come via emails, phone calls, or online messaging. Usually, legitimate companies don't send out unsolicited communications requesting this kind of information. Make sure the request is legitimate before providing any money or personal information. This may entail getting in touch with the company directly using dependable contact details that you can find on their official website or in earlier correspondence. Examine the message closely for any indications of phishing attempts, such as misspellings, dubious links, or demands for quick action. People can reduce their vulnerability to identity theft, phishing schemes, and scams by being cautious and skeptical when answering requests for personal information. This will protect their privacy and financial stability.
  • Secure Internet Connections: In the current digital era, protecting sensitive data and upholding privacy depend heavily on secure internet connections. Encryption technologies like SSL and TLS play a vital role in ensuring that data transmitted between devices and online services is unreadable by unauthorized parties. Furthermore, unwanted access to Wi-Fi networks can be prevented by using strong encryption techniques like WPA2 or WPA3 along with distinctive passwords. By encrypting internet traffic and guarding against interception, VPNs provide an additional layer of protection, particularly on public Wi-Fi networks. Patching security flaws in devices and routers requires routine updates. Practicing safe browsing habits, like avoiding dubious websites and links, reduces risk even further. People can dramatically improve the security of their internet connections by putting these precautions in place, which will lessen the possibility of unauthorized access and data breaches.
  • Data Backup: Establish a consistent backup schedule for critical files and data. If there is a security breach or data loss, ensure you have backups safely stored on offline storage devices, cloud storage services, or external hard drives.

References

  1. Frenkel, Sheera; Confessore, Nicholas; Kang, Cecilia; Rosenberg, Matthew; Nicas, Jack (2018-11-14). "Delay, Deny and Deflect: How Facebook’s Leaders Fought Through Crisis" (in en-US). The New York Times. ISSN 0362-4331. https://www.nytimes.com/2018/11/14/technology/facebook-data-russia-election-racism.html. 
  2. Kaspersky. (2021, July 12). What is a security breach?. Retrieved from [1]
  3. RiskBased Security. (2021). 2021 Mid Year Report Data Breach QuickView. Retrieved from [2]
  4. Strawbridge, G. (2020, February 28). 5 Damaging Consequences Of A Data Breach. Retrieved from [3]
  5. IBM. (2022, April). Cost of a Data Breach Report. Retrieved from [4]
  6. Lerner, A. (2014, July 16). The Cost of Downtime. Retrieved from [5]
  7. As, S. (2021, December 10). The Consequences of a Cyber Security Breach. Retrieved from [6]
  8. UpGuard. (2022). What is an Attack Vector? 16 Common Attack Vectors in 2022. Retrieved from [7]
  9. Balbix. (2022, April 20). 8 Common Cyber Attack Vectors and How to Avoid Them. Retrieved from [8]
  10. Plachkinova, Miloslova; Maurer, Chris (2018-01-01). "Security Breach at Target". Journal of Information Systems Education. 29 (1): 11–20. ISSN 2574-3872.
  11. Krebs, B. (n.d.). Krebs on Security. Retrieved from [9]
  12. McCoy, K. (2017, May 23). Target to pay $18.5M for 2013 data breach that affected 41 million consumers. Retrieved from https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/
  13. [10]
  14. Daswani, Neil; Elbayadi, Moudy (2021), Daswani, Neil; Elbayadi, Moudy (eds.), "The Yahoo Breaches of 2013 and 2014", Big Breaches: Cybersecurity Lessons for Everyone, Berkeley, CA: Apress, pp. 155–169, doi:10.1007/978-1-4842-6655-7_7, ISBN 978-1-4842-6655-7, retrieved 2024-04-20
  15. McAndrew, Edward J. (2018). “The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far).” In natlawreview.com. Retrieved on April 29, 2019.
  16. Ragan, Steve. (2016). “412 Million FriendFinder Accounts Exposed by Hackers.” In csoonline.com. Retrieved on April 29, 2019.
  17. "The Equifax Data Breach: What CPAs and Firms Need to Know Now - ProQuest". www.proquest.com. Retrieved 2024-04-20.
  18. Adams, R. L. (2017, May 5). Identity theft protection: 10 ways to secure your personal data. Retrieved April 19, 2018, from Forbes website: https://www.forbes.com/sites/robertadams/2017/05/05/identity-theft-protection-10-ways-to-secure-your-personal-data/#55cc87f62fde
  19. https://www.thesslstore.com/blog/equifaxs-cso-music-major-college/
  20. http://www.chicagonow.com/listing-beyond-forty/2017/09/equifax-cso-music-degree/
  21. https://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15
  22. David Thacker. (2018, December 18). Expediting changes to Google+. Retrieved from https://www.blog.google/technology/safety-security/expediting-changes-google-plus/
  23. Jordan Valinsky. (2018, November 30). Marriott reveals data breach of 500 million Starwood guests. Retrieved from https://www.cnn.com/2018/11/30/tech/marriott-hotels-hacked/index.html
  24. Guy Rosen. (2018, September 28). Security Update. Retrieved from https://newsroom.fb.com/news/2018/09/security-update/
  25. Suhonen, Seela (2019). "Crisis communication in organizational data breach situations: Facebook data breach 2018".
  26. Willett, M. (2021). Lessons of the Solarwinds hack. Survival, 63(2), 7–26. https://doi.org/10.1080/00396338.2021.1906001
  27. Wolff, E. D., Growley, K. M., Lerner, M. O., Welling, M. B., Gruden, M. G., & Canter, J. (2021, March 21). Navigating the solarwinds supply chain attack. Crowell. Retrieved April 23, 2022, from https://m.crowell.com/files/20210325-Navigating-the-SolarWinds-Supply-Chain-Attack%20.pdf
  28. Kshetri, Nir (2023). "Privacy violations, security breaches and other threats of Web3 and the metaverse". Calgary: International Telecommunications Society (ITS).
  29. Ronin. (2022, March 29). Community alert: Ronin validators compromised. Community Alert: Ronin Validators Compromised. Retrieved April 23, 2022, from https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w
  30. Toti, B. (2022, April 23). US sanctions more addresses linked to Axie Infinity Hack. Coin Journal. Retrieved April 23, 2022, from https://coinjournal.net/news/us-treasury-links-three-more-ethereum-wallets-to-the-625m-ronin-hack/
  31. Obar, Jonathan A.; Oeldorf-Hirsch, Anne (2020-01-02). "The biggest lie on the Internet: ignoring the privacy policies and terms of service policies of social networking services". Information, Communication & Society. 23 (1): 128–147. doi:10.1080/1369118X.2018.1486870. ISSN 1369-118X.
  32. Richards, Neil M. and King, Jonathan, Big Data Ethics (May 19, 2014). Wake Forest Law Review, 2014, Available at SSRN: https://ssrn.com/abstract=2384174
  33. Keach, S. (2020, January 17). Facebook probably isn't spying on You through your microphone. The Sun. Retrieved April 23, 2022, from https://www.thesun.co.uk/tech/7497249/facebook-listening-to-you-microphone-ads/
  34. Hormozi, A. M. (2005). Cookies and privacy. EDPACS, 32(9), 1–13. https://doi.org/10.1201/1079/45030.32.9.20050301/86855.1
  35. Right to be informed. General Data Protection Regulation (GDPR). (2020, July 14). Retrieved April 23, 2022, from https://gdpr-info.eu/issues/right-to-be-informed/
  36. "How to Protect Yourself From Data Breaches: Plan Ahead". PCMAG. Retrieved 2024-04-20.
  37. "Top tips for staff". www.ncsc.gov.uk. Retrieved 2024-04-20.