Recent enterprise data breaches make case for stronger authentication
In the middle of February of this year, the health insurance giant, Anthem, released a statement saying that their network was breached. According to the statement, the individuals responsible were able to access, “names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, (and) employment information, including income data.”
Luckily, the company informed the tens of millions of customers who use their health plans and those of their affiliated health plans that they had, “no reason to believe credit card or banking information was compromised…” That most likely comes as little relief to the individuals who had the rest of their personal information stolen.
Anthem is in good company. In fact, they’re not the only financial services giant to announce they were impacted by a data breach in the past six months.
In October of last year, JPMorgan Chase – a financial services company that touts that it has millions of customers and more than $2.4 trillion (yes…that was trillion…with a “t”) in assets – issued a regulatory filing to the U.S. Securities and Exchange Commission (SEC) stating that, “User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.”
The number of customers affected? According to JPMorgan Chase, “The compromised data impacts approximately 76 million households and 7 million small businesses.” That could put the combined number of people impacted by the attacks at well over 150 million individuals.
Frighteningly, these attacks aren’t out of the ordinary. In fact, simple Google News searches for terms like “data breach” or “credential theft” will turn up many different instances of major corporations losing sensitive customer data (we’re looking at you, Target).
So, why did I single out these two particular data breaches when they’re essentially needles in a cybersecurity haystack?
First, they’re relatively recent. Nobody wants to read about data breaches that happened two years ago. But timeliness aside – both of these attacks are due to similar circumstances. In both the Anthem and JPMorgan breaches, authentication credentials from executives were compromised and used to steal valuable customer information.
According to Time Magazine, “Early investigations in the Anthem case suggest foreign hackers used the username and password of a company executive to get inside Anthem’s system and make off with personal data for 80 million people.” The story is strangely similar in the case of JPMorgan Chase, which, according to Engadget, was hacked by bad actors, “Using just log-in credentials stolen from an employee.”
The cost of these data breaches is significant. According to the Ponemon Institute’s 2014 Cost of Data Breach study, “The average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.” In the case of JPMorgan and Anthem, the costs should be significantly higher simply due to the incredible number of customer records impacted by the breaches.
Why do these breaches matter? The companies are responsible and have to make it up to their customers, right?
Recent reports say one in three data breach letter recipients became identity fraud victims. On average this takes the individual six months and 200 hours to resolve. It should matter to all of us how our personal information is stored and managed.
Enterprises simply can’t afford the bad publicity, extra costs and increased customer turnover that result from a data breach – especially in high customer turnover industries like financial services. And they definitely can’t afford for these breaches to result from not having adequate authentication in place.
In this day and age, it’s simply staggering that senior executives at enormous companies are still logging into their desktops and networks using single-factor authentication. As these breaches illustrate, multifactor authentication is necessary in today’s more sophisticated and dangerous cyber landscape.
A username and password are no longer sufficient to protect a company’s information. And they’re definitely not enough to protect your customers’ sensitive data. Multifactor authentication is essential in the enterprise to ensure that credential theft doesn’t cost your company cash and your customers their peace of mind.
However, as we’ve discussed in previous posts on Access Granted, just being tough isn’t enough for multifactor authentication to be effective. Ease of use and strong security are both essential to ensure that employees don’t circumvent authentication solutions by saving sensitive company data in insecure places or by other means.
The only way enterprises can avoid the situations facing Anthem and JPMorgan Chase is by embracing multifactor authentication that is equal parts strong and easy to use. Only then can they be confident that sensitive data is secure, and that employees are doing everything needed to keep it that way.