Over the last few months, there’s been another massive security breach, one that you potentially haven’t heard of. Its scale was nearly as large as that of Equifax, with 130 million consumers affected. The data lost was equally as important in nature –the victims of Equifax lost social security numbers, email addresses, phone numbers, and even bank account information. You probably didn’t hear about this severe breach on the national news – because it happened in China.
At the end of last month, a Chinese hotel chain known as Huazhu Group reported that it had lost 500 million files, comprising data from 130 million people. As it stands, the data is currently on sale at a darknet website for 8 Bitcoins (over $50,000 USD) in what amounts to a tremendous and ongoing publicity headache for the organization. Although other hotel organizations may dismiss this incident for having occurred overseas, it offers important lessons for companies all around the world.
Innocent Mistake – or Insider Threat?
Although the end result of the hack is certain, questions remain as to the methods. One report mentions that developers accidentally uploaded the 140-gigabyte database to an insecure GitHub repository (this situation may sound familiar to some of our readers). Another report mentions the same thing – but points the finger at an unnamed developer for working with the attackers themselves.
Whether this incident was a mistake or the work or a malicious insider, it points to the fact that Huazhu Group had no effective internal controls for managing the flow of customer data. If the Huazhu Group is subject to PCI-DSS, and if their breach included cardholder data (both of which seems likely), then this may represent a compliance violation. According to the PCI Security Standards Council, cardholder data shouldn’t be stored unless absolutely necessary, should be protected by interlocking layers of security, and should be kept encrypted at all times.
PCI violations, it should be noted, seem to be endemic to hotels the world over. Last year and in 2015, Hyatt Corp. notified its guests that attackers had stolen payment card information from nearly 100 hotels across the world, including in China and in the rest of Asia (plus three locations in the US).
What Can We Learn from This?
Traceability needs to be a major concern within any database that handles people’s bank account numbers, ID cards, or payment information. If you can’t figure out where your most important data is or who has access to it at any given time, you make errors – or malicious actions – much more likely. In the end, you may not be able to determine whether a data breach was the result of a criminal action or a more excusable mistake.
How should traceability work?
At any given time, you need to know who’s working on critical data. Your developers should need to ask for permission before working on databases that contain PII. When they ask to decrypt it, there should be an alert – in the form of an email, text, or popup – that shows them asking. Once you give them permission, there needs to be a log saying who’s working on the data, and what they’re allowed to do with it. If they try to move that data somewhere it isn’t allowed? More alerts.
Putting these alerting, monitoring, and reporting systems together in a single, granular, and easy-to-understand system is difficult for any organization. That’s why Safe-T does it for you with our Software Defined Access products. For more information, contact us for a free trial today!