There have been two data breaches to note in the news in the last week or so that show the diverse nature of the causes of leaks, and the risks they pose to businesses and their customers. The perception is that data breaches are targeted malicious attacks by criminal gangs, but this isn’t always necessarily the case.
First to hit the headlines was Tesco’s Club Card data leak. This wasn’t a targeted attack on Tesco’s website itself, but an opportunistic attack using usernames and passwords of at least 2,000 Tesco’s customers obtained from other hacked sources. Customer details along with the corresponding voucher value appeared online, and unsurprisingly, many of the vouchers have been redeemed by the criminals.
The cause of this breach is down to customers using the same username and password for multiple accounts – Tesco has responded quickly to educate and help customers address this issue – but it highlights that prevention of data leaks is more than simply technology; end-user education and best practice is imperative and this incident goes to show that this access point onto a network is a weak link if not managed well.
Second is the Aviva insurance data breach which has resulted in the arrest of two employees. It is alleged that these members of staff were selling customer details to third parties resulting in nuisance calls from personal injury companies. So again, not a malicious attack by a criminal gang, but the result of an internal threat.
This incident reinforces one of the key questions an organisation must ask itself – ‘how sure is the business that it can detect and respond to someone taking sensitive data from its network?’
The end result in both these cases is that customers have been inconvenienced and may feel a betrayal of trust, which despite swift remedial action, could impact the bottom line.