A recent leak compromised the personal data of all 4,557 active students at the California State Polytechnic University Science School.
This was not a case of hackers gaining access through illicit means or an accidental exposure of an unsecured database. The data was inadvertently sent in a spreadsheet as an email attachment by a university employee. It included names, home and email addresses, gender, ethnicity, as well as academic performance.
“It was somebody making an honest mistake. Significant mistake, I’m not minimizing that, but it was just an honest mistake,” said Tim Lynch, the associate vice president for Strategic Communications, to a campus newspaper.
While the leak itself was quickly identified and the information didn’t contain Social Security numbers or any other information that could be leveraged in a credential stuffing attack, it does provide a clear object lesson for organizations and businesses alike: Data leaks and breaches have become a common enough occurrence that even comparatively minor incidents can garner a wave of negative publicity, significantly damage customer or member confidence, and open the way to expensive fines and litigation.
The personal data of 4,557 students, or 2,800 Girl Scouts, or 3,000 Minnesotans might pale in comparison to the steady flow of mega breaches from the likes of Equifax or Collection #1-5, but any one of these incidents has the ability to effectively sink a business financially. The most recent Ponemon study suggests that the average cost of a data breach is $3.86 million – and it’s likely to rise as more governments levy fines for negligence, and customers increasingly blame businesses for data breaches instead of hackers. And that’s saying nothing about the damage a breach or compromise does to an organization’s reputation.
A company the size of Facebook or Microsoft may be able to weather the consequences of poor data management, but most companies and organizations can’t. Fortunately, much of the risk can be mitigated through employee training in the practice of good data hygiene (the employee who leaked the student records really should have double-checked the attachment they were sending), but that doesn’t address the cyber culture that allowed such a trove of information to reside in a spreadsheet to begin with.
Some basic tips for any business or organization:
- Treat any personally identifiable information as privileged: it should only be accessible via login and password from pre-vetted users.
- Require a VPN to log into your network remotely; anyone accessing your workplace’s data should need to be an authorized user at your organization, regardless of their location.
- Reconsider BYOD: every employee phone that connects to the network exponentially increases your risk of a data breach, and that risk grows further with every app installed on every device. If someone needs a mobile phone to do their job, supply them with one.
- Create a workplace policy under which employee passwords are assigned rather than chosen (less password re-use) and changed regularly, 2-factor authentication is required, and account access is revoked as soon as an employee is no longer with your company or organization.