3 Recent Data Breaches & What You Can Learn From Them

It is well understood that an organization can never be 100% safe from data breaches—but it is possible to lower your company’s likelihood of experiencing a breach by using a number of good cybersecurity practices. Below, we’ve outlined three recent headlining breaches and how they happened—as well as what could have potentially been done to mitigate the risk.

Acer Breach

Acer—a hardware and electronics company—was breached via their online payment processing environment. It hasn’t yet been publicized whether this was due to a misconfiguration or a vulnerability that existed in the payment processing software.

The company recently released a breach notification to the California Attorney General's office admitting to the breach, which impacted upward of 34,000 customers. They said the hackers accessed payment card numbers, addresses, names, and security codes—which can, of course, be used to commit identity theft—for customers who made purchases on the company’s website between May 12, 2015, and April 28, 2016.

Our Take: We don’t know whether Acer encrypted its data and other highly sensitive information, but encryption is a critical step toward preventing large-scale data leakage. It’s also important to ensure that your databases are properly configured and that your website isn’t vulnerable to commonly known attack vectors like SQL injection, which can leave your organization’s data particularly exposed.

Wendy's Breach

News of this breach was reported by security researcher Brian Krebs in January 2016. It was a compromise of the Aloha point-of-sale (POS) terminals that Wendy’s fast food restaurants use to process payment card transactions. Originally it was thought to be a very limited number of stores that were compromised—but after further investigation, it turned out to be many more. Customer payment cards used at over 300 Wendy’s franchises—5% of all Wendy’s restaurants—were compromised in the breach.

Our Take: Nearly all companies outsource POS systems, so this is a cautionary tale for those companies—and any organization that has critical vendors handling highly sensitive data (like a POS company would). One important takeaway from this breach is to conduct accurate and thorough investigations following any breach. Wendy’s originally thought the breach was smaller than it ended up being, and because of that, the news story echoed for quite a while—this is something you’ll want to avoid.

Empire Life Insurance Breach

In June 2016, it came out that Empire Life Insurance, a Canadian insurance company, was the victim of an email phishing attack in November 2015. A hacker was able to gain access to several email accounts through what may have been a password-reset phishing scheme. At this time, it is unknown whether the attackers were able to gain any personally identifiable information (PII)—and we expect more details on this breach to come out in the next several weeks.

Our Take: It’s imperative to train employees to recognize phishy-looking emails with weird headers or misspelled words—anything that could arouse suspicion. Additionally, there are email authentication protocols—like SPF, DKIM, or DMARC—that reduce the likelihood of employees falling victim to phishing attacks by quarantining suspicious emails to spam folders. Proper application of email authentication protocols will help lower the chances of a breach.

Are data breaches preventable?

The answer is simple: No. But can an organization harden itself against attackers by putting proper controls and policies in place? Absolutely. From properly configuring your databases to monitoring your most critical vendors, training your employees, and adding proper email security controls, you can help drastically lower your odds of being hit with a catastrophic data breach.