In what may be the largest data breach ever publicly disclosed, Yahoo disclosed that a 2014 cyberattack breached at least 500 million user accounts. The company said it believes state-sponsored actors were responsible and that the stolen data includes names, email addresses, telephone numbers, dates of birth, and hashed passwords.
The data could also include security questions and answers, although Yahoo said that in some accounts those were encrypted. The company said its investigation did not reveal unhashed passwords or credit card or bank account information.
News of the breach comes soon after the $4.8 billion Verizon acquisition of Yahoo. Yahoo shares tumbled after the announcement, but analysts said the Verizon deal is not likely to be affected by the news. With the disclosure, Yahoo joins a growing list of U.S. companies to suffer a serious data breach since 2013.
There are five fundamental truths that a company’s privacy officers and legal counsel must be aware of in order to protect consumer data:
Only Required Data Should Be Collected and Stored
Sweeping up and storing data beyond what is needed to provide a company’s services opens the door for cyber criminals to access and expose more consumer personal data. A company’s leadership must think carefully about what personal data it collects from consumers and why; collecting and storing unnecessary personal data exposes both consumers and the company to additional risk that is avoidable.
Adhere to the Principle of Least Privilege
The Principle of Least Privilege is a restrictive computing practice that allows a user to access only the data necessary for that user’s legitimate purpose. By granting employees only the minimum access privileges they need, a company can minimize the number of employees who have access to consumer personal data, making the pool of employees with heightened access smaller and easier to manage.
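The two practices above, data minimization and least privilege, can be enforced in code rather than left to policy documents. The following is an added example, not code from the article or from Yahoo: it assumes a simple field-level policy model in which each role has an explicit allowlist of consumer-record fields and everything else is denied by default. The field names, roles, employees and the sample signup record are all constructed for illustration.

```python
"""Data minimization and least privilege over a consumer record (added example).

Assumptions (constructed, not from the article): the service needs only the
three fields in REQUIRED_FIELDS to operate, and access is governed by a
per-role allowlist of fields with deny-by-default semantics.
"""
from __future__ import annotations

from typing import Iterable

# Fields the hypothetical service has a stated need to store.
# Anything outside this set is never written to storage.
REQUIRED_FIELDS = frozenset({"email", "password_hash", "display_name"})

# Fields treated as sensitive personal data for access reporting.
SENSITIVE_FIELDS = frozenset({"email", "phone", "date_of_birth", "security_answer"})

# Role -> allowlist of fields. Deny-by-default: a missing role or field means no access.
ROLE_POLICY: dict[str, frozenset[str]] = {
    "support": frozenset({"display_name", "email"}),
    "billing": frozenset({"display_name"}),
    "analytics": frozenset(),
}

# Constructed signup payload: the client sends more than the service needs.
SAMPLE_SIGNUP = {
    "email": "user@example.invalid",
    "password_hash": "<hash-placeholder>",
    "display_name": "Example User",
    "phone": "+1-555-0100",
    "date_of_birth": "1990-01-01",
    "security_answer": "fluffy",
}

# Constructed employee -> roles assignment.
SAMPLE_ASSIGNMENTS = {
    "alice": ["support", "billing"],
    "bob": ["billing"],
    "carol": ["analytics"],
}


def minimize(record: dict) -> dict:
    """Keep only the fields the service is allowed to store; drop the rest."""
    return {k: v for k, v in record.items() if k in REQUIRED_FIELDS}


def can_access(role: str, field: str) -> bool:
    """Allow only if the role's allowlist names the field (deny by default)."""
    return field in ROLE_POLICY.get(role, frozenset())


def read_record(role: str, record: dict) -> dict:
    """Return the view of a stored record that this role is permitted to see."""
    return {k: v for k, v in record.items() if can_access(role, k)}


def roles_with_sensitive_access(policy: dict[str, frozenset[str]] = ROLE_POLICY) -> set[str]:
    """Roles whose allowlist reaches any sensitive field; this set should stay small."""
    return {role for role, fields in policy.items() if fields & SENSITIVE_FIELDS}


def privileged_employees(
    assignments: dict[str, Iterable[str]],
    policy: dict[str, frozenset[str]] = ROLE_POLICY,
) -> set[str]:
    """Employees holding at least one role that can reach sensitive data."""
    hot_roles = roles_with_sensitive_access(policy)
    return {emp for emp, roles in assignments.items() if hot_roles & set(roles)}


if __name__ == "__main__":
    stored = minimize(SAMPLE_SIGNUP)
    print("stored fields:", sorted(stored))
    print("support sees:", read_record("support", stored))
    print("billing sees:", read_record("billing", stored))
    print("roles reaching sensitive data:", roles_with_sensitive_access())
    print("employees needing review:", privileged_employees(SAMPLE_ASSIGNMENTS))
```

Running the module shows the phone number, date of birth and security answer never reaching storage, the billing role seeing only a display name, and a one-line report of which employees currently hold a role that can read sensitive data, which is the pool the text says should be kept small and reviewed.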
Plan for the Inevitable Breach
Industry Best Practices
Above all else, following industry best security practices is the best way to protect consumer personal data. Having a chief information security officer, legal staff and/or information technology director stay on top of trends, events and changes is the only way a company can not only minimize the likelihood of a data breach but also reduce the amount of data exposed when one occurs. Implementing and maintaining an updated and secure corporate network may be costly and scare executive management into inaction, but the cost of cleaning up a breach is far greater than finding money in the budget to hire security-minded staff and to harden the company’s systems.
It seems likely that the next decade will be difficult for IT professionals as breaches become increasingly common. Instead of fighting the trend, IT pros should embrace their fate and prepare for the inevitable breach.