Customer data breaches happen so often that the average consumer may receive notifications from numerous companies within the same month! Cybercriminals aim to steal valuable data like PII (personally identifiable information) and PHI (protected health information). They can then hold it for “ransom” or sell it on the dark web.
Several high-profile breaches involving AT&T, Ticketmaster, and Social Security have all made headlines. These are just a few examples of the risks of generating, storing, transmitting, and using data. Compliance regulations apply to this information, and most organizations strive to be cyber secure, but failures keep occurring.
What are the critical lessons learned for transactional communications? How can you feel confident when you share consumer data with partners to print and mail these documents?
AT&T Data Breach Impacts 73 Million Customers
Even though AT&T only confirmed the breach in March. It appears hackers may have been stealing data as far back as 2021. In this breach, names, email addresses, physical addresses, SSNs, and dates of birth were in the data sets. Additionally, information about calls and text messages was also part of the heist.
KrebsOnSecurity revealed that the company acknowledged that those records were in a cloud database protected only by a username and password. AT&T noted it was actually their cloud provider, Snowflake, which did not have the correct controls in place.
It seems unfathomable to think that companies of this magnitude aren’t following the basics of cybersecurity. The biggest lesson here is that all sensitive data should have multi-factor authentication as the default, no matter where it goes or sits. That goes for your partners, as well. It’s a tenet of all our data operations as part of our secure file processing and production.
The Social Security Breach: SSNs For Sale on the Dark Web
As many as 272 million Social Security numbers were stolen in a breach related to a background screening company, National Public Data (NPD). Cybersecurity experts reviewed the breach in which hackers were trying to sell this data on the dark web, rating it not catastrophic but concerning.
Some point to the very loose oversight of the data broker industry as a factor. Companies mine information and then resell it again and again, often without proper protection. KrebsOnSecurityreported that an NPD data broker published passwords to its back-end database in a freely available file. Unfortunately, major blunders like this often cause customer data breaches.
As an organization that often must share sensitive data for transactional communications, what are the lessons learned?
- Ask specific questions about how any partner will receive, use, store and purge data. Some providers could have ties to data brokers, and you need transparency.
- Determine if any vendors aggregate data at scale that they receive. In most cases, doing so related to transactional communications would not be legal or compliant.
In short, avoid data brokers as they operate in a regulatory gray area that puts you and your customers at risk.
Ticketmaster Hit with Cyberattack
In May, Ticketmaster, one of the world’s largest ticket companies, was the victim of a cyberattack. As a result, customer data exposure impacted 40 million users. Security experts determined the hackers gained access to the company’s network by exploiting a vulnerability in their customer service portal.
Once they had access, they were able to scrape names, email addresses, payment information, and purchase history. A well-known cybercriminal group, ShinyHunters, is to blame. It’s an example of how innovative hackers are and how they will continue to find ways to penetrate systems.
Companies cannot eliminate vulnerabilities when using technology. There is always an inherent risk. However, the companies most focused on data security and compliance conduct regular vulnerability assessments and penetration tests. These proactive measures offer the best protection against cybercriminals.
In this case, the lesson is to ensure you’re performing these often and that your providers are. We do so multiple times a year to improve our cybersecurity programs continuously.
Minimize the Risk of Customer Data Breaches
When sharing customer data for transactional communications, you should feel confident that the provider has layers of security. We do this by using advanced encryption, network segmentation, robust firewalls, Intrusion Protection Systems (IPS), and more. Companies trust us to produce their letters compliantly, securely, and accurately. Learn more about how we do this by requesting a consultation.